Abstract
The world of cloud computing is progressing from the concept of securing resources by predefined units to dynamically allocating resources using economic mechanisms. New mechanisms offer better utilization of the hardware by sharing it among multiple users. However, they allow new types of economic attacks. We introduce two new economic attacks performed by malicious users. These attacks harm the aggregate utility of Resource-as-a-Service (RaaS) clouds. Our first attack aims at raising bills in the system, causing victims to pay more for the same amount of resources. Over time, the attack may cause victims to exhaust their budget, thus lowering their demand for resource allocation and allowing the attacker to acquire the freed resources at a negligible cost. Our second attack is designed to hinder the victim’s performance at specific points in time by outbidding them for a single round. For resources that are costly to regain or that take time to utilize fully (e.g., RAM), even a single round without the resource may significantly hinder performance. In this work, we demonstrate on a simple representative example how the first attack reduces the victim’s profit sevenfold and the second attack causes damage of $290–$630 for every dollar spent on the attack.
Notes
1. Most of the provider’s revenue comes from the constant hourly fee the guests pay for their base RAM. This allows the provider to use an auction to optimize the social welfare of the guests without worrying about its own revenue.
Acknowledgments
This work was partially funded by the Amnon Pazi memorial research foundation. We thank A. Schuster and E. Tromer for fruitful discussions. We thank Y. Lev, A. Ohayon, and S. Levenzon for their contribution in creating the allocation plots presented in Sect. 5. We also thank the Caesarea Rothschild Institute for Interdisciplinary Applications of Computer Science in the University of Haifa for their support.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Movsowitz, D., Funaro, L., Agmon, S., Agmon Ben-Yehuda, O., Dunkelman, O. (2019). Why Are Repeated Auctions in RaaS Clouds Risky?. In: Coppola, M., Carlini, E., D’Agostino, D., Altmann, J., Bañares, J. (eds) Economics of Grids, Clouds, Systems, and Services. GECON 2018. Lecture Notes in Computer Science, vol 11113. Springer, Cham. https://doi.org/10.1007/978-3-030-13342-9_4
DOI: https://doi.org/10.1007/978-3-030-13342-9_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-13341-2
Online ISBN: 978-3-030-13342-9
eBook Packages: Computer Science, Computer Science (R0)