{"title":"暖男攻击:无服务器计算中的新型攻击向量","authors":"Junjie Xiong;Mingkui Wei;Zhuo Lu;Yao Liu","doi":"10.1109/TNET.2024.3437432","DOIUrl":null,"url":null,"abstract":"We debut the Warmonger attack, a novel attack vector that can cause denial-of-service between a serverless computing platform and an external content server. The Warmonger attack exploits the fact that a serverless computing platform shares the same set of egress IPs among all serverless functions, which belong to different users, to access an external content server. As a result, a malicious user on this platform can purposefully misbehave and cause these egress IPs to be blocked by the content server, resulting in a platform-wide denial of service. To validate the effectiveness of the Warmonger attack, we conducted extensive experiments over several months, collecting and analyzing the egress IP usage patterns of five prominent serverless service providers (SSPs): Amazon Web Service (AWS) Lambda, Google App Engine, Microsoft Azure Functions, Cloudflare Workers, and Alibaba Function Compute. Additionally, we conducted a thorough evaluation of the attacker’s potential actions to compromise an external server and trigger IP blocking. Our findings revealed that certain SSPs employ surprisingly small sets of egress IPs, sometimes as few as four, which are shared among their user base. Furthermore, our research demonstrates that the serverless platform offers ample opportunities for malicious users to engage in well-known disruptive behaviors, ultimately resulting in IP blocking. Our study uncovers a significant security threat within the burgeoning serverless computing platform and sheds light on potential mitigation strategies, such as the detection of malicious serverless functions and the isolation of such entities.","PeriodicalId":13443,"journal":{"name":"IEEE/ACM Transactions on Networking","volume":"32 6","pages":"4826-4841"},"PeriodicalIF":3.0000,"publicationDate":"2024-08-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Warmonger Attack: A Novel Attack Vector in Serverless Computing\",\"authors\":\"Junjie Xiong;Mingkui Wei;Zhuo Lu;Yao Liu\",\"doi\":\"10.1109/TNET.2024.3437432\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"We debut the Warmonger attack, a novel attack vector that can cause denial-of-service between a serverless computing platform and an external content server. The Warmonger attack exploits the fact that a serverless computing platform shares the same set of egress IPs among all serverless functions, which belong to different users, to access an external content server. As a result, a malicious user on this platform can purposefully misbehave and cause these egress IPs to be blocked by the content server, resulting in a platform-wide denial of service. To validate the effectiveness of the Warmonger attack, we conducted extensive experiments over several months, collecting and analyzing the egress IP usage patterns of five prominent serverless service providers (SSPs): Amazon Web Service (AWS) Lambda, Google App Engine, Microsoft Azure Functions, Cloudflare Workers, and Alibaba Function Compute. Additionally, we conducted a thorough evaluation of the attacker’s potential actions to compromise an external server and trigger IP blocking. Our findings revealed that certain SSPs employ surprisingly small sets of egress IPs, sometimes as few as four, which are shared among their user base. Furthermore, our research demonstrates that the serverless platform offers ample opportunities for malicious users to engage in well-known disruptive behaviors, ultimately resulting in IP blocking. Our study uncovers a significant security threat within the burgeoning serverless computing platform and sheds light on potential mitigation strategies, such as the detection of malicious serverless functions and the isolation of such entities.\",\"PeriodicalId\":13443,\"journal\":{\"name\":\"IEEE/ACM Transactions on Networking\",\"volume\":\"32 6\",\"pages\":\"4826-4841\"},\"PeriodicalIF\":3.0000,\"publicationDate\":\"2024-08-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE/ACM Transactions on Networking\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10630835/\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE/ACM Transactions on Networking","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10630835/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
Warmonger Attack: A Novel Attack Vector in Serverless Computing
We debut the Warmonger attack, a novel attack vector that can cause denial-of-service between a serverless computing platform and an external content server. The Warmonger attack exploits the fact that a serverless computing platform shares the same set of egress IPs among all serverless functions, which belong to different users, to access an external content server. As a result, a malicious user on this platform can purposefully misbehave and cause these egress IPs to be blocked by the content server, resulting in a platform-wide denial of service. To validate the effectiveness of the Warmonger attack, we conducted extensive experiments over several months, collecting and analyzing the egress IP usage patterns of five prominent serverless service providers (SSPs): Amazon Web Service (AWS) Lambda, Google App Engine, Microsoft Azure Functions, Cloudflare Workers, and Alibaba Function Compute. Additionally, we conducted a thorough evaluation of the attacker’s potential actions to compromise an external server and trigger IP blocking. Our findings revealed that certain SSPs employ surprisingly small sets of egress IPs, sometimes as few as four, which are shared among their user base. Furthermore, our research demonstrates that the serverless platform offers ample opportunities for malicious users to engage in well-known disruptive behaviors, ultimately resulting in IP blocking. Our study uncovers a significant security threat within the burgeoning serverless computing platform and sheds light on potential mitigation strategies, such as the detection of malicious serverless functions and the isolation of such entities.
期刊介绍:
The IEEE/ACM Transactions on Networking’s high-level objective is to publish high-quality, original research results derived from theoretical or experimental exploration of the area of communication/computer networking, covering all sorts of information transport networks over all sorts of physical layer technologies, both wireline (all kinds of guided media: e.g., copper, optical) and wireless (e.g., radio-frequency, acoustic (e.g., underwater), infra-red), or hybrids of these. The journal welcomes applied contributions reporting on novel experiences and experiments with actual systems.