random technical thoughts from the Nominet technical team

Can Cloud computing be a threat for security?

Posted by alessandro on Nov 19th, 2009

A cloud refers to “the provision of dynamically scalable and often virtualized resources as a service over the Internet” (from Wikipedia). In practice, a user who logs in to a cloud service (the bottom of this page lists some of them) can, for a reasonable price, rent “resources” such as disk space or virtual machines to run his own code.

Recently, I have been monitoring the queries coming to our WHOIS service and have noticed that several requests originated from machines belonging to the IP space of a well-known commercial cloud. Since the WHOIS is a free service and can be run from any machine, I strongly suspect this technique has been used to avoid hitting the limit of 1000 queries/day set by Nominet’s Acceptable Use Policy on a per-user basis (and not per IP).
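One way to surface the pattern described above, as an added example that is not Nominet's own code: it groups one day's WHOIS queries by cloud provider range and flags ranges whose combined volume exceeds the 1000 queries/day limit while every single address stays under it. The provider name, the address ranges (documentation space) and the log records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

DAILY_LIMIT = 1000  # per-user limit from the Acceptable Use Policy cited above

# Assumption: hypothetical provider name and ranges (RFC 5737 documentation space).
CLOUD_RANGES = {"example-cloud": [ipaddress.ip_network("203.0.113.0/24")]}

def provider_for(ip):
    """Return the provider whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CLOUD_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None

def flag_distributed_clients(records, limit=DAILY_LIMIT):
    """records: iterable of (date, source_ip), one tuple per WHOIS query.
    Flags (date, provider) groups whose total exceeds the limit although
    no single source address does, i.e. load spread across many hosts."""
    per_ip = defaultdict(int)
    for day, ip in records:
        per_ip[(day, ip)] += 1
    groups = defaultdict(dict)
    for (day, ip), count in per_ip.items():
        provider = provider_for(ip)
        if provider is not None:
            groups[(day, provider)][ip] = count
    findings = []
    for (day, provider), counts in sorted(groups.items()):
        total, peak = sum(counts.values()), max(counts.values())
        if total > limit and peak <= limit:
            findings.append({"date": day, "provider": provider, "total": total,
                             "source_ips": len(counts), "max_per_ip": peak})
    return findings

def build_sample_log():
    """Constructed sample: five cloud hosts at 400 queries each on one day,
    one non-cloud client, and a single cloud host under the limit next day."""
    log = [("2009-11-18", f"203.0.113.{h}") for h in range(10, 15) for _ in range(400)]
    log += [("2009-11-18", "198.51.100.7")] * 50
    log += [("2009-11-19", "203.0.113.10")] * 300
    return log

if __name__ == "__main__":
    for finding in flag_distributed_clients(build_sample_log()):
        print(finding)
```

A flagged range is a signal for review rather than proof of a single user, since unrelated customers of the same provider share that address space.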

The impact of this episode, as far as I can see, is limited and, maybe, not worth too much attention. What is interesting, however, is the way the cloud has been used to circumvent Nominet’s rules. This raises questions about how easy it would be for a malicious user to exploit a cloud computing environment for illegal activities and how long we shall wait before the first large-scale attack based on this technology is reported.

If we consider how the cloud environment works, we realise that:

  • A cloud gives a malicious user access to a virtually unlimited pool of resources and computing power
  • It is difficult to enforce limits on the amount of resources a single user is allowed to control, because this would harm legitimate users without preventing malicious ones from opening multiple accounts
  • Monitoring all processes and activities that run on the cloud is quite complex, maybe impractical. Besides, I don’t think legitimate users would be happy with service providers inspecting their data. They will be forced to use cryptography, which will make things even worse
  • Assuming that a service provider could offer some level of protection from misuses of their service, malicious users could spread their activities across different cloud providers, making the task of early detection very complex.
  • Finally, accessing cloud services is cheap and prices are expected to drop with the technology behind big data centres becoming more accessible.

The security issues associated with cloud computing are not unknown (recently, for example, botnet controllers have been discovered in the Google cloud). The problem is that this kind of attack and the threat associated with it are likely to increase in the coming years.

Defending against a cloud-based attack might not be easy and will need to rely on the “good will” of the cloud service providers, which will be expected to monitor their users’ activities. And, to cite Jose Nazario of Arbor Networks in a recent interview with The Register, “going to a company as big as Google and saying ‘Can we get an image of that server,’ that’s a pretty high barrier”, especially for small and medium-sized organisations affected by small or medium-sized attacks.

WHOIS lookups and domain name registrations follow news events

Posted by alessandro on Jun 30th, 2009

The day following the death of Michael Jackson, Google published a graph showing that their systems were heavily hit by queries related to this news. Details can be found on the Google Official Blog.

Our experiments suggest that Nominet systems experienced an analogous, although orders of magnitude smaller, phenomenon. The following figures show the number of new registrations per hour of domain names that contain the name of Michael Jackson (or part of it) and the number of WHOIS queries that Nominet systems received in the same period.

[Figure: Michael Jackson graphs (new registrations per hour and WHOIS queries over the same period)]

The two graphs are highly correlated because it is common practice for domain name owners to make WHOIS lookups around the time they register new domains. The peak around the 27th of June in the second graph is probably related to news stories concerning suspicions about Michael’s death. Apparently, it did not lead to an immediate rise in the number of domain name registrations.

We have conducted an informal analysis of the domain names that were registered in the last week. The majority of them belong to three categories: parking pages, commercial pages and commemorative sites such as blogs and forums. At the moment, we have no evidence of domain names used for scams or phishing.

In general, this episode confirms (again) that the dynamics of the Domain Name System follow those of the “real world”. A question that is still partially unanswered is to what degree these dynamics are followed by Internet users, i.e. how much their navigation behaviour depends on news stories. In the following months we plan to study the correlation between DNS data and other public events. Google has done something similar in the past, by correlating Google searches for flu-related terms with the spread of flu in North America. The results are very interesting and definitely merit extension to other data sources such as DNS traffic.
