34

In classic hosting we have a virtual machine with limited resources allocated by hosting provider for running our web application. But with serverless code such as AWS Lambda or Azure Functions, our code is executed by hosting provider (Amazon or Microsoft) itself in response to events. Theoretically speaking, there is no limit for resources that will be allocated to a Lambda function, so doesn't that mean if attacker wanted to take down a serverless app with DDoS he would have to first take down entire AWS/Azure which is just impossible?

Mr. Engineer
  • In the extreme, there is a limit of resources: AWS isn't infinite. Of course, a DDoS that can compete with AWS's capacity is extremely unlikely - something else will fail first - but it's important to remember that serverless code is running on a server(s) somewhere – Tim Jun 20 '21 at 18:55
  • "Serverless" still runs on servers, so how can it be immune to attacks? Why do you think taking down AWS is impossible? – curiousdannii Jun 20 '21 at 23:59
  • worse still, if you don't control the servers the host is likely to just shut them down to stop the attack rather than try to fight and overcome it. And they may well decide afterwards to cancel your contract as being too risky for them. – jwenting Jun 21 '21 at 06:13
  • @curiousdannii AWS has about the same processing power as the rest of the world, but as was pointed out by others, that doesn't quite save us individuals. – Mr. Engineer Jun 21 '21 at 14:13
  • Source? I'm gonna call BS on that. AWS is incredibly expensive so any company with large compute requirements will colo their servers or even build their own data centers. (No, running a CRUD website doesn't necessarily require significant compute, even if we're talking about one of the most popular websites in the world) – Navin Jun 21 '21 at 15:03
  • @Navin I don't think that's at all true. I work for a large company (~$2 billion a year in revenue) but we use AWS almost exclusively and are moving most of our remaining on-prem infrastructure to AWS. Not to mention the [endless list](https://www.contino.io/insights/whos-using-aws) of large companies that use AWS. – Conor Mancone Jun 21 '21 at 15:24
  • @Navin AWS powers like the entire Internet, it would be easier to tell you which webservices do not use AWS rather than which do. In fact almost every one of the websites I visit daily uses some AWS services. That's not what this question is about, it's rather about whether or not that helps us to protect against DDoS attacks. – Mr. Engineer Jun 21 '21 at 16:42
  • @MonkeyZeus AWS calls their serverless platform "AWS Lambda". I'm not sure I understand your question. – Mr. Engineer Jun 21 '21 at 16:44
  • Security in depth to the rescue: you should have a good CDN with DDoS mitigation abilities in front of your app regardless of how you deploy it. – chicks Jun 21 '21 at 18:26
  • @Mr.Engineer "AWS powers like the entire internet" source of that? The Internet is powered by backbone telecom companies like Nokia, Alcatel and such. AWS at best powers many websites and services but not the internet. And there are many many services for whom it is cheaper (way cheaper) to run their systems themselves. AWS's business model is to manage servers for you, so they charge you what it costs to manage servers plus margin. There is a sweet spot in system size where AWS is indeed cheaper, but for many more companies (larger or smaller than that sweet spot) it is way too expensive. – Alexey Kamenskiy Jun 23 '21 at 04:06
  • @Alexey Kamenskiy I meant exactly websites and services. You can use whois.domaintools.com to check if a webservice uses AWS for hosting. As you will find out, many, many of them do. – Mr. Engineer Jun 23 '21 at 15:33

4 Answers

96

There is always something that will break

While, theoretically, serverless systems can scale up your application to very high levels, there is always something that will break. Likely candidates:

  1. Your database!
  2. Other internal services
  3. 3rd party services you call while responding to requests
  4. Your bank account

Even with a stateless endpoint that doesn't use a database or external services, a large-scale DDoS attack can still run up such a large bill from your cloud provider that you choose to shut off the service until the DDoS attack ends. It's not a new concept. Here's a discussion about it:

https://summitroute.com/blog/2020/06/08/denial_of_wallet_attacks_on_aws/

Conor Mancone
  • I guess theory and practice are two very different things... in real life there is always a budget limit. – Mr. Engineer Jun 19 '21 at 20:31
  • "Your bank account" - most interesting answer of all. Also, I believe AWS would have employed quotas beyond which either service gets throttled or suspended. – Kannan Jun 20 '21 at 04:00
  • @Kannan "Also, I believe AWS would have employed quotas beyond which either service gets throttled or suspended." According to the article in this answer, nope. They just charge you piles of money, instead. – nick012000 Jun 20 '21 at 10:20
  • If you're using an in-house server farm you worry about horizontal scaling - if you switch to the serverless cloud then you need to worry about wallet scaling. You can set and adjust a standard rate limit and a burst rate limit per second for methods in your REST APIs. You could also write your APIs to detect DDoS attacks (e.g. requests flooding from a small number of IPs, or a country's IP range) then have those requests short-circuit in their processing. – andrew pate Jun 20 '21 at 14:19
  • @Kannan most cloud providers do have options to set budget limits and automatically disable services when reached. I don't believe AWS has ever jumped on that bandwagon directly, but you can certainly set trigger thresholds and send notices that your own software processes to disable services. Regardless though, if you disable a service due to fear of the bill, or the service is automatically disabled because you hit a budget threshold, it's still a win for the person running the DDoS. – Conor Mancone Jun 20 '21 at 16:46
  • Like any other case, there are plenty of strategies you can put in place to mitigate the danger of DDoS, including employing an actual DDoS mitigation service (Akamai and CloudFlare would be two examples). However, just using serverless technologies does not make you immune to DDoS. – Conor Mancone Jun 20 '21 at 16:48
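The comments above mention a per-second steady rate plus a burst allowance as the throttling shape API gateways expose, and per-client flood detection. The following is an added example, not code from the answer or from AWS: a token-bucket limiter replayed over constructed access-log lines (the addresses, timestamps and limits are all made up for the illustration) so you can see which requests a given rate/burst pair would shed and which client they came from.

```python
"""Token-bucket throttling replayed over constructed access-log lines.

Added example for the answer above. The log lines, client addresses and
limits are constructed for illustration; this is not AWS or API Gateway code,
it only reproduces the rate + burst semantics the answer's comments describe.
"""
from collections import defaultdict

# Constructed access log, one request per line: "<unix_time> <client_ip> <path>".
# 198.51.100.7 fires 8 requests in 350 ms; 203.0.113.9 is a normal client.
SAMPLE_LOG = """\
1000.00 198.51.100.7 /api/items
1000.05 198.51.100.7 /api/items
1000.10 198.51.100.7 /api/items
1000.15 198.51.100.7 /api/items
1000.20 198.51.100.7 /api/items
1000.25 198.51.100.7 /api/items
1000.30 198.51.100.7 /api/items
1000.35 198.51.100.7 /api/items
1000.50 203.0.113.9 /api/items
1001.00 203.0.113.9 /api/orders
1002.00 203.0.113.9 /api/items
"""


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = float(rate)      # steady-state requests per second
        self.burst = int(burst)      # how many requests may arrive at once
        self.tokens = float(burst)   # bucket starts full
        self.last = None             # timestamp of the previous request

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle_log(log_text, rate, burst):
    """Replay the log with one bucket per client address.

    Returns {client_ip: {"allowed": n, "throttled": m}}.
    """
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "throttled": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _path = line.split()
        bucket = buckets.setdefault(ip, TokenBucket(rate, burst))
        outcome = "allowed" if bucket.allow(float(ts)) else "throttled"
        stats[ip][outcome] += 1
    return dict(stats)


def noisiest_clients(stats, top=3):
    """Clients ordered by how many requests were shed; the natural alert input."""
    return sorted(stats, key=lambda ip: stats[ip]["throttled"], reverse=True)[:top]


if __name__ == "__main__":
    # Hypothetical limits for the demo: 2 requests/s sustained, bursts of 5.
    result = throttle_log(SAMPLE_LOG, rate=2.0, burst=5)
    for ip in noisiest_clients(result):
        print(ip, result[ip])
```

With those constructed numbers the first client gets 5 requests through on the burst allowance and has the remaining 3 throttled, while the slower client is untouched; the throttled count per address is the signal you would feed to alerting or to an upstream block list, which is the "short-circuit" behaviour the comment describes.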
31

Theoretically speaking, there is no limit for resources that will be allocated to a Lambda function ...

There is - it's the budget and the quotas. Lambda functions are not free to execute, so a DDoS causing lots of executions of Lambda functions will eventually exhaust the given quotas and cause throttling - which as a result is a reduction or even denial of service. While one might increase the quotas it will cost, in which case the available budget is a new limit.

Steffen Ullrich
  • and AWS is likely to cut you off completely before that happens just to reduce the overall load on their systems, and may well decide to cancel you to prevent a recurrence. – jwenting Jun 21 '21 at 06:15
  • @jwenting why would they do that? Wouldn't AWS be fine with making money off you while you're being DDoS'ed? – Andrew Hulterstrom Jun 21 '21 at 20:13
  • @AndrewHulterstrom Not having a quota would result in a worse experience for AWS customers (having an enormous bill) and if the bill's higher than the customer is able to pay, AWS will ultimately have to eat the loss. – bjb568 Jun 22 '21 at 03:53
  • @bjb568 I totally agree the quota concept makes sense! Though my question was about why Amazon would "cut you off completely" and "may well decide to cancel you". – Andrew Hulterstrom Jun 22 '21 at 15:30
  • @AndrewHulterstrom a DDoS against one user can cause disruption for their entire platform (or at least the region) because it causes increased loads across the board to their servers. They definitely don't want that. – jwenting Jun 24 '21 at 06:24
22

In short: all-in-all serverless is not a protection against any kind of attack.

Note that "serverless" doesn't mean servers are not involved. It only means that you have delegated server management to someone else (Amazon, Microsoft, ...) and they set up their servers for you.

Many things can still happen. Servers can still break, the service provider can stop your account, your contract can be invalidated for some reasons, you can go over your quota, etc.

The assumption is that the underlying software will move your code to another server automatically and scale it for you. The goal of DDoS attacks is to hurt your business. Given all of that - DDoS on serverless is still a threat. It can cause degraded quality of service (i.e. intermittent errors while underlying software shuffles your code) or can blow up your bills to 1000x of normal usage.

Valerio Bozz
  • You are paying someone good money to make sure their servers do not break, and the company you are paying are usually quite good at this. – user253751 Jun 21 '21 at 20:15
  • @user253751 I don't think that point is relevant to the question asked. And while somewhat correct it doesn't guarantee 100% no issues. – Alexey Kamenskiy Jun 24 '21 at 04:49
5

There are always some limits. For example, for AWS Lambdas there are limits on how many can be executing concurrently (e.g. a few thousand concurrent executions) for a single AWS account. With DDoS you could take down a single AWS account, not the whole AWS infra. And, of course, generate a large bill in the process for the account owner.