Serverless botnets could soon become reality

We have been accustomed to think about botnets as a network of compromised machines – personal devices, IoT devices, servers – waiting for their masters’ orders to begin their attack, but Protego researchers say that many compromised machines are definitely not a requirement: botnets can quite as easily be comprised of serverless functions.

They created one on the Google Cloud Functions platform as a proof of concept and have calculated that the losses experienced by organizations whose account the botmasters are exploiting could reach tens (if not hundreds) of thousands of dollars.

The theory

“Serverless functions, the primary unit of compute in a serverless architecture, are small stateless modules that run when they are needed, and evaporate when they are not,” the researchers explained.

A serverless botnet relies on a bot that’s hosted on an infected instance of a serverless function to periodically trigger the creation of a new instance of the same function. This “copy” will do the same after a predetermined period of time has passed, then its copy will again do the same, and so on and so forth.

But once the function gets the order to mount an attack, the bots running in the small set of zombie functions are instructed to make more than one copy of the function. The replication continues until it reaches the limits of the account or a preset, lower limit that would make the process less noticeable.

Once the attack is over, the “surplus” functions “evaporate,” but a few are instructed to keep periodically replicating themselves to ensure persistence and availability for the next attack.

“While the ‘idle phase’ of the attack, where the botnet wants to stay alive but dormant is somewhat more complex, during the attack phase the shift to serverless is a boon to the attackers. A single attacked function can suddenly scale up to thousands of concurrent bots, attacking the target in unison. The near-infinite scaling potential of serverless provides huge amounts of ‘free’ attack resources for the bot herder,” the researchers pointed out.

A prototype of a serverless botnet

To create a serverless botnet, attackers must first compromise a server run by the cloud vendor/serverless computing platform provider.

“The inception of the botnet (the ‘patient zero’) can be triggered by a malicious payload directly from a C&C system, or can be infected by another zombie instance running on some other customer’s serverless infrastructure,” the researchers explained.

After contact is made with the C&C server, a malicious payload that carries all the logic for persisting, growing, shrinking, spreading, and mounting an attack is delivered.

For obvious reasons, Protego chose not to publish the full source code of this prototype attack online, although they say that they are willing to share it with interested parties. But they have provided a video demonstration of the botnet in action:

The customers whose infrastructure is abused by a serverless botnet risk a DoS of their own service during the attack, but also considerable monetary losses.

“With Google’s Cloud Functions, HTTP triggered functions like the ones we use in our prototype are limited to 10,000 invocations per second, which can bring the cost of even just one hour of the botnet attack to almost $5,500. Assuming the botnet is leveraging only a single region and is attacking for only one hour a day, this could easily be over $160,000 per month,” they estimated.