Some people did a test and set up a group of public websites on cloud providers that would do the following:
- Malformed traffic: Sending a series of non-RFC compliant packets, as well as aggressive port scanning.
- Malware traffic: Sending a set of publicly known and commonly detected malware to the victim host via a ‘reverse shell’.
- Denial of service: Sending a flood of traffic to a web server on the victim host.
- Brute force: Attempting to brute-force the password for the credentials on the FTP service.
- Shellcode: Launching a set of known shellcodes against various services running on the victim host.
- Web application: Launching commonly known web application attacks against the victim host including SQL injection, cross-site scripting, path traversal, etc.
Security posture of the Cloud platforms
During the execution of the test cases, although we were expecting responses from Cloud providers, our observations on the five tested Cloud providers showed that:
- No connection reset or connection termination on the outbound or inbound network traffic;
- No connection reset or termination against the internal malicious traffic;
- No traffic was throttled or rate limited;
- No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
- Only one Cloud provider by default blocked inbound and outbound traffic on SSH, FTP and SMTP; however, this limitation was bypassed by running the above services on a non-default port.
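As an added example (not code from the original post or from the test it summarizes), the snippet below shows the kind of behaviour-based detection the findings above say was missing, and why the one control that did exist, a block on the default SSH/FTP/SMTP ports, is sidestepped by moving the service to another port. The flow records, IP addresses, thresholds and window size are all constructed for the example and are not from the test.

```python
"""Added example, not from the original post: behaviour-based detection over
constructed flow records. Shows (a) a port-number-only block, which misses a
service moved to a non-default port, and (b) two detectors keyed on behaviour
(distinct ports touched, repeated connections to one service) that still fire."""
from collections import defaultdict

# Constructed tuning values for the example; a real deployment would pick its own.
WINDOW_SECONDS = 60
PORT_SCAN_DISTINCT_PORTS = 20
BRUTE_FORCE_ATTEMPTS = 10

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, action).
# 198.51.100.7 touches 25 distinct ports in 25 seconds (a port-scan pattern);
# 192.0.2.44 opens 12 connections in 12 seconds to FTP moved to port 2121;
# 192.0.2.9 is an ordinary client. None of this is data from the test.
SAMPLE_FLOWS = (
    [(0, "198.51.100.7", "203.0.113.10", 21, "REJECT"),   # FTP on its default port: blocked
     (1, "192.0.2.9", "203.0.113.10", 443, "ACCEPT"),
     (5, "192.0.2.9", "203.0.113.10", 443, "ACCEPT")]
    + [(10 + i, "198.51.100.7", "203.0.113.10", 1000 + i, "ACCEPT") for i in range(25)]
    + [(100 + i, "192.0.2.44", "203.0.113.10", 2121, "ACCEPT") for i in range(12)]
)


def port_block(flows, blocked_ports=frozenset({21, 22, 25})):
    """Port-number-only control. Returns the flows it would drop; anything on a
    non-default port passes through untouched."""
    return [f for f in flows if f[3] in blocked_ports]


def detect_port_scans(flows, threshold=PORT_SCAN_DISTINCT_PORTS, window=WINDOW_SECONDS):
    """Return {src_ip: distinct_ports} for sources that touch at least `threshold`
    distinct destination ports on one host within a window bucket."""
    ports = defaultdict(set)  # (bucket, src, dst) -> set of destination ports seen
    for ts, src, dst, dport, _action in flows:
        ports[(ts // window, src, dst)].add(dport)
    alerts = {}
    for (_bucket, src, _dst), seen in ports.items():
        if len(seen) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts


def detect_brute_force(flows, threshold=BRUTE_FORCE_ATTEMPTS, window=WINDOW_SECONDS):
    """Return {(src, dst, dport): attempts} for repeated connections to a single
    service within a window bucket. Keyed on behaviour, not on the port number,
    so a service relocated to a non-default port is still covered."""
    counts = defaultdict(int)
    for ts, src, dst, dport, _action in flows:
        counts[(ts // window, src, dst, dport)] += 1
    alerts = {}
    for (_bucket, src, dst, dport), n in counts.items():
        if n >= threshold:
            key = (src, dst, dport)
            alerts[key] = max(alerts.get(key, 0), n)
    return alerts


def sources_to_rate_limit(flows):
    """Union of sources flagged by either detector: the set a provider could
    throttle, reset, or raise an alert on."""
    flagged = set(detect_port_scans(flows))
    flagged.update(src for (src, _dst, _port) in detect_brute_force(flows))
    return flagged


if __name__ == "__main__":
    print("dropped by port block:", [f[3] for f in port_block(SAMPLE_FLOWS)])
    print("port scans:", detect_port_scans(SAMPLE_FLOWS))
    print("brute force:", detect_brute_force(SAMPLE_FLOWS))
    print("rate-limit candidates:", sources_to_rate_limit(SAMPLE_FLOWS))
```

Running it shows the port block dropping only the single flow to port 21, while the repeated connections to port 2121 and the scan across 1000+ ports are both flagged by the behaviour-based detectors; the two flagged sources are what a provider could have throttled or alerted on.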
Somebody should sue them for millions; that would make them change their minds.