Let's talk Denial of Wallet

Part 1 — When Cloud Scalability Becomes a Security Risk

One thing that public clouds emphasize is scalability. Pick any "Why should you use the cloud" blog post from a public cloud provider, and scalability will be among the top five reasons.

Do you want a single server up and running? Or do you want 10,000 servers up and running?

Cloud providers have got you covered.

You focus on your business logic and applications. Cloud providers help you scale quickly to meet your needs.

And the best part?

You only pay for what you use!

This flexibility makes the cloud appealing to companies of all sizes - from startups with a few engineers to multi-million-dollar companies with hundreds or thousands of engineers.

But there's a catch with this statement.

You only pay for what you use.

If you use many resources (even unintentionally), you pay for all of them.

This quick resource provisioning and pay-for-usage pricing make Denial of Wallet (DoW) attacks a potential threat in the cloud.

So, What's Denial of Wallet?

It's a bug class which, when exploited by attackers, leads to a huge cloud bill for the victim.

Let's take a DDoS attack, for example.

When a DDoS attack occurs, the backend servers get overwhelmed by the number of requests. Your cloud provider may automatically spin up new servers based on the autoscaling configuration to handle incoming requests.

If you look closely, these additional servers have a cost. By the end of the DDoS attack, your cloud bill includes the price of the original servers you had, the cost of the newly spun-up servers, and the additional data transfer costs of responding to those DDoS requests.

So, a DDoS attack on your cloud resources can significantly inflate your cloud bill.
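To put numbers on the autoscaling scenario, here is an added example (Python, written for this edit and not code from the original post) that simulates one day of traffic against an autoscaling group and adds up instance-hours and egress, once with an effectively unbounded group and once with a hard maximum instance count. The hourly prices, per-instance capacity, response size and the traffic timeline are constructed assumptions, not any provider's real figures.

```python
"""Added example (not from the original post): a toy cost model of what the
autoscaling scenario does to a bill. The fleet always has a baseline size,
grows with request volume up to a hard cap, and every served response costs
egress. Prices, capacities and the traffic timeline are constructed assumptions,
not any provider's real numbers."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class AutoscalePolicy:
    min_instances: int               # baseline fleet you pay for around the clock
    max_instances: int               # hard cap on the group; bounds the bill
    requests_per_instance_hour: int  # what one instance can serve in an hour


@dataclass(frozen=True)
class Pricing:
    instance_hour_usd: float
    egress_per_gb_usd: float


def instances_needed(requests: int, policy: AutoscalePolicy) -> int:
    """Instances the scaler runs for one hour of traffic, within policy bounds."""
    wanted = math.ceil(requests / policy.requests_per_instance_hour)
    return max(policy.min_instances, min(policy.max_instances, wanted))


def simulate_bill(hourly_requests, response_kb, policy, pricing):
    """Return (instance_hours, served_requests, total_usd) for the timeline.

    Requests beyond the capped fleet's capacity are dropped: they cost no
    egress, but they are the availability hit the cap trades for a bounded bill.
    """
    instance_hours = 0
    served = 0
    for requests in hourly_requests:
        n = instances_needed(requests, policy)
        instance_hours += n
        served += min(requests, n * policy.requests_per_instance_hour)
    egress_gb = served * response_kb / (1024 * 1024)
    total = (instance_hours * pricing.instance_hour_usd
             + egress_gb * pricing.egress_per_gb_usd)
    return instance_hours, served, round(total, 2)


# Constructed timeline: a quiet day, and the same day with a six-hour request flood.
NORMAL_HOUR = 10_000
FLOOD_HOUR = 5_000_000
QUIET_DAY = [NORMAL_HOUR] * 24
ATTACK_DAY = [NORMAL_HOUR] * 9 + [FLOOD_HOUR] * 6 + [NORMAL_HOUR] * 9
RESPONSE_KB = 20  # assumed average response size
PRICING = Pricing(instance_hour_usd=0.50, egress_per_gb_usd=0.09)  # assumed prices
UNCAPPED = AutoscalePolicy(min_instances=2, max_instances=10**9,
                           requests_per_instance_hour=50_000)
CAPPED = AutoscalePolicy(min_instances=2, max_instances=20,
                         requests_per_instance_hour=50_000)

if __name__ == "__main__":
    scenarios = (("quiet day, uncapped", QUIET_DAY, UNCAPPED),
                 ("attack day, uncapped", ATTACK_DAY, UNCAPPED),
                 ("attack day, capped at 20", ATTACK_DAY, CAPPED))
    for label, day, policy in scenarios:
        hours, served, usd = simulate_bill(day, RESPONSE_KB, policy, PRICING)
        print(f"{label:26s} instance-hours={hours:4d} "
              f"served={served:>11,d} bill=${usd:.2f}")
```

With these assumed numbers the quiet day costs about 24 USD, the uncapped attack day about 370 USD (636 instance-hours instead of 48, plus roughly 575 GB of egress), and the capped attack day about 89 USD. The cap is the knob that turns an open-ended bill into a bounded one, at the price of dropping the flood's excess requests, which is exactly the availability trade-off the bug class forces on you.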

DoS and DDoS are not the only attack vectors in the DoW bug class. A wide range of attack vectors can increase your cloud bills, all falling under this category. Other popular attack vectors include Cryptojacking and LLMHijacking.

The increase in your cloud bills depends on the attack. An attack can be slow and steady and increase cloud bills over time (e.g., continuous scraping by LLM companies' bots). Or it can cause a massive increase in cost within a day or a few hours (e.g., spinning up a gigantic GPU server for crypto mining after a credential leak).
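The two shapes described above, a slow ramp and a sudden spike, need different detection rules, and the slow one is the easier to miss. The following added example (Python, written for this edit, not the post's own tooling) runs two simple checks over a daily spend series: a spike rule (one day far above the trailing median) and a drift rule (the trailing window's median well above the previous window's). The window size, thresholds and the three 28-day series are constructed assumptions.

```python
"""Added example (not from the original post): flag the two billing patterns
the post describes, a slow drift and an overnight spike, in a daily spend
series. Thresholds, window size and the sample series are constructed."""
from statistics import median

WINDOW = 7          # days in the trailing baseline window (assumption)
SPIKE_FACTOR = 3.0  # a day above 3x the trailing median -> "spike" (assumption)
DRIFT_FACTOR = 1.5  # trailing median above 1.5x the previous window -> "drift"


def first_alerts(daily_usd, window=WINDOW,
                 spike_factor=SPIKE_FACTOR, drift_factor=DRIFT_FACTOR):
    """Return the first day index on which each pattern fires (None if never).

    Medians rather than means are used for both baselines so that a single
    spike day does not inflate the drift baseline and mask a later ramp.
    """
    alerts = {"spike": None, "drift": None}
    for i in range(window, len(daily_usd)):
        trailing = daily_usd[i - window:i]
        if alerts["spike"] is None and daily_usd[i] > spike_factor * median(trailing):
            alerts["spike"] = i
        if alerts["drift"] is None and i >= 2 * window:
            previous = daily_usd[i - 2 * window:i - window]
            if median(trailing) > drift_factor * median(previous):
                alerts["drift"] = i
    return alerts


def excess_spend_until(daily_usd, normal_daily_usd, day_index):
    """Money spent above the normal run-rate from day 0 through day_index."""
    return sum(daily_usd[:day_index + 1]) - normal_daily_usd * (day_index + 1)


# Constructed sample series (USD per day), 28 days each.
QUIET = [100] * 28
DRIFT = [100] * 14 + [100 + 12 * k for k in range(1, 15)]   # steady scraping ramp
SPIKE = [100] * 20 + [2500] + [100] * 7                     # one-night burst

if __name__ == "__main__":
    for name, series in (("quiet", QUIET), ("drift", DRIFT), ("spike", SPIKE)):
        alerts = first_alerts(series)
        print(name, alerts)
        for label, day in alerts.items():
            if day is not None:
                print(f"  {label} on day {day}, "
                      f"excess spend so far: ${excess_spend_until(series, 100, day)}")
```

On the constructed data the spike fires the day it happens, but the ramp is not flagged until day 22, eight days after it starts, by which point about 540 USD above the normal run-rate has already gone out. Single-day thresholds alone are not enough for this bug class; a trend check over a window is what catches the slow-and-steady variant.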

But before I continue this DoW blog series, I must clarify one thing.

Unlike Denial of Service (DoS), Denial of Wallet doesn't block you from accessing your wallet. Instead, it makes you lose money on your cloud bills. You can still access your wallet during the attack (and before your cloud provider notifies you of the bill).

A better name might be Exhaustion of Wallet. Only in the worst case, when you have no money left in your wallet to pay the bill, would it really qualify as "Denial of Wallet" 👿

DoW is an interesting bug class

Usually, security attacks directly affect the CIA triad, but some attacks in this bug class don't. That's why (I assume) Denial of Wallet attack vectors are marked as Informational/Not Applicable/Accepted Risks in bug bounty programs.

Some DoW attack vectors (like Cryptojacking or LLMHijacking) may not even impact your existing resources. But they still achieve the goal of making you bleed money on cloud bills.

In the worst-case scenario, DoW could impact Availability but not Confidentiality or Integrity of your systems.

If the number of servers hits the server quota allocated to your account (due to cryptojacking), new servers can't spin up (say, autoscaling backend servers, data engineering workloads, etc.).

If the number of concurrent serverless functions reaches the account's maximum limit (due to a DDoS attack), your cloud provider might start throttling, and requests from genuine customers might get blocked too.

What's in it for attackers?

DoW is digital vandalism. Attackers might not get anything from the attack, but the victims lose something.

Let's say an attacker made you spend 100k USD overnight in a DoW attack (and your cloud provider doesn't agree to refund it); you've lost 100k. You could have used it for other things — product research, hiring new talent, etc. But now the money is gone.

Note: It's possible to make you spend 100k or even more in DoW attacks. (I'll discuss it in the upcoming blog posts; subscribe to get them directly in your inbox.)

These massive cloud bills could be a significant blow if you're a bootstrapped startup or solopreneur running things on the cloud. Sometimes, this leads you to declare bankruptcy and close the shop (or at least the cloud account).

In the upcoming blog posts, I'll explain the popular attack vectors that fall under the DoW bug class and the mitigation steps.

Until next time. 👋
