What is Denial of Wallet?
Denial of Wallet is a form of Denial of Service attack that targets applications and microservices running on pay-per-use cloud infrastructure. Instead of exhausting capacity, it exploits auto-scaling so that the victim keeps paying for capacity the attacker forces it to provision.
How does Denial of Wallet work?
In short, denial of wallet is the practice of over-consuming a victim's metered resources, typically in the cloud, so that the allocated budget is exhausted and infrastructure costs climb. Expanding on the definition: one of the key cloud-adoption drivers is the ability to scale up and out on demand to absorb the traffic spikes that are common across many industries. Retailers see massive traffic spikes during holiday seasons and periodic promotional sales. Financial companies have higher than normal transaction rates at month end. Travel and hospitality sites see spikes during spring break and the summer and winter vacation periods.
Auto-scaling policies trigger a scale-out or scale-in event when a load metric crosses a threshold, typically request rate, number of active sessions, or CPU utilization per instance. In a denial of wallet scenario, an application is flooded with web requests so that the metric spikes and scale-out is triggered. The attacker does not need to exhaust capacity, only to keep the metric high enough to hold the fleet at its larger, more expensive size for as long as possible.
Denial of wallet attacks use your public-facing application's business logic, such as:
- Account login
- New account creation
- Generating a massive spike in “likes”
Anything that causes a spike in traffic and initiates a scaling event is fair game. Behind the scenes, more compute instances, memory, storage and the supporting IaaS elements (WAF and other security services, load balancing, logging, egress bandwidth) are provisioned automatically, and your account is billed for the consumption. If the attack is sizable and sustained, the budget drains far faster than planned, and once it is gone the application becomes unavailable (denial of service).
Some cloud customers set a spending cap (a "dollars consumed" limit) on the account as a means of controlling costs. In that scenario a denial of wallet attack consumes the allocated money quickly and the cap itself takes the application offline, producing an application-level denial of service sooner than the attack alone would: the cap converts a cost problem into an availability problem at a time the attacker chooses.
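The scaling and billing mechanics described above, and the spending-cap variant, are easier to reason about with numbers. The following is an added example written for this page; it is not code from the original article or from Cequence. It is a toy model: a target-tracking policy (one instance per 500 req/s), an assumed $0.10 per instance-hour, a fleet ceiling of 200 instances, one day in one-minute steps, and a flood from 2,000 bots at 75 req/s each for six hours. An edge rate limit is modelled as a per-client cap on what each bot can push to the backend rather than implemented as a limiter. All of these figures are assumptions chosen for illustration.

```python
# Added example, not code from the original page: a toy cost model of a
# denial-of-wallet attack against an auto-scaled service. Every number
# (instance price, scaling target, bot count, budget) is an assumption.
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional


@dataclass
class ScalingPolicy:
    requests_per_instance: int = 500          # target-tracking: ~500 req/s per instance
    min_instances: int = 2
    max_instances: int = 200                  # fleet ceiling (or account quota), assumed
    price_per_instance_hour: Fraction = Fraction(1, 10)   # assumed $0.10/h on-demand


@dataclass
class RunResult:
    cost: float                  # dollars billed for the whole trace
    peak_instances: int
    outage_step: Optional[int]   # step at which a spending cap cut the app off, else None


def instances_needed(req_per_sec: int, policy: ScalingPolicy) -> int:
    """Instances a target-tracking policy would run for this request rate."""
    wanted = -(-req_per_sec // policy.requests_per_instance)   # ceiling division
    return max(policy.min_instances, min(policy.max_instances, wanted))


def simulate(trace: List[int], policy: ScalingPolicy, step_seconds: int = 60,
             budget: Optional[float] = None) -> RunResult:
    """trace: request rate (req/s) reaching the backend at each step.
    budget: optional spending cap in dollars; once it is exceeded the account
    shuts the app off, which is the 'dollars consumed' scenario in the text."""
    instance_seconds = 0
    cost = Fraction(0)
    peak = policy.min_instances
    outage = None
    for step, rps in enumerate(trace):
        n = instances_needed(rps, policy)
        peak = max(peak, n)
        instance_seconds += n * step_seconds          # billed instance-seconds so far
        cost = Fraction(instance_seconds, 3600) * policy.price_per_instance_hour
        if budget is not None and cost > budget:
            outage = step
            break
    return RunResult(float(round(cost, 2)), peak, outage)


def daily_trace(baseline_rps: int = 1000, bots: int = 0, rps_per_bot: int = 0,
                attack_start: int = 600, attack_steps: int = 360,
                per_client_cap: Optional[int] = None) -> List[int]:
    """One day in 1-minute steps (constructed data). Every bot sends rps_per_bot;
    an edge rate limit of per_client_cap req/s per client is modelled as a cap
    on what each bot can deliver to the backend, not implemented as a limiter."""
    per_bot = rps_per_bot if per_client_cap is None else min(rps_per_bot, per_client_cap)
    trace = []
    for step in range(1440):
        attacking = attack_start <= step < attack_start + attack_steps
        trace.append(baseline_rps + (bots * per_bot if attacking else 0))
    return trace


if __name__ == "__main__":
    policy = ScalingPolicy()
    runs = [
        ("quiet day", simulate(daily_trace(), policy)),
        ("6h flood", simulate(daily_trace(bots=2000, rps_per_bot=75), policy)),
        ("flood, 5 req/s per client", simulate(
            daily_trace(bots=2000, rps_per_bot=75, per_client_cap=5), policy)),
        ("flood, $45 spending cap", simulate(
            daily_trace(bots=2000, rps_per_bot=75), policy, budget=45)),
    ]
    for name, r in runs:
        print(f"{name:28s} cost=${r.cost:8.2f} peak={r.peak_instances:4d} "
              f"outage_step={r.outage_step}")
```

Under these assumptions a quiet day costs $4.80 and the six-hour flood costs $123.60 (the fleet pins at its 200-instance ceiling; without a ceiling it would have asked for 300). Capping each client at 5 req/s at the edge brings the same flood down to 22 instances and $16.80, which is the practical argument for rate limiting the login, signup and "like" endpoints named above. A $45 spending cap does not save money so much as move the outage: the account is switched off 130 minutes into the attack, at step 729, with nearly five hours of the flood (and the rest of the business day) still to go.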
What are the denial of wallet goals?
Denial of wallet goals are to inflict monetary damage on the target while rendering the application unusable, an application-level denial of service. In some cases denial of wallet is a secondary effect: the cloud resources are over-consumed for cryptocurrency mining (cryptojacking), automated attacks or other malicious activity, and the inflated bill is collateral damage.
What is the impact of a denial of wallet attack on an organization?
- Rapidly increased IT costs. If the application is cloud-based, those costs are operational expenditure that directly hits the budget and the bottom line. To stay within budget the organization may need to reallocate money, with a ripple effect on other parts of the business. If the target application is in the data center, the financial impact arrives as emergency acquisition and deployment of hardware to absorb the spike in traffic.
- Lost sales and loss of customer confidence if the application is unavailable, slow to respond or behaves unpredictably.
- Organization-wide disruption, pulling teams away from their daily roles to deal with the fallout. Legal teams must address possible lawsuits from customers and investors if news of the attack becomes public. Public relations and marketing must respond to press and analyst queries to protect the brand. Customer support must handle angry customers while maintaining morale and still covering its normal responsibilities.
What type of applications and industries are targeted by denial of wallet attacks?
Any industry or organization with a public-facing application could be a target. The more elaborate and feature-rich the application, the more endpoints it exposes that can be driven hard enough to trigger scaling, and the more attractive a denial of wallet target it becomes.
Preventing Denial of Wallet with Cequence Security
Cequence Application Security Platform prevents denial of wallet attacks using a patented machine-learning analytics engine that determines the intent of a transaction from many factors, including user behavior (e.g., speed of form fills, mouse movement and keystrokes, time of day, location). Using these data points and more, you can mitigate the attack through blocking, rate limiting, geo-fencing or deception.