Cloud cartography – load based co-residence detection
Some weeks ago @krishnan and I had a tweet conversation regarding a claim he heard at an Amazon webcast, where the speaker claimed that cloud cartography attacks are impossible due to Amazon's use of virtual interfaces to separate customers' traffic. I responded that any such claim should make anyone sceptical (not in those words). Specifically, I cited that the paper addresses other ways of detection, i.e.
Section 8.2 - Load-based co-residence detection
I have written in the past about Cloud Computing's Achilles Heel, which dealt with performance degradation when a misbehaving instance is running on the same piece of hardware as your own instance. I did not think of cartography in those cases, but today, while making a large backup of a virtual instance, I thought let's try the load-based co-residence detection.
So on a different virtual instance running on the same machine I typed:
dd if=/dev/zero of=testfile bs=1M count=15000
This simply creates a 15G file filled with zeroes. Check out what happens to the network performance of the machine that was being backed up:

Performance dives from an average of about 15 Mbytes/s to between 0 and 2 Mbytes/s. For completeness, here is the CPU utilization graph:

I was actually quite surprised at the magnitude of the degradation. I'd say this may be an even more successful co-residence detection attack than network probing, since you could generate legitimate HTTP traffic to a site of interest (or a node of interest), throw tons of load at it and see if you notice response degradation.
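The flip side of the observation above is that the same throughput collapse is what your own monitoring should alert on. The following is an added example (not code from the original post) that takes per-interval throughput readings in MB/s, learns a baseline from the leading samples, and reports windows where the rate stays below a fraction of that baseline for several consecutive samples, the way the backup's rate did in the graph; the sample series, thresholds and function name are my own assumptions.

```python
"""Flag sustained throughput collapses in a per-second transfer-rate series.

Added example (not from the original post): the post shows backup throughput
falling from ~15 MB/s to 0-2 MB/s while a co-resident instance ran `dd`. This
detector takes a list of per-interval throughput samples (MB/s), learns a
baseline from the first samples, and reports windows where the rate stays
below a fraction of that baseline for several consecutive samples, which is
the signal a monitoring job would raise as a noisy-neighbour / probing event.
"""
from statistics import median


def degraded_intervals(samples, baseline_n=10, ratio=0.25, min_len=3):
    """Return (baseline, [(start, end), ...]) for sustained drops below ratio*baseline.

    samples    : throughput readings (MB/s) taken at a fixed interval
    baseline_n : number of leading samples used to estimate normal throughput
    ratio      : fraction of the baseline below which a sample counts as degraded
    min_len    : consecutive degraded samples required before a window is reported
    """
    if len(samples) < baseline_n:
        raise ValueError("not enough samples to establish a baseline")
    baseline = median(samples[:baseline_n])
    threshold = baseline * ratio
    intervals = []
    start = None
    for i, value in enumerate(samples):
        if value < threshold:
            if start is None:
                start = i          # possible start of a degraded window
        elif start is not None:
            if i - start >= min_len:
                intervals.append((start, i - 1))
            start = None           # short blips are ignored
    if start is not None and len(samples) - start >= min_len:
        intervals.append((start, len(samples) - 1))
    return baseline, intervals


# Constructed sample series (not measured data): ~15 MB/s backup traffic,
# a single-sample blip, then a sustained collapse to 0-2 MB/s like the graph.
SAMPLE_MBPS = [15.2, 14.8, 15.5, 14.9, 15.1, 15.3, 14.7, 15.0, 15.4, 14.6,
               15.1, 1.9, 15.0, 14.8,          # one-sample blip: ignored
               1.2, 0.0, 0.4, 1.8, 0.9, 0.0,   # sustained drop: reported
               14.9, 15.2, 15.0]


if __name__ == "__main__":
    base, hits = degraded_intervals(SAMPLE_MBPS)
    print(f"baseline {base:.2f} MB/s; degraded windows (sample indices): {hits}")
```

In practice the samples would come from an interface counter or the backup tool's progress output, and a reported window is worth correlating with CPU steal time on the same host.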
There are obviously ways to mitigate some of these issues, i.e. tightly control who can connect to your instances within the cloud, cycle your own instances so that they keep "moving around", etc. Unfortunately, it does come at the price of additional complexity and work.