Denial of Wallet -- Defining a Looming Threat to Serverless Computing
Daniel Kelly, Frank G. Glavin, Enda Barrett

TL;DR
This paper introduces the concept of Denial of Wallet, a new cyber-attack targeting serverless computing that can cause financial exhaustion, and discusses its threat, attack patterns, and potential mitigation strategies.
Contribution
It defines and identifies Denial of Wallet as a novel attack vector in serverless environments, highlighting its differences from traditional DoS attacks and providing initial experimental insights.
Findings
Denial of Wallet can bypass existing DoS mitigation systems.
Simulated experiments show significant potential financial damage.
An isolated test bed was created for further research.
Abstract
Serverless computing is the latest paradigm in cloud computing, offering a framework for the development of event-driven, pay-as-you-go functions in a highly scalable environment. While these traits offer a powerful new development paradigm, they have also given rise to a new form of cyber-attack known as Denial of Wallet (forced financial exhaustion). In this work, we define and identify the threat of Denial of Wallet and its potential attack patterns. Also, we demonstrate how this new form of attack can potentially circumvent existing mitigation systems developed for a similar style of attack, Denial of Service. Our goal is twofold. Firstly, we will provide a concise and informative overview of this emerging attack paradigm. Secondly, we propose this paper as a starting point to enable researchers and service providers to create effective mitigation strategies. We include some…
