The Dangers of Recycling in the Cloud

by Andrew Casale (VP Strategy)

Cloud computing has become an increasingly popular go to market strategy for both new and mature ad tech companies looking to streamline their infrastructure. I want to talk about safety and precautions, specifically as it pertains to cloud computing. While this is probably not the first thing that comes to mind when you think about ad tech, for anyone embracing the cloud, please take note.

The cloud offers excellent benefits from a computing scale perspective—why? It’s an incredibly efficient and cost effective way to get computing power on demand. It completely eliminates the cost burden to maintain infrastructure from a hardware, ongoing maintenance and IT support perspective. While we don’t rely on the cloud for our real time, production environment, we do use a popular cloud service for prototypes and offline analysis from time to time. We prefer to maintain our own data centers for our production operations because they give us a unique level of control over our infrastructure and the final product, but we still use the cloud when we are looking to prove a theory before we send it out to the production line.

Recently, while one of our product teams were prototyping an application, they lit up a new cloud instance to serve as a new environment, but something strange was observed. The second they gained access to the computing instance, it was exposed to a massive amount of traffic. The team was monitoring over 5,000 web requests per minute hitting this brand new cloud implementation. It should have been zero.

The team examined the traffic, and realized that what the instance was being exposed to was properly crafted ad requests directed to what appeared to be a former ad server. Effectively they were now sitting in front of a cloud instance that had the entire volume of traffic for whoever was just previously using that IP address. Clearly that IP address was previously part of someone’s infrastructure and maybe still cached, and had now been recycled and given to this newly minted instance by the cloud provider. Maybe this company just recently upgraded to a faster instance with more cores – but neglected to realize this address was still exposed to a part of their live infrastructure.

If a bad actor had assumed this IP address, they could have responded to those requests with anything they wanted. They would be in the ad request stream, so not only could they have listened and gained competitive intelligence, they could have injected anything into the stream. They could have served malware, inappropriate ads, or literally anything they wanted to 5,000 requests per minute, and no one would have been the wiser. Scary.

Needless to say we “returned” the instance – wanting nothing to do with it at that point. But this experience serves as a valuable lesson, one that would clearly have been valuable to whichever company previously occupied the IP we were given—if you’re using the cloud in a production capacity, before you give away an instance, you need to make sure it is doing nothing, or someone else can get a piece of your business. And if you’re a cloud service provider, do not recycle an IP address to a new customer if it is still getting request load, as this can effectively indirectly breach the privacy of your customer’s transactions.

Security is one of the biggest concerns for any web-based technology or platform, cloud or not. What we discovered has little do with how secure the cloud is, because I have every confidence that for those using the cloud actively, their data is quite secure. But what I am describing is a very innocent oversight that would completely render all safeguards irrelevant. Any company, ad tech or otherwise who leverages the cloud will upgrade from time to time as capacity needs rise. Just as what happened in this circumstance, if that upgrade happens too fast, sensitive information may leak to the next customer in line. Suppose it was a social network or a financial institution that had been using the cloud in this instance? Private messages and financial information could have been compromised.

Safety must always reign supreme and in a world where everyone is always trying to move a mile a minute to out innovate the competition—ad tech especially, spending a few extra moments to take the appropriate precautions can make all the difference in the world.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s