Does the Twitter Attack Give the Cloud a Black Eye?
I can't believe that the Twitter DoS (denial-of-service) attack made the national news, but these days when everyone from celebrities to senators -- and their millions of followers -- are on Twitter, panic ensued. Twitter was not the only cybervictim; Facebook and LiveJournal suffered as well, but not as much as Twitter did, perhaps due to the fact that Twitter has not been scaling as well as it should. Can you say "fail whale"?
The question on the lips of those looking at cloud computing remains: Does this attack on Twitter indicate that cloud computing is not yet ready for prime time? Twitter today, my cloud infrastructure provider tomorrow? Not really. You're talking about apples and oranges.
[ Stay up on the cloud with InfoWorld's Cloud Computing Report newsletter. | Confused by the cloud hype? Read InfoWorld's "What cloud computing really means" and watch our cloud computing InfoClipz. ]
The issue with Twitter and Facebook is that, as public social networking sites, they have to let anybody and everybody on. Thus, you have millions of IP addresses making requests into those sites during any hour of the day. A DoS attack takes advantage of the openness, in essence hitting the site with so many requests at the same time that it can no longer respond effectively; it either slows down to a crawl or crashes. DoS attacks are difficult to defend against, because if you block one IP address, another pops up. From my days of running cloud computing companies, I can tell you that DoS attacks happen a lot more often than they are reported in the news.
If you're moving to cloud computing, you should relax -- somewhat. Twitter is not a cloud provider, and while Twitter has to deal with anyone and everyone, cloud computing providers that offer applications, app servers, and databases deal with known users or subscribers, and thus can easily shut down a DoS attack by only dealing with IP addresses from their customers. At least, that's the idea.
However, this does not mean that poorly architected cloud computing services won't have other vulnerabilities. Thus, you need to make sure you understand those before signing up. For instance, some could find that their sign-in and provisioning system, which serves as the front end of the cloud computing service, may be saturated by a DoS attack. I'm sure we'll hear about a few of these as cloud computing becomes more popular, but I don't believe this risk should be a deal-breaker for cloud computing.