Where Did My Money Go?: Self-Inflicted Denial-of-Wallet in Microservices Cloud Applications

Abstract:
Modern cloud applications consist of independent and diverse microservices to enable scalable development and usage-based billing. While this architecture enhances flexibility and scalability, it introduces significant coordination challenges. In this talk, we focus on the lack of coordination between independently deployed microservices that operate under inherently different auto-scaling mechanisms.
We explore how loosely coupled components interact as a request navigates through a cloud-based service. We observe that when microservices with distinct auto-scaling mechanisms work together to handle traffic they can become inefficient, particularly under heavy load, leading to throttling and over-provisioning of resources. We demonstrate how attackers can exploit these behaviors to launch effective DDoS attacks, causing service providers to incur extensive costs for requests that ultimately fail.
We further examine the impact of retry patterns on these systems performance. As we demonstrate, excessive retries between poorly coordinated services can lead to increased waste of resources and higher operational expenses. Misaligned services may overwhelm each other with amplified load due to retry attempts, escalating resource consumption and costs — a scenario we refer to as a self-inflicted Denial-of-Wallet (DoW). We analyze the performance and cost implications and propose a distributed solution to mitigate these issues.

Bio:
Jhonatan Tavori is a fifth-year PhD candidate at the School of Computer Science, Tel Aviv University, supervised by Prof. Hanoch Levy. His research focuses on analyzing the performance of cloud applications and networked systems when faced with malicious attacks, and offering guidelines for optimizing their operation and budget utilization. During the last 6 months, he was a visiting scholar at Columbia University, collaborating with the Wireless and Mobile Networking Lab.