Warmonger Attack: A Novel Attack Vector in Serverless Computing

We debut the Warmonger attack, a novel attack vector that can cause denial-of-service between a serverless computing platform and an external content server. The Warmonger attack exploits the fact that a serverless computing platform shares the same set of egress IPs among all serverless functions, which belong to different users, to access an external content server. As a result, a malicious user on this platform can purposefully misbehave and cause these egress IPs to be blocked by the content server, resulting in a platform-wide denial of service. To validate the effectiveness of the Warmonger attack, we conducted extensive experiments over several months, collecting and analyzing the egress IP usage patterns of five prominent serverless service providers (SSPs): Amazon Web Service (AWS) Lambda, Google App Engine, Microsoft Azure Functions, Cloudflare Workers, and Alibaba Function Compute. Additionally, we conducted a thorough evaluation of the attacker's potential actions to compromise an external server and trigger IP blocking. Our findings revealed that certain SSPs employ surprisingly small sets of egress IPs, sometimes as few as four, which are shared among their user base. Furthermore, our research demonstrates that the serverless platform offers ample opportunities for malicious users to engage in well-known disruptive behaviors, ultimately resulting in IP blocking. Our study uncovers a significant security threat within the burgeoning serverless computing platform and sheds light on potential mitigation strategies, such as the detection of malicious serverless functions and the isolation of such entities.