Is serverless code immune to DDoS attacks?



  • In classic hosting we have a virtual machine with limited resources allocated by the hosting provider for running our web application. But with serverless code such as AWS Lambda or Azure Functions, our code is executed by the hosting provider (Amazon or Microsoft) itself in response to events. Theoretically speaking, there is no limit on the resources that will be allocated to a Lambda function, so doesn't that mean that if an attacker wanted to take down a serverless app with a DDoS, he would first have to take down the entire AWS/Azure, which is just impossible?



  • There is always something that will break

    While, theoretically, serverless systems can scale up your application to very high levels, there is always something that will break. Likely candidates:

    1. Your database!
    2. Other internal services
    3. 3rd party services you call while responding to requests
    4. Your bank account

    Even with a stateless endpoint that doesn't use a database or external services, a large-scale DDoS attack can still run up such a large bill from your cloud provider that you choose to shut off the service until the DDoS attack ends. It's not a new concept. Here's a discussion about it:

    https://summitroute.com/blog/2020/06/08/denial_of_wallet_attacks_on_aws/
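The answer's point worked through as an added example (not part of the original post): a rough Python capacity model that shows which of the listed candidates gives out first under a sustained flood. The prices, the one-connection-per-execution rule, the unbilled-throttling assumption and the names `Endpoint` and `assess` are all illustrative assumptions.

```python
from dataclasses import dataclass

# Assumed, illustrative prices in USD; check your provider's current price list.
PRICE_PER_MILLION_REQUESTS = 0.20
PRICE_PER_GB_SECOND = 0.0000166667

@dataclass
class Endpoint:                 # hypothetical description of one function
    memory_gb: float            # configured memory
    duration_s: float           # average run time per invocation
    concurrency_cap: int        # max simultaneous executions allowed
    db_max_connections: int     # downstream database limit, 0 = no database

def assess(ep: Endpoint, requests_per_second: float, hours: float) -> dict:
    """Estimate throttling, database exhaustion and bill for a sustained flood."""
    # Little's law: executions in flight = arrival rate x time per execution.
    wanted = requests_per_second * ep.duration_s
    running = min(wanted, ep.concurrency_cap)
    served_rps = running / ep.duration_s
    served = served_rps * hours * 3600
    # Assumption: throttled requests are rejected before billing starts.
    cost = (served / 1e6 * PRICE_PER_MILLION_REQUESTS
            + served * ep.duration_s * ep.memory_gb * PRICE_PER_GB_SECOND)
    return {
        "rejected_fraction": 1 - served_rps / requests_per_second,
        # Assumption: each running execution holds one database connection.
        "db_exhausted": 0 < ep.db_max_connections < running,
        "cost_usd": round(cost, 2),
    }

if __name__ == "__main__":
    flood_rps, day = 10_000, 24          # constructed scenario
    for cap in (1000, 100):              # generous cap vs. tight cap
        ep = Endpoint(0.5, 0.2, cap, db_max_connections=200)
        print(cap, assess(ep, flood_rps, day))
```

In the constructed scenario, tightening the concurrency cap shrinks the bill and spares the database, but most requests are then rejected, so legitimate users are still denied service.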


