Secure IP Address Allocation at Cloud Scale
Eric Pauley∗‡, Kyle Domico∗, Blaine Hoak∗, Ryan Sheatsley∗, Quinn Burke∗, Yohan Beugin∗, Engin Kirda†, Patrick McDaniel∗
∗University of Wisconsin–Madison, ‡Email: epauley@cs.wisc.edu, †Northeastern University
Abstract—Public clouds necessitate dynamic resource allocation and sharing. However, the dynamic allocation of IP addresses can be abused by adversaries to source malicious traffic, bypass rate limiting systems, and even capture traffic intended for other cloud tenants. As a result, both the cloud provider and their customers are put at risk, and defending against these threats requires a rigorous analysis of tenant behavior, adversarial strategies, and cloud provider policies. In this paper, we develop a practical defense for IP address allocation through such an analysis. We first develop a statistical model of cloud tenant deployment behavior based on literature and measurement of deployed systems. Through this, we analyze IP allocation policies under existing and novel threat models. In response to our stronger proposed threat model, we design IP scan segmentation, an IP allocation policy that protects the address pool against adversarial scanning even when an adversary is not limited by number of cloud tenants. Through empirical evaluation on both synthetic and real-world allocation traces, we show that IP scan segmentation reduces adversaries’ ability to rapidly allocate addresses, protecting both address space reputation and cloud tenant data. In this way, we show that principled analysis and implementation of cloud IP address allocation can lead to substantial security gains for tenants and their users.
I. INTRODUCTION
Cloud providers allow near limitless scalability to tenants while reducing or eliminating upfront costs. One component that enables this architecture is the reuse of scarce IPv4 addresses across tenants as services scale. Though a practical necessity, this reuse, combined with the use of IP addresses as a security principal, enables malicious cloud tenants to abuse IP address reputation [1]–[3], pollute the address space for future tenants [4], and even collect sensitive information intended for previous tenants [5]–[7]. We observe that these seemingly disparate attack spaces share a common thread: the ability of adversaries to easily sample large numbers of IP addresses from provider pools.
While prior works have identified and confirmed the issue of IP address reuse, and proposed some preliminary mitigations [6], [7], the community still lacks a complete understanding of the security provided by these measures, especially against a more powerful or adaptive adversary. For instance, prior works that attempt to reassign addresses to the same tenant can be defeated by adversaries using many disconnected cloud accounts (a form of Sybil attack). Developing secure policies for IP address allocation necessitates a fine-grained analysis of tenant behaviors and adversarial strategies. Such an analysis, and the stronger defenses that analysis enables, are the key focus of this work.
Towards this goal, we propose a novel, comprehensive model for IP address allocation on public clouds. By considering realistic distributions of benign tenant behaviors, configuration management, and cloud provider allocation policies, our new model enables us to concretely evaluate the effectiveness of attacks against the address pool. Implemented in the Elastic IP Simulator (EIPSIM), tenant and adversarial behaviors enable the key goal of our work: developing new allocation strategies that reduce the ability of adversaries to allocate, measure, and exploit many IP addresses. Our model is validated via real-world data on cloud tenant allocations, as well as data collected on cloud configuration management practices and discussions with major cloud providers. In this way, our model enables the development of new defenses against a broad class of attacks against cloud services.
Our model enables us to characterize and defend against a stronger adversary than considered in prior work. This adaptive adversary performs a Sybil attack against the cloud provider, creating many accounts to continually allocate new IP addresses from the pool. Hence, this attacker effectively defeats the protections provided by prior works. We propose IP scan segmentation, a novel IP allocation policy that heuristically identifies adversarial behavior across many cloud tenants, and effectively segments the pool to prevent such adversaries from allocating many unique IPs and exploiting vulnerabilities.
We use EIPSIM to evaluate the security properties (i.e., adversarial ability to discover unique IPs and exploitable configurations) of our studied allocation policies and tenant/adversarial behaviors in real cloud settings. Our analysis, spanning over 250 years of simulated IP address allocation, highlights the marked impact of IP allocation policies on the exploitability of IP address reuse. Indeed, our analysis shows that IP scan segmentation reduces adversarial success by 83.8% over the IP allocation policies deployed by cloud providers, and by 70.1% compared to prior explored techniques. Because our model concretely parallels the actual behavior of cloud providers and tenants, the techniques studied in this work can be directly implemented by providers to protect their customers and network resources. We have shared our findings with providers and release our models and policies as open source artifacts¹ to support practical security of IP address allocation.

Network and Distributed System Security (NDSS) Symposium 2025, 23–28 February 2025, San Diego, CA, USA. ISBN 979-8-9894372-8-3. https://dx.doi.org/10.14722/ndss.2025.23374, www.ndss-symposium.org. arXiv:2210.14999v2 [cs.CR], 10 Sep 2024.
IP address reuse poses a practical security concern, but principled study of new allocation techniques can lead to practical defenses, making this reuse less exploitable in practice. Our work provides such a defense, as well as a basis on which future research in IP allocation can be measured.
II. BACKGROUND
Our work addresses security properties of IP address allocation for public clouds. As such, we briefly describe considerations in IP allocation generally, as well as contemporary work in cloud security related to IP address allocation.
A. IP Address Allocation
Network hosts require an IP address for communication. This can be manually assigned or managed out of band, or it can be provisioned through some automation. In home and corporate networks, the standard solution to automatic IP allocation is DHCP [8]. Likewise, in public clouds such as Amazon Web Services [9], Microsoft Azure [10] or Google Cloud [11], servers are allocated a private (i.e., RFC1918 [12]) IP address via DHCP [8]. While the DHCP standard does not specify how addresses are assigned, they are generally drawn from a pool either sequentially or based on the physical (MAC) address of the requesting machine [8]. For workloads with only private or outbound communications, these addresses are sufficient, as outbound connections can be mapped to publicly-routable IPs via Network Address Translation (NAT) [13].

When services need to receive connections from the broader Internet, they require a public IP address (usually, at a minimum, an IPv4, though support is increasing for IPv6 [14]). These addresses could be configured directly in the machine or over DHCP. However, cloud providers generally opt to use NAT [13] to route public IP addresses to the private IPs of servers. This has multiple benefits, including flexibility (public IPs can be changed dynamically without host involvement), security (tenants cannot spoof IPs), and ease of management (centralized view of IP address allocations).
Cloud Provider IP Allocation. When a tenant requests an IP address, cloud providers have a choice to return any unused address they control, subject to their own internal policy. For instance, a recent work [7] showed that Amazon Web Services samples their pool of available addresses pseudo-randomly subject to a 30-minute delay between reusing any given address. Another study [15] found that IP reuse followed a random process, though the ranges of used IP addresses could be inferred from many samples of the pool. Other works have found that Microsoft Azure [6] and Google Cloud Platform [15] show allocation behavior consistent with random allocation. While this random allocation can have the positive effect of allowing for a moving-target defense [15], wherein tenants move around the IP address pool to evade attack, it can also lead to severe security weaknesses as discussed below.
¹ https://github.com/MadSP-McDaniel/eipsim/
[Fig. 1 (diagram): the address 192.0.2.1 is held at different times by an adversary tenant, Benign Tenant 1 and Benign Tenant 2, with a release between holders; a client and a firewall interact with the address, and each threat is placed on two axes, retrospective vs. prospective and reputation vs. configuration, and marked with the C, I or A property it affects.]
Fig. 1: Taxonomy of threats to the (C)onfidentiality, (I)ntegrity, and (A)vailability of cloud-based network services from IP address reuse. Threats apply to previous tenants (retrospective), future tenants (prospective), and leverage the reputation of IP addresses or associated configuration.
The Security Role of IP Addresses. When viewed solely as a means to route traffic, IP addresses serve little security role. However, addresses have long been used in the capacity of security principals, i.e., control of an IP mediates access to resources, is associated with reputation, and can lead to the receipt of sensitive data. Firewall rules may filter access to specific IP addresses [1], servers may block messages from historical spam IPs [4], [16], and DNS can cause clients to send data to addresses [5]–[7].
B. Exploiting IP Address Reuse
Due to the use of IP addresses as security principals, the (necessary) reuse of IPv4 addresses by cloud providers opens a set of vulnerabilities to attackers [1]–[7]. Depicted in Figure 1, these vulnerabilities allow adversaries to compromise the confidentiality, integrity, and availability guarantees of the network to other tenants in a variety of ways. We taxonomize such vulnerabilities into those that affect previous tenants (retrospective) and those that affect future tenants (prospective). Further, vulnerabilities may be related to the reputation of the IP address (and associated accessibility of other network services) or to configuration associated with that IP (and associated inbound traffic). Described below, these threat scenarios present different avenues for exploitation, though all rely on the ability for adversaries to acquire and route traffic over a sampling of cloud IP addresses.
Reputation Attacks. Source IP address is used to mediate access to a variety of resources on the public Internet. When an adversary uses an address to abuse other services (e.g., by sending spam email, malicious traffic, or large request volume) services may respond by blocking the address [1]–[3] and reporting to centralized reputation services (e.g., Spamhaus for email [16]). This poses a prospective threat to network availability for future tenants. When a future tenant attempts to access services, their address may be blocked because of the actions of previous tenants. Cloud providers pay careful attention to the reputation of their IP pools for services such as managed email sending [17], and routinely pay services to clean the reputation of their address space. The reputation of IP address ranges is also a key factor in the sale of address blocks [18]. Indeed, it is clear that prospective reputation threats to future tenants are a widespread and important issue, though one that to date has seen little attention in terms of affecting address allocation.
Reputation can also pose risks retrospectively, though such attacks have not yet been observed in practice. Consider a service that mediates access via IP address allowlists [1]. A benign tenant may be granted access to restricted systems via their cloud-allocated IP, and then later release the IP address to the pool. An adversary can then allocate the IP address, and have access to the restricted service via the firewall allow rule. This attack is exceedingly difficult to perform, as the adversary must acquire the IP through random sampling then also determine additional services that may be accessible. However, if a service is known to authorize access to a variety of customers via their IP address, it may be possible to quickly enumerate a cloud provider’s address space and discover authorized IPs.
Configuration Attacks. Tenants use IP addresses to refer to resources hosted on cloud providers, causing clients to connect to the resources and establishing trust relationships. Recent works have shown that, when tenants fail to remove the configurations referring to IP addresses they no longer control, these latent configurations can be exploited by future tenants [5]–[7]. Clients continue to send sensitive data, which is often unencrypted due to trust in the network isolation of the cloud provider. This retrospective configuration vulnerability is relatively easy for adversaries to exploit en masse on popular cloud providers, as the rapid and random reuse of IP addresses leaves little time for organizations to correct latent configurations. This leaves a long window of vulnerability during which adversaries could identify and exploit latent configuration. The community has proposed methods for correcting configurations such that they do not become latent, but changes to IP address allocation can also play a role when tenants fail to take action.
While of lower impact, configuration can also pose risks to services prospectively. Here, a tenant (denoted as adversarial although they may be relatively benign) may host services and create a configuration that causes large volumes of traffic to be sent to the address. This traffic could be sourced from legitimate services or from attackers targeting deployed software with exploits or denial of service attacks due to the services a tenant hosts. After releasing the IP, it is allocated to a new (benign) tenant, which then receives the malicious or high-volume traffic targeted at the previous tenant. At a minimum, such high-volume traffic can impose a cost on the new tenant, since cloud providers still charge for outbound bandwidth due to unwanted requests.
C. Preventing Exploitation of IP Reuse
A commonality of all the above attacks is that they rely on the adversary allocating a vulnerable IP address. While the random nature of IP address allocation ostensibly makes the attacks untargeted, prior works have shown that adversaries can easily allocate thousands or even millions of addresses. Because allocation by major providers is currently pseudo-random [6], [7], vulnerabilities spanning many IP addresses become akin to the birthday paradox, wherein the probability of some adversary IP overlapping with some vulnerable IP quickly approaches 100%.

Changes to IP allocation policies have been shown to reduce the exploitability of IP reuse. The goal here is to both (a) reduce the number of IPs that an adversary can allocate, (b) reduce the number of vulnerable tenants associated with those IPs, and (c) increase the window of time between reuse such that associated factors (configuration and reputation) have time to decay. While initial techniques towards achieving this have been proposed [6], [7], the community’s understanding of the space of attacks and countermeasures here remains incomplete: that is, the ways in which an adversary might adapt to new techniques have not yet been modeled, and resulting further improvements to IP allocation strategies have yet to be explored. Hence, such important questions are the key focus of our work.
III. MODELING THE IP ADDRESS POOL
Here, we present a comprehensive, novel framework for modeling secure IP address allocation. Towards this, we propose statistical models for tenant behavior (resource allocation and latent configuration), describe algorithms for allocation policies (including our proposed IP Scan Segmentation policy), and define threat models under which adversaries might exploit cloud resources. In each case, our methodology is informed by prior works, and validated based on real-world allocation and configuration datasets. Note: a reference of symbols used throughout the paper can be found in Appendix A.
A. Tenant Behavior
Cloud providers lease resources (e.g., IPs) to tenants under two general paradigms: static and dynamic [19]–[23]. Static allocation allows tenants to acquire a specified amount of resources (perhaps for a fixed period of time); such resources are often used to handle workloads with known or predictable behavior. On the other hand, dynamic allocation allows tenants to acquire and release resources on-demand (to specified upper and lower limits); such resources are typically backed by auto-scalers and other automation tools to handle less predictable workloads efficiently [24]. As such, we model the behavior of tenants within a spectrum of potential allocation strategies (defined in terms of the number of IPs currently allocated to the tenant) spanning static and dynamic resource allocation.
Benign tenants independently allocate IP addresses at some time $t_a$ from the pool and release those addresses at a later time $t_r > t_a$ (here, the IP is said to be allocated for $d_a = t_r - t_a$). Tenants also associate configuration with IP addresses, which is dissociated from the IP at $t_c$. Each tenant’s overall behavior $B_i$ with respect to IP allocation can therefore be described as a set of timestamps:
$$B_i = \{(t_{a,0}, t_{r,0}, t_{c,0}), \ldots, (t_{a,n}, t_{r,n}, t_{c,n})\},$$
where $n$ is the total number of IPs allocated to the tenant. A single tenant’s behavior then has a maximum limit of $S_{max}$ servers and minimum limit of $S_{min}$ servers; this can capture both static ($S_{max} = S_{min}$) and dynamic ($S_{max} > S_{min}$) resource allocation. For the purposes of our experiments, we focus primarily on dynamic allocations using auto-scalers, as we found this to be most representative of cloud tenant workloads [24], [25].
We next model each tenant’s behavior as being independently sampled from a distribution of potential tenant behaviors: $B_i \sim \mathcal{B}$. We approximate $\mathcal{B}$ as a randomized $n$-term Fourier series with a base period of one day [25]. The intuition is that a given tenant’s resource needs will likely vary throughout the day as demand peaks and subsides, but for a given tenant, this pattern will likely be similar from day to day. One work [25] suggests modeling with a period of 1 week for more precision. Our framework is flexible in this regard, but simulations are performed with 1-day periods. Recall that, by the Shannon-Nyquist sampling theorem [26], any daily-periodic function can be approximated by a Fourier series of sufficient terms. We compute the tenant’s server utilization as a function of the current time $t$ ($0 \le t \le 1$), where 0 and 1 represent the beginning and end of the day, respectively. We then model the mean server usage of the tenant ($\bar{S} = \frac{S_{max} + S_{min}}{2}$) and the relative deviation from the mean server usage using the Fourier series:
$$\frac{S(t) - \bar{S}}{S_{max} - S_{min}} = \frac{\sum_{i=1}^{n} \frac{a_i}{i} \sin\big(2\pi i (t + \phi_i)\big)}{\sum_{i=1}^{n} \frac{a_i}{i}},$$
where the Fourier amplitudes ($a_i$) and phases ($\phi_i$) are randomly sampled from the range $[0, 1]$. This series has an expected range of $[-0.5, 0.5]$, spanning from $S_{min}$ to $S_{max}$ throughout a simulated day. The tenant then allocates or releases IP addresses to respond to this change in compute needs [27]. In keeping with the behavior of a major cloud provider [28], IP addresses allocated under autoscale behavior are selected at random for release when a tenant scales down infrastructure.
Modeling autoscaling behavior as a Fourier series creates traces of tenant allocation that are sufficiently realistic to simulate allocation policies. However, on its own, it fails to account for the fact that IP allocations in a given cloud provider region would likely be correlated (due to the local geographies served by that region [29]). We account for this by biasing the sampling of the lowest-frequency phase of the Fourier series ($\phi_1$): enforcing that $\phi_1 < 0.5$, for instance, will roughly align peak loads to one half of the day. Moreover, tenants may have multiple workloads deployed under the same account that exhibit a hybrid of the above and other behaviors. While evaluation of these hybrid allocation behaviors is beyond the scope of this work, we note that EIPSIM can also be extended to support other models (or distributions) of tenant behavior, as well as real-world allocation traces. Analysis on real allocations (Section V-B) further supports findings based on Fourier-distributed allocations, though effectiveness could vary on other workloads.
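The tenant model of this subsection, worked as an added Python example that is not part of the paper or the EIPSIM artifact: it samples $a_i$ and $\phi_i$, evaluates $S(t)$ from the series (with the $\phi_1 < 0.5$ bias for regional correlation), and drives a one-day allocation trace in which scale-downs release randomly chosen held IPs. The four-term series, $S_{min} = 2$, $S_{max} = 10$, the 96 ticks per day, the seed and the clamping of $S(t)$ to $[S_{min}, S_{max}]$ are this example's assumptions.

```python
import math
import random
from typing import Dict, List, Tuple


def fourier_deviation(t: float, amps: List[float], phases: List[float]) -> float:
    """(S(t) - S_bar) / (S_max - S_min): the paper's normalised n-term series."""
    num = sum(a / i * math.sin(2 * math.pi * i * (t + phi))
              for i, (a, phi) in enumerate(zip(amps, phases), start=1))
    den = sum(a / i for i, a in enumerate(amps, start=1))
    return num / den


def sample_tenant(n_terms: int, rng: random.Random,
                  bias_phase: bool = False) -> Tuple[List[float], List[float]]:
    """Draw amplitudes a_i and phases phi_i uniformly from [0, 1].  With
    bias_phase, phi_1 is forced below 0.5 so that tenants in one region
    peak in the same half of the day."""
    amps = [rng.random() for _ in range(n_terms)]
    phases = [rng.random() for _ in range(n_terms)]
    if bias_phase:
        phases[0] = rng.random() * 0.5
    return amps, phases


def servers_at(t: float, amps: List[float], phases: List[float],
               s_min: int, s_max: int) -> int:
    """Target server count at time t.  The paper gives the series an expected
    range of [-0.5, 0.5]; clamping to [S_min, S_max] is this example's choice."""
    s_bar = (s_max + s_min) / 2
    s = s_bar + (s_max - s_min) * fourier_deviation(t, amps, phases)
    return max(s_min, min(s_max, round(s)))


def allocation_trace(amps: List[float], phases: List[float], s_min: int,
                     s_max: int, rng: random.Random,
                     steps: int = 96) -> List[Tuple[float, float]]:
    """One simulated day in `steps` ticks (96 = every 15 minutes, assumed).
    Rising load allocates fresh IPs; falling load releases *random* held IPs,
    as the paper reports for a major provider.  Returns (t_a, t_r) pairs;
    IPs still held at midnight get t_r = 1.0."""
    held: Dict[int, float] = {}          # ip id -> t_a
    next_ip = 0
    trace: List[Tuple[float, float]] = []
    for k in range(steps):
        t = k / steps
        target = servers_at(t, amps, phases, s_min, s_max)
        while len(held) < target:
            held[next_ip] = t
            next_ip += 1
        while len(held) > target:
            victim = rng.choice(sorted(held))
            trace.append((held.pop(victim), t))
    trace.extend((t_a, 1.0) for t_a in held.values())
    return trace


def simulate_day(n_terms: int, s_min: int, s_max: int, seed: int,
                 bias_phase: bool = False, steps: int = 96):
    """Sample one tenant B_i ~ B and produce its allocation trace."""
    rng = random.Random(seed)
    amps, phases = sample_tenant(n_terms, rng, bias_phase)
    return amps, phases, allocation_trace(amps, phases, s_min, s_max, rng, steps)


if __name__ == "__main__":
    amps, phases, trace = simulate_day(n_terms=4, s_min=2, s_max=10, seed=7,
                                       bias_phase=True)
    mean_hold = sum(t_r - t_a for t_a, t_r in trace) / len(trace)
    print(f"{len(trace)} allocations over the day; mean hold {mean_hold:.3f} day")
```

Feeding several such traces into one pool is what lets an allocation policy be scored on how many distinct addresses a scanning tenant can reach.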
B. Latent Configuration
As discussed above, tenants associate configuration with IP addresses when they are allocated. In most cases, this configuration is dissociated from the IP when or before the IP is released ($t_c \le t_r$). In some cases, however, the configuration remains ($t_c > t_r$). If an adversary manages to allocate the IP address before $t_c$, we consider the adversary to have exploited the configuration. The time between IP release and latent configuration ($t_c - t_r$) is the duration of vulnerability $d_v$ for a given tenant and IP.
Tenant behavior in dissociating configuration can be highly diverse. For feasibility, we model this configuration dissociation as a Poisson process. We assume that with some probability ($p_c$, a simulation parameter) the tenant leaves latent configuration. If latent configuration is left, it will be dissociated from the IP after some duration $d_v = t_c - t_r$. We model this as an exponential distribution
$$d_v \sim \mathrm{Exponential}(1/d_a),$$
where the duration of vulnerability is distributed proportionally to the duration of allocation. Recall the probability density function of such a distribution:
$$f(d_v) = \begin{cases} \frac{1}{d_a} e^{-d_v / d_a} & d_v \ge 0 \\ 0 & d_v < 0. \end{cases}$$
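The latent-configuration model above, as an added Python example (not code from the paper or EIPSIM): it samples $d_v$ as described, checks a seeded simulation of the fraction of released IPs still exploitable after a minimum reuse delay against the closed form $p_c \cdot e^{-\text{delay}/d_a}$, and then applies the birthday-style overlap argument from Section II-C for the worst case in which every address an adversary draws was reused at exactly that delay. The values $p_c = 0.3$, $d_a = 1$ day, the delays and the sample counts are constructed for the example.

```python
import math
import random
from typing import List, Tuple

# Constructed parameters (this example's assumptions, not values from the
# paper).  Durations are measured in days.
P_C = 0.3      # probability a tenant leaves configuration latent on release
D_A = 1.0      # mean allocation duration d_a; d_v then has mean d_a as well


def latent_pdf(d_v: float, d_a: float) -> float:
    """Density of d_v ~ Exponential(1/d_a) from Section III-B (0 for d_v < 0)."""
    if d_v < 0:
        return 0.0
    return math.exp(-d_v / d_a) / d_a


def sample_latent_window(d_a: float, p_c: float, rng: random.Random) -> float:
    """d_v = t_c - t_r for one released IP.  0.0 means the tenant cleaned up
    (t_c <= t_r), so a later holder inherits nothing."""
    if rng.random() >= p_c:
        return 0.0
    return rng.expovariate(1.0 / d_a)      # rate 1/d_a, mean d_a


def p_exploitable_at_reuse(d_a: float, p_c: float, delay: float) -> float:
    """Closed form: P(d_v > delay) = p_c * exp(-delay / d_a)."""
    return p_c * math.exp(-delay / d_a)


def simulate_exploitable_fraction(d_a: float, p_c: float, delay: float,
                                  trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the same quantity with a seeded RNG."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if sample_latent_window(d_a, p_c, rng) > delay)
    return hits / trials


def adversary_hit_probability(per_ip: float, samples: int) -> float:
    """Birthday-style overlap from Section II-C: chance that at least one of
    `samples` independently drawn addresses is still exploitable when each
    is exploitable with probability `per_ip`."""
    return 1.0 - (1.0 - per_ip) ** samples


def reuse_delay_report(delays_days: List[float],
                       samples: int) -> List[Tuple[float, float, float]]:
    """For each minimum reuse delay: the per-IP probability (worst case, the
    address was reused at exactly that delay) and the overall chance that an
    adversary holding `samples` addresses inherits at least one latent config."""
    rows = []
    for delay in delays_days:
        per_ip = p_exploitable_at_reuse(D_A, P_C, delay)
        rows.append((delay, per_ip, adversary_hit_probability(per_ip, samples)))
    return rows


if __name__ == "__main__":
    est = simulate_exploitable_fraction(D_A, P_C, delay=0.5, trials=20000)
    print(f"simulated {est:.3f} vs closed form "
          f"{p_exploitable_at_reuse(D_A, P_C, 0.5):.3f}")
    # 30 minutes (the reuse delay reported for AWS in Section II), 1 day, 1 week
    for delay, per_ip, overall in reuse_delay_report([30 / 1440, 1.0, 7.0], 1000):
        print(f"delay {delay:6.3f} d: per-IP {per_ip:.4f}, "
              f"P(>=1 hit in 1000 allocations) {overall:.4f}")
```

Lengthening the reuse delay only shrinks the per-address term; the number of addresses an adversary can draw is the other factor, which is what the allocation policies later in the paper act on.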
This distribution approximates the relationship between the duration of vulnerability and duration of allocation. It reflects empirical observations of cloud deployments [30], where relatively short-lived allocations are often orchestrated by automation tools and receive frequent configuration updates