DOI: 10.1145/3618257.3624818
Cloud Watching: Understanding Attacks Against Cloud-Hosted Services

Published: 24 October 2023

Abstract

Cloud computing has dramatically changed service deployment patterns. In this work, we analyze how attackers identify and target cloud services, in contrast to traditional enterprise networks and network telescopes. Using a diverse set of cloud honeypots across 5 providers and 23 countries, as well as 2 educational networks and 1 network telescope, we analyze how IP address assignment, geography, network, and service-port selection influence which services are targeted in the cloud. We find that scanners that target cloud compute are selective: they avoid scanning networks without legitimate services and they discriminate between geographic regions. Further, attackers mine Internet-service search engines to find exploitable services and, in some cases, they avoid targeting IANA-assigned protocols, causing researchers to misclassify at least 15% of traffic on select ports. Based on our results, we derive recommendations for researchers and operators.
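The abstract's last finding, that labelling traffic by IANA port alone misclassifies at least 15% of traffic on some ports because attackers send a protocol the port is not assigned to, is easiest to see with a side-by-side classifier. The example below is added here and is not code from the paper: it labels each flow once by destination port and once by the client's first bytes, then reports where the two disagree. The port table, the protocol fingerprints and the sample flows are all simplified assumptions constructed for illustration, not captured data.

```python
"""Port-only vs payload-based labelling of unsolicited flows.

Added example, not code from the paper. The flows and signatures below are
constructed for illustration: a handful of IANA port assignments and
simplified first-bytes fingerprints, not an exhaustive protocol decoder.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Port-only baseline: the IANA-assigned service for each port we care about.
IANA_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "tls",
              3306: "mysql", 6379: "redis"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ",
                b"DELETE ", b"CONNECT ")
# RESP array header ("*<n>\r\n$<len>\r\n") or a bare inline Redis command.
REDIS_RE = re.compile(rb"^\*\d+\r\n\$\d+\r\n|^(?:INFO|PING|CONFIG |SET |SLAVEOF )")


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes   # first bytes sent by the client after the TCP handshake


def classify_by_port(flow: Flow) -> str:
    """Label a flow purely by its IANA destination port."""
    return IANA_PORTS.get(flow.dst_port, "unknown")


def classify_payload(payload: bytes) -> str:
    """Label a flow by what the client actually sent, ignoring the port."""
    if not payload:
        return "empty"          # server-first protocols (e.g. MySQL) or a bare SYN
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    # Telnet option negotiation: IAC (0xff) followed by WILL/WONT/DO/DONT.
    if len(payload) >= 2 and payload[0] == 0xFF and 0xFB <= payload[1] <= 0xFE:
        return "telnet"
    if REDIS_RE.match(payload):
        return "redis"
    return "unknown"


def label_flows(flows):
    """Return (port, port_label, payload_label) for each flow."""
    return [(f.dst_port, classify_by_port(f), classify_payload(f.payload)) for f in flows]


def misclassification_rate(flows) -> float:
    """Fraction of payload-identifiable flows whose port-only label is wrong."""
    decided = [(p, pl) for _, p, pl in label_flows(flows) if pl not in ("empty", "unknown")]
    if not decided:
        return 0.0
    wrong = sum(1 for p, pl in decided if p != pl)
    return wrong / len(decided)


def off_port_services(flows) -> Counter:
    """Count (port, actual_protocol) pairs where the port-only label was wrong."""
    return Counter((port, pl) for port, p, pl in label_flows(flows)
                   if pl not in ("empty", "unknown") and p != pl)


# Constructed sample of what a honeypot might see. Not real captured data.
SAMPLE_FLOWS = [
    Flow(22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow(23, b"\xff\xfd\x18\xff\xfd\x20"),
    Flow(6379, b"*1\r\n$4\r\nINFO\r\n"),
    Flow(3306, b""),                                        # server speaks first
    Flow(8080, b"GET /actuator/health HTTP/1.1\r\n\r\n"),   # HTTP on an unassigned port
    Flow(443, b"GET / HTTP/1.1\r\n\r\n"),                   # plaintext HTTP on 443
    Flow(2222, b"SSH-2.0-paramiko_2.11\r\n"),               # SSH on an alternate port
    Flow(80, b"*1\r\n$4\r\nINFO\r\n"),                      # Redis probe sent to 80
]

if __name__ == "__main__":
    print(f"port-only label wrong for {misclassification_rate(SAMPLE_FLOWS):.0%} of flows")
    for (port, proto), n in off_port_services(SAMPLE_FLOWS).most_common():
        print(f"  port {port}: {n} flow(s) actually {proto}")
```

On the constructed sample the port-only label is wrong for 4 of the 9 flows whose payload can be identified; flows with no client bytes are excluded rather than counted as agreement, since a port-only label for them cannot be checked either way. On real honeypot data the `unknown` bucket will be large, which is itself the argument for decoding payloads rather than trusting the port.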



Information

Published In

IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference
October 2023, 746 pages
ISBN: 9798400703829
DOI: 10.1145/3618257

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. cloud
2. darknet
3. honeypot
4. scanning
5. security

Qualifiers

• Research-article

Funding Sources

• NSF

Conference

IMC '23: ACM Internet Measurement Conference
October 24-26, 2023, Montreal, QC, Canada

Acceptance Rates

Overall Acceptance Rate: 277 of 1,083 submissions, 26%

Article Metrics

• Downloads (last 12 months): 258
• Downloads (last 6 weeks): 14
Reflects downloads up to 02 Mar 2025

Cited By

• Where the wild things are. Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, pp. 1731-1750, 2024. DOI: 10.5555/3691825.3691920. Online publication date: 16-Apr-2024.
• Ten Years of ZMap. Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 139-148, 2024. DOI: 10.1145/3646547.3689012. Online publication date: 4-Nov-2024.
• Sublet Your Subnet: Inferring IP Leasing in the Wild. Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 328-336, 2024. DOI: 10.1145/3646547.3689010. Online publication date: 4-Nov-2024.
• Using Honeybuckets to Characterize Cloud Storage Scanning in the Wild. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 95-113, 2024. DOI: 10.1109/EuroSP60621.2024.00014. Online publication date: 8-Jul-2024.
• HoDiNT. Computer Networks: The International Journal of Computer and Telecommunications Networking, vol. 250, 2024. DOI: 10.1016/j.comnet.2024.110570. Online publication date: 19-Sep-2024.
• Swamp of Reflectors: Investigating the Ecosystem of Open DNS Resolvers. Passive and Active Measurement, pp. 3-18, 2024. DOI: 10.1007/978-3-031-56252-5_1. Online publication date: 11-Mar-2024.
