Cloud computing has dramatically changed service deployment patterns. In this work, we analyze how attackers identify and target cloud services in contrast to traditional enterprise networks and network telescopes. Using a diverse set of cloud honeypots in 5 providers and 23 countries as well as 2 educational networks and 1 network telescope, we analyze how IP address assignment, geography, network, and service-port selection influence what services are targeted in the cloud. We find that scanners that target cloud compute are selective: they avoid scanning networks without legitimate services and they discriminate between geographic regions. Further, attackers mine Internet-service search engines to find exploitable services and, in some cases, they avoid targeting IANA-assigned protocols, causing researchers to misclassify at least 15% of traffic on select ports. Based on our results, we derive recommendations for researchers and operators.
Cloud Watching: Understanding Attacks Against Cloud-Hosted Services
Internet Measurement Conference 2023
- Liz Izhikevich, Manda Tran, Michalis Kallitsis, Aurore Fass, Zakir Durumeric
- Liz Izhikevich
We provide the GreyNoise dataset used in our work, which spans 1 week in 2020 and 1 week in 2021. To request more recent GreyNoise data (which is still being collected), please reach out directly to GreyNoise at https://www.greynoise.io/contact/vip. To access the ORION network telescope dataset used in our paper, use the following link: https://www.merit.edu/initiatives/orion-network-telescope/. A COMUNDA dataset for the same ORION network telescope data can be found here, under the name orion_telescope-20200801: https://comunda.isi.edu/artifact/view/2353. The HoneyTrap data used in the work can be found here: .