Cloud computing has dramatically changed service deployment patterns. In this work, we analyze how attackers identify and target cloud services in contrast to traditional enterprise networks and network telescopes. Using a diverse set of cloud honeypots in 5~providers and 23~countries as well as 2~educational networks and 1~network telescope, we analyze how IP address assignment, geography, network, and service-port selection, influence what services are targeted in the cloud. We find that scanners that target cloud compute are selective: they avoid scanning networks without legitimate services and they discriminate between geographic regions. Further, attackers mine Internet-service search engines to find exploitable services and, in some cases, they avoid targeting IANA-assigned protocols, causing researchers to misclassify at least 15% of traffic on select ports. Based on our results, we derive recommendations for researchers and operators.

Study Details

Study

Cloud Watching: Understanding Attacks Against Cloud-Hosted Services
Internet Measurement Conference 2023

Authors

Liz Izhikevich, Manda Tran, Michalis Kallitsis, Aurore Fass, Zakir Durumeric

Contact

Liz Izhikevich

Dataset Details

We provide the GreyNoise dataset used in our work, which spans 1 week in 2020 and 1 week in 2021. To request more recent GreyNoise data (which is still being collected), please reach out directly to GreyNoise at https://www.greynoise.io/contact/vip. To access the ORION network telescope dataset used in our paper, use the following link: https://www.merit.edu/initiatives/orion-network-telescope/. A COMUNDA dataset for the same ORION network telescope data can be found here, under the name orion_telescope-20200801: https://comunda.isi.edu/artifact/view/2353. The HoneyTrap data used in the work can be found here: .

File Download