“Cloudy With a Chance of Misbehavior”: Researching Malicious Traffic originating from Cloud Machines

by Rene Van Steenbergen


Cloud services are increasingly popular among businesses and organizations (e.g., NGOs, government) as a way to scale their infrastructure as demand increases or to obtain access to special hardware (e.g., GPUs). Google Cloud, Microsoft Azure and Amazon EC2 are all examples of cloud services one can rent on demand to support a business.

Though cloud computing is rapidly increasing in popularity, there have been concerns regarding the security and vulnerability of these services. Malicious actors can rent cloud nodes and misuse them to send malware, spam, and phishing. Malicious actors can also hijack nodes rented by others and misuse them. “Though some clouds do use different protection mechanisms to prevent misuse, the attackers are able to bypass those protections,” said Tandon.

To measure the increasing threats to security from various cloud computing services, USC Information Sciences Institute researcher and project leader Jelena Mirkovic teamed up with Ph.D. student Rajat Tandon and MS student Pithayuth Charnsethikul to research cloud providers and the “misbehavior” that occurs on these platforms. By looking at 13 datasets each containing unwanted traffic, the researchers quantified and analyzed the extent to which malicious activity occurs on clouds.

Mirkovic and her students found that although cloud providers occupy only 5.4% of routable Internet address space, they generate around 50% of vulnerability scans, which are often precursors to attacks. Clouds also contribute up to 96% of entries on blocklists, which are lists of IP addresses that participated in prior documented misbehavior.

Researchers also looked at /24 prefixes – areas of Internet address space that contain multiple IP addresses, and that are managed by a single organization. The researchers found that a cloud’s /24 prefix is 20-100 times more aggressive than that of a non-cloud, indicating high amounts of malicious traffic generated by cloud prefixes.
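The two comparisons above (cloud share of scans versus cloud share of address space, and events per /24 prefix for cloud versus non-cloud sources) can be reproduced over a defender's own logs. The following is an added example, not code from the researchers or the article; the cloud prefix list and the scanner source addresses are constructed for illustration (a real list would come from provider-published IP ranges).

```python
import ipaddress
from collections import Counter

# Constructed, hypothetical prefixes standing in for a cloud provider's ranges.
CLOUD_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/23")]

# Constructed sample of source addresses seen probing a network (one entry per event).
SCAN_SOURCES = [
    "203.0.113.5", "203.0.113.9", "203.0.113.200",   # cloud, one /24
    "198.51.100.7", "198.51.101.3", "198.51.101.44",  # cloud, two /24s
    "192.0.2.10", "192.0.2.11",                       # non-cloud, one /24
    "100.64.3.7", "100.64.9.1",                       # non-cloud, two /24s
]

def slash24(ip: str) -> ipaddress.IPv4Network:
    """Map a source address to the /24 prefix it belongs to."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def is_cloud(ip: str, cloud_prefixes=CLOUD_PREFIXES) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cloud_prefixes)

def split_by_origin(sources, cloud_prefixes=CLOUD_PREFIXES):
    cloud = [ip for ip in sources if is_cloud(ip, cloud_prefixes)]
    other = [ip for ip in sources if not is_cloud(ip, cloud_prefixes)]
    return cloud, other

def prefix_aggressiveness(sources, cloud_prefixes=CLOUD_PREFIXES):
    """Mean events per active /24 for cloud and non-cloud sources, plus their ratio."""
    def mean_per_prefix(ips):
        counts = Counter(slash24(ip) for ip in ips)
        return sum(counts.values()) / len(counts) if counts else 0.0
    cloud, other = split_by_origin(sources, cloud_prefixes)
    c, o = mean_per_prefix(cloud), mean_per_prefix(other)
    return c, o, (c / o if o else float("inf"))

def overrepresentation(sources, cloud_prefixes=CLOUD_PREFIXES, address_space=2**32):
    """Cloud share of events divided by cloud share of the considered address space."""
    cloud, _ = split_by_origin(sources, cloud_prefixes)
    event_share = len(cloud) / len(sources)
    space_share = sum(net.num_addresses for net in cloud_prefixes) / address_space
    return event_share / space_share

if __name__ == "__main__":
    print("events per /24 (cloud, non-cloud, ratio):", prefix_aggressiveness(SCAN_SOURCES))
    print("overrepresentation factor:", overrepresentation(SCAN_SOURCES, address_space=7680))
```

A ratio well above 1 from either function is the signal the study describes: cloud prefixes contributing far more unwanted traffic than their size alone would predict.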

The high degree of misbehavior in cloud providers opens the door to all types of Internet attacks. Such attacks are often handled via firewalls, but because clouds are also used extensively for legitimate purposes, firewalls can do little to filter out attacks coming from clouds without also blocking legitimate traffic.

Interestingly, Tandon et al.'s research indicates that a small number of clouds are responsible for the majority of the misbehavior.

“There are 25 clouds that contribute 90% of all the cloud scans, and 10 clouds contribute more than 20% of blocklist entries from clouds,” explains Tandon. “Thus, if efforts were focused on securing these clouds, Internet attacks could be greatly reduced.”

Though this heavy-tailed result is promising for securing cloud machines, it is clear that clouds must adopt stricter security measures and stricter monitoring of the resources they rent out to prevent future attacks from occurring.

Going forward, Mirkovic, Tandon, and Charnsethikul plan to continue their research by analyzing how misbehavior on clouds changes over time. It’s safe to say that we should all get our heads out of the clouds when it comes to serious threats to our security.