Secure IP Address Allocation at Cloud Scale


Full description

Saved in:
Bibliographic details
Main authors: Pauley, Eric; Domico, Kyle; Hoak, Blaine; Sheatsley, Ryan; Burke, Quinn; Beugin, Yohan; Kirda, Engin; McDaniel, Patrick
Format: Article
Language: eng
creator Pauley, Eric; Domico, Kyle; Hoak, Blaine; Sheatsley, Ryan; Burke, Quinn; Beugin, Yohan; Kirda, Engin; McDaniel, Patrick
description Public clouds necessitate dynamic resource allocation and sharing. However, the dynamic allocation of IP addresses can be abused by adversaries to source malicious traffic, bypass rate limiting systems, and even capture traffic intended for other cloud tenants. As a result, both the cloud provider and their customers are put at risk, and defending against these threats requires a rigorous analysis of tenant behavior, adversarial strategies, and cloud provider policies. In this paper, we develop a practical defense for IP address allocation through such an analysis. We first develop a statistical model of cloud tenant deployment behavior based on literature and measurement of deployed systems. Through this, we analyze IP allocation policies under existing and novel threat models. In response to our stronger proposed threat model, we design IP scan segmentation, an IP allocation policy that protects the address pool against adversarial scanning even when an adversary is not limited by number of cloud tenants. Through empirical evaluation on both synthetic and real-world allocation traces, we show that IP scan segmentation reduces adversaries' ability to rapidly allocate addresses, protecting both address space reputation and cloud tenant data. In this way, we show that principled analysis and implementation of cloud IP address allocation can lead to substantial security gains for tenants and their users.
doi_str_mv 10.48550/arxiv.2210.14999
format Article
fullrecord (fields recovered from the embedded XML record; the record repeats the title, authors, abstract and DOI listed elsewhere on this page)
  date 2022-10-26
  subject Computer Science - Cryptography and Security
  rights http://creativecommons.org/licenses/by-nc-nd/4.0
  sourcetype Open Access Repository
  link https://arxiv.org/abs/2210.14999
  link https://doi.org/10.48550/arXiv.2210.14999
fulltext fulltext_linktorsrc
identifier DOI: 10.48550/arxiv.2210.14999
language eng
recordid cdi_arxiv_primary_2210_14999
source arXiv.org
subjects Computer Science - Cryptography and Security
title Secure IP Address Allocation at Cloud Scale
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-02T23%3A18%3A16IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Secure%20IP%20Address%20Allocation%20at%20Cloud%20Scale&rft.au=Pauley,%20Eric&rft.date=2022-10-26&rft_id=info:doi/10.48550/arxiv.2210.14999&rft_dat=%3Carxiv_GOX%3E2210_14999%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true