
Secure IP Address Allocation at Cloud Scale

Eric Pauley, Kyle Domico, Blaine Hoak, Ryan Sheatsley, Quinn Burke, Yohan Beugin, Engin Kirda, Patrick McDaniel

TL;DR

This work addresses security risks from dynamic IP address reuse in public clouds, where adversaries can sample large portions of a provider's IP pool to exploit reputation and latent configurations. It develops a comprehensive model of tenant behavior, latent configurations, and adversarial strategies, and introduces IP scan segmentation as a practical defense evaluated with the Elastic IP Simulator (EIPSim). Through extensive synthetic and real-world trace experiments, the approach substantially reduces adversarial success, including large reductions in latent configuration exposure and unique IP yield, even under strong multi-tenant Sybil scenarios. The results demonstrate that principled cloud IP address allocation can yield meaningful security gains for tenants and providers, and the authors provide open-source artifacts to enable adoption and further research.

Abstract

Public clouds necessitate dynamic resource allocation and sharing. However, the dynamic allocation of IP addresses can be abused by adversaries to source malicious traffic, bypass rate limiting systems, and even capture traffic intended for other cloud tenants. As a result, both the cloud provider and their customers are put at risk, and defending against these threats requires a rigorous analysis of tenant behavior, adversarial strategies, and cloud provider policies. In this paper, we develop a practical defense for IP address allocation through such an analysis. We first develop a statistical model of cloud tenant deployment behavior based on literature and measurement of deployed systems. Through this, we analyze IP allocation policies under existing and novel threat models. In response to our stronger proposed threat model, we design IP scan segmentation, an IP allocation policy that protects the address pool against adversarial scanning even when an adversary is not limited by number of cloud tenants. Through empirical evaluation on both synthetic and real-world allocation traces, we show that IP scan segmentation reduces adversaries' ability to rapidly allocate addresses, protecting both address space reputation and cloud tenant data. In this way, we show that principled analysis and implementation of cloud IP address allocation can lead to substantial security gains for tenants and their users.

Paper Structure (73 sections, 4 equations, 9 figures, 2 tables, 5 algorithms)

This paper contains 73 sections, 4 equations, 9 figures, 2 tables, 5 algorithms.

Figures (9)

  • Figure 1: Taxonomy of threats () to the (C)onfidentiality, (I)ntegrity, and (A)vailability of cloud-based network services from IP address reuse. Threats apply to previous tenants (retrospective), future tenants (prospective), and leverage the reputation of IP addresses or associated configuration.
  • Figure 2: IP Scan Segmentation - ➊ The mean IP allocation duration for tenant $T$ is tracked (i.e., $\Bar{d_a}$), ➋ each released IP $n$ is first associated (i.e., tagged) with tenant $T$ & the allocated duration , ➌ the duration associated with the IP $n$ then decays linearly with rate $1/\alpha$ (stored as the cooldown time $t_{cd}$), and ➍ when an IP is allocated for tenant $T^*$, preference is first given to a $T^*$-tagged IP, then to an IP from the general pool whose $t_{cd}$ is closest to $t+\alpha\cdot\Bar{d_a}$.
  • Figure 3: Overview of our analysis - ➊ We first define agents who (A)llocate and (R)elease IP addresses in varying modalities (including adversarial behaviors), ➋ we then evaluate a suite of IP pool allocation policies that govern IPs associated with tenants, ➌ we then simulate interactions between agents and policies, and ➍ collect various statistics concerning pool utilization, adversarial goals, etc.
  • Figure 4: Modeling tenant allocations ($p_c=0.1$).
  • Figure 5: Modeling the single-tenant adversary.
  • ...and 4 more figures
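
The four steps in the Figure 2 caption can be sketched as a small allocator. This is an added example, not code from the paper or from EIPSim; the class and function names, the reading of the cooldown as release time plus $\alpha$ times the held duration, the zero mean for tenants with no history, the least-recently-released baseline, and the 203.0.113.0/24 sample pool are all assumptions made for illustration.

```python
class Pool:
    """IP scan segmentation as read from the Figure 2 caption (illustrative sketch)."""

    def __init__(self, ips, alpha, segmented=True):
        self.alpha, self.segmented = alpha, segmented
        self.free = {ip: (None, 0.0, 0.0) for ip in ips}  # ip -> (tag, t_cd, t_released)
        self.held = {}    # ip -> (tenant, t_allocated)
        self.stats = {}   # tenant -> (sum of durations, count), yields the mean d_a

    def mean_duration(self, tenant):
        total, n = self.stats.get(tenant, (0.0, 0))
        return total / n if n else 0.0   # assumption: unknown tenants start at 0

    def allocate(self, tenant, t):
        own = sorted(ip for ip, v in self.free.items() if v[0] == tenant)
        if not self.segmented:           # baseline: least recently released IP first
            ip = min(self.free, key=lambda i: (self.free[i][2], i))
        elif own:                        # step 4a: prefer an IP tagged with this tenant
            ip = own[0]
        else:                            # step 4b: t_cd closest to t + alpha * mean d_a
            target = t + self.alpha * self.mean_duration(tenant)
            ip = min(self.free, key=lambda i: (abs(self.free[i][1] - target), i))
        del self.free[ip]
        self.held[ip] = (tenant, t)
        return ip

    def release(self, ip, t):
        tenant, t0 = self.held.pop(ip)
        d = t - t0
        total, n = self.stats.get(tenant, (0.0, 0))
        self.stats[tenant] = (total + d, n + 1)          # step 1: track mean duration
        self.free[ip] = (tenant, t + self.alpha * d, t)  # steps 2-3: tag and set t_cd


def sybil_yield(segmented, rounds=10, alpha=2.0):
    # Constructed scenario: 20 benign tenants each hold one IP for 100 time units,
    # then a scanner uses a fresh tenant id per round and holds each IP for 1 unit.
    ips = [f"203.0.113.{i}" for i in range(1, 21)]
    pool = Pool(ips, alpha, segmented)
    held = [pool.allocate(f"benign-{n}", 0.0) for n in range(len(ips))]
    for ip in held:
        pool.release(ip, 100.0)
    seen, t = set(), 100.0
    for r in range(rounds):
        ip = pool.allocate(f"sybil-{r}", t)
        seen.add(ip)
        pool.release(ip, t + 1.0)
        t += 1.0
    return len(seen)   # number of distinct addresses the scanner observed
```

In this constructed scenario `sybil_yield(True)` returns 1 and `sybil_yield(False)` returns 10: short-lived allocations keep landing on the address that was just churned, even though every round uses a new tenant id.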