Cloud squatting happens when a company leases space and IP addresses on a public server, uses them, releases the space, and sends them back to the cloud vendors. The server space providers such as Amazon, Google, or Microsoft assign the same addresses to another company. If the new company is a bad actor, it could take advantage of the information coming into the address intended for the previous organisation.

The study conducted by Penn State researchers on a small fraction of IP addresses on Amazon Web Services showed over 5,400 organisations, including 23 of the top 1000 websites, potentially affected. “Because of how our study was structured, the actual number of affected organisations is likely far higher,” said Eric Pauley. Examples of the leaked data included mobile devices sending analytics and tracking data intended for other organisations; financial services organisations sending transaction data between their various cloud services; domain names for government websites pointed to IP addresses they no longer controlled. 

The cloud squatting process/ Source: Penn State Paper

The experiment 

The team conducted a study to determine if cloud tenants were vulnerable to such attacks and to quantify the extent of the problem. The study was carried out in compliance with Amazon’s Vulnerability Reporting program. The team set up a series of cloud server rentals from Amazon Web Services and rented server space for 10-minute intervals. Within this time, they received information addressed to the previous tenants and moved to another server location. The cycle was repeated several times, but they did not ask for or send any information.

The team received 5 million pieces of cloud messages, many containing sensitive data of financial transactions, GPS location, and personally identifiable information. Further, they identified dozens of exploitable software systems spanning hundreds of servers and 5,446 exploitable domains, including 23 in the top 1,000 popular domains. The results were observed across government, academic, and industrial organisations. 

The team also discovered three major root causes for this:

A. Lack of organisational controls

B. Poor service hygiene

C. Failure to follow best practices. 

One of the researchers, Patrick McDaniel, spoke about how the team did not receive health data but said an adversary might receive such data. For instance, one of their IP addresses received requests to the Health and Human Services website, HHS.gov. “We did not further interact, but others could pretend to be an HHS service and get people to interact,” he said. 

Solutions

After identifying the key issues, the research team suggested solutions to address cloud squatting concerns for both cloud vendors and the clients who rent server space. 

The vendors can prevent cloud squatting by preventing IP address reuse. Additionally, they can create reserved IP address blocks. Here, a large client organisation could be assigned a fixed range of recyclable addresses within the company. Organisations can also bring their own IP addresses in the cloud or private IP addresses.

When designing services on public clouds, it should be ensured that references to service IPs are either managed by the cloud provider or some configuration manager or policy. Organisations should also prevent lingering references and ensure they never directly reference IP addresses. Instead, companies can refer to their servers through DNS. 

Source: Penn State Paper

Users can avoid producing IP address configurations that linger after cloud server IP addresses are let go from the client-side. While this is a rarity, the researchers identified that organisations have little visibility into how different accounts use cloud computing capabilities.