Secure IP Address Allocation at Cloud Scale
Eric Pauley (University of Wisconsin-Madison), Kyle Domico (Pennsylvania State University), Blaine Hoak (University of Wisconsin-Madison), Ryan Sheatsley (University of Wisconsin-Madison), Quinn Burke (University of Wisconsin-Madison), Yohan Beugin (University of

TL;DR
This paper presents a new IP address allocation policy for public clouds that enhances security by preventing adversarial scanning, based on a statistical model of tenant behavior and empirical evaluation.
Contribution
It introduces IP scan segmentation, a novel IP allocation policy designed to defend against adversarial scanning even with unlimited tenants.
Findings
IP scan segmentation reduces adversaries' address allocation speed
The policy protects address space reputation and tenant data
Empirical results show significant security improvements
Abstract
Public clouds necessitate dynamic resource allocation and sharing. However, the dynamic allocation of IP addresses can be abused by adversaries to source malicious traffic, bypass rate limiting systems, and even capture traffic intended for other cloud tenants. As a result, both the cloud provider and their customers are put at risk, and defending against these threats requires a rigorous analysis of tenant behavior, adversarial strategies, and cloud provider policies. In this paper, we develop a practical defense for IP address allocation through such an analysis. We first develop a statistical model of cloud tenant deployment behavior based on literature and measurement of deployed systems. Through this, we analyze IP allocation policies under existing and novel threat models. In response to our stronger proposed threat model, we design IP scan segmentation, an IP allocation policy…
Taxonomy
Topics: Network Security and Intrusion Detection · Cloud Data Security Solutions · Software-Defined Networks and 5G
