TY - GEN
T1 - A Large-scale Analysis of Cloud Service Abuse
AU - Fukushi, Naoki
AU - Chiba, Daiki
AU - Akiyama, Mitsuaki
AU - Uchida, Masato
N1 - Funding Information:
ACKNOWLEDGMENT This work was supported in part by the Japan Society for the Promotion of Science through Grants-in-Aid for Scientific Research (C) (17K00135).
Publisher Copyright:
© 2020 IEEE.
PY - 2020/6
Y1 - 2020/6
N2 - Cyber-attackers abuse cloud services as an infrastructure for their attacks. In a cloud service, the assigned Internet Protocol (IP) address for a server is owned by the cloud service provider. When the server is shut down, the assigned IP address is released and then assigned to another server in the same cloud service. Thus, cyber-attackers abusing cloud services pose a risk to legitimate service providers, developers, and end users of potentially being falsely blacklisted, which results in a poorer reputation for the service. In this study, we conducted a large-scale measurement of cloud service abuse using blacklisted IP addresses. Our analysis of four cloud services over 154 days using 39 blacklists revealed that a total of 61,060 IP addresses from these cloud service providers were blacklisted, approximately 14,000 IP addresses continue to be blacklisted, and approximately 5% are replaced daily. Moreover, our study revealed trends in attacks that abuse cloud services with respect to attack type, region, duration, and anti-abuse actions. Finally, we discussed recommendations for cloud service users, cloud service providers, and blacklist providers.
AB - Cyber-attackers abuse cloud services as an infrastructure for their attacks. In a cloud service, the assigned Internet Protocol (IP) address for a server is owned by the cloud service provider. When the server is shut down, the assigned IP address is released and then assigned to another server in the same cloud service. Thus, cyber-attackers abusing cloud services pose a risk to legitimate service providers, developers, and end users of potentially being falsely blacklisted, which results in a poorer reputation for the service. In this study, we conducted a large-scale measurement of cloud service abuse using blacklisted IP addresses. Our analysis of four cloud services over 154 days using 39 blacklists revealed that a total of 61,060 IP addresses from these cloud service providers were blacklisted, approximately 14,000 IP addresses continue to be blacklisted, and approximately 5% are replaced daily. Moreover, our study revealed trends in attacks that abuse cloud services with respect to attack type, region, duration, and anti-abuse actions. Finally, we discussed recommendations for cloud service users, cloud service providers, and blacklist providers.
UR - http://www.scopus.com/inward/record.url?scp=85090134439&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85090134439&partnerID=8YFLogxK
U2 - 10.1109/CNS48642.2020.9162303
DO - 10.1109/CNS48642.2020.9162303
M3 - Conference contribution
AN - SCOPUS:85090134439
T3 - 2020 IEEE Conference on Communications and Network Security, CNS 2020
BT - 2020 IEEE Conference on Communications and Network Security, CNS 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2020 IEEE Conference on Communications and Network Security, CNS 2020
Y2 - 29 June 2020 through 1 July 2020
ER -