Eric Pauley (University of Wisconsin–Madison), Kyle Domico (University of Wisconsin–Madison), Blaine Hoak (University of Wisconsin–Madison), Ryan Sheatsley (University of Wisconsin–Madison), Quinn Burke (University of Wisconsin–Madison), Yohan Beugin (University of Wisconsin–Madison), Engin Kirda (Northeastern University), Patrick McDaniel (University of Wisconsin–Madison)

Public clouds necessitate dynamic resource allocation and sharing. However, the dynamic allocation of IP addresses can be abused by adversaries to source malicious traffic, bypass rate limiting systems, and even capture traffic intended for other cloud tenants. As a result, both the cloud provider and their customers are put at risk, and defending against these threats requires a rigorous analysis of tenant behavior, adversarial strategies, and cloud provider policies. In this paper, we develop a practical defense for IP address allocation through such an analysis. We first develop a statistical model of cloud tenant deployment behavior based on literature and measurement of deployed systems. Through this, we analyze IP allocation policies under existing and novel threat models. In response to our stronger proposed threat model, we design IP scan segmentation, an IP allocation policy that protects the address pool against adversarial scanning even when an adversary is not limited by number of cloud tenants. Through empirical evaluation on both synthetic and real-world allocation traces, we show that IP scan segmentation reduces adversaries' ability to rapidly allocate addresses, protecting both address space reputation and cloud tenant data. In this way, we show that principled analysis and implementation of cloud IP address allocation can lead to substantial security gains for tenants and their users.

View More Papers

ReThink: Reveal the Threat of Electromagnetic Interference on Power...

Fengchen Yang (Zhejiang University; ZJU QI-ANXIN IoT Security Joint Labratory), Zihao Dan (Zhejiang University; ZJU QI-ANXIN IoT Security Joint Labratory), Kaikai Pan (Zhejiang University; ZJU QI-ANXIN IoT Security Joint Labratory), Chen Yan (Zhejiang University; ZJU QI-ANXIN IoT Security Joint Labratory), Xiaoyu Ji (Zhejiang University; ZJU QI-ANXIN IoT Security Joint Labratory), Wenyuan Xu (Zhejiang University; ZJU…

Read More

DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing

Liam Wachter (EPFL), Julian Gremminger (EPFL), Christian Wressnegger (Karlsruhe Institute of Technology (KIT)), Mathias Payer (EPFL), Flavio Toffalini (EPFL)

Read More

RAIFLE: Reconstruction Attacks on Interaction-based Federated Learning with Adversarial...

Dzung Pham (University of Massachusetts Amherst), Shreyas Kulkarni (University of Massachusetts Amherst), Amir Houmansadr (University of Massachusetts Amherst)

Read More

Evaluating Machine Learning-Based IoT Device Identification Models for Security...

Eman Maali (Imperial College London), Omar Alrawi (Georgia Institute of Technology), Julie McCann (Imperial College London)

Read More