Stale DNS entry IP address takeover

0

We received an email from a whitehat security researcher who was leased a public IP address that we used to own and still had a DNS entry pointing to. Does AWS have mechanisms to prevent this? Can a potential attacker request any free IP that they want, or must they request multiple IPs hoping to get a match? If the latter, is this behavior monitored and flagged?

Thanks!

asked 2 months ago, 176 views
1 Answer
0
Accepted Answer

The attacker can't choose which IPs they get. In very general terms, without familiarity with your case, chances are they wouldn't be after you specifically but probably in the business of hijacking similar setups of many customers. They wouldn't need to go to a lot of effort to get just the IP you were using, but instead they would simply start grabbing whatever IPs they randomly got assigned to them, in the hopes of finding customers who had useful DNS names pointing to them.

In general terms, when we run websites in AWS with security in mind, we don't expose EC2 instances (VMs) directly to the internet with public, static or long-term IPs. AWS has a security posture assessment service called AWS Security Hub that even explicitly checks for this and advises against it: https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-9

Instead, we would place our EC2 instances, container tasks, or other compute capacity hosting our service behind an Application Load Balancer (ALB). We could further place a CloudFront distribution in front of the ALB, but to keep this concise, I'll just talk about the ALB. We would configure alias records in a Route 53 hosted zone or CNAME records in a third-party DNS service to make our own, customer-specific DNS names aliases that point to the AWS-managed DNS name for the ALB.

When we later delete the ALB, releasing its IP addresses for use by other AWS customers, our DNS names will immediately stop pointing to them, because AWS's automation deletes the AWS-managed DNS records to which our DNS names are still pointing. In effect, our custom DNS name will no longer point to any IP, because the ALB to which our alias record is pointing doesn't exist.

Incidentally, an ALB changes its IP addresses relatively frequently, so we would quickly notice if we made the mistake of configuring our DNS names to point to the individual IPs of the ALB. This would help to ensure that when we delete the resource, we won't accidentally be left with DNS names pointing to IP addresses reassigned to others.

EXPERT
Leo K
answered 2 months ago
EXPERT
shibata
reviewed 2 months ago
  • Thanks! Yes, we have everything behind CloudFront, ALB or API Gateway, using aliases in Route 53 or CNAMEs. The IPv4 address in question was used for an old preview website provided by a third party.
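The accepted answer describes two things a zone owner should check for: A records that still point at a public address the account no longer holds (the situation in the question), and A records that hard-code a load balancer's rotating IPs instead of using an alias record. The following is an added audit script illustrating that check; it is not code from the post, the answerer, or AWS. The record and address lists are constructed sample data shaped like Route 53 `ListResourceRecordSets` and EC2 `DescribeAddresses` / `DescribeNetworkInterfaces` output, the hosted zone id is a placeholder, and the `audit_a_records` function name is my own. In a real audit you would fetch the live data with boto3 (`route53.list_resource_record_sets`, `ec2.describe_addresses`, `ec2.describe_network_interfaces`) across every account and region you own.

```python
"""Audit a hosted zone for dangling or hard-coded A records (added example)."""
import ipaddress

# Constructed sample: records as returned for one hosted zone. Addresses are
# from the RFC 5737 documentation ranges; the ALB name and zone id are placeholders.
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "my-alb-123456.eu-west-1.elb.amazonaws.com.",
                     "HostedZoneId": "ZHOSTEDZONEPLACEHOLDER",
                     "EvaluateTargetHealth": False}},
    {"Name": "api.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.20"}]},
    {"Name": "preview.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "legacy.example.com.", "Type": "A", "TTL": 60,
     "ResourceRecords": [{"Value": "198.51.100.7"}]},
    {"Name": "internal.example.com.", "Type": "A", "TTL": 60,
     "ResourceRecords": [{"Value": "10.0.1.5"}]},
    {"Name": "example.com.", "Type": "MX", "TTL": 3600,
     "ResourceRecords": [{"Value": "10 mail.example.com."}]},
]

# Constructed sample: public addresses currently allocated to our account
# (Elastic IPs plus the public IPs of every network interface we own).
OWNED_PUBLIC_IPS = {"203.0.113.20", "198.51.100.7"}

# Constructed sample: the subset of owned addresses that belong to load
# balancer network interfaces.
LOAD_BALANCER_IPS = {"198.51.100.7"}

# VPC-internal (RFC 1918) space is never handed to another AWS customer, so
# records pointing there are not a takeover risk and are skipped.
RFC1918_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_a_records(records, owned_ips, lb_ips):
    """Return a list of (record name, address, issue) findings."""
    findings = []
    for record in records:
        # Alias records are resolved by AWS and stop resolving when the target
        # is deleted, so they can never be left pointing at a released address.
        if record["Type"] != "A" or "AliasTarget" in record:
            continue
        for rr in record.get("ResourceRecords", []):
            value = rr["Value"]
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append((record["Name"], value, "unparseable address"))
                continue
            if any(addr in net for net in RFC1918_NETWORKS):
                continue
            if value in lb_ips:
                # Load balancer addresses rotate; this record should be an alias.
                findings.append((record["Name"], value,
                                 "hard-coded load balancer IP; use an alias record"))
            elif value not in owned_ips:
                # Nothing we own answers at this address any more: a stale record
                # that could be pointing at another tenant's resource.
                findings.append((record["Name"], value,
                                 "dangling: address no longer allocated to this account"))
    return findings


if __name__ == "__main__":
    for name, addr, issue in audit_a_records(SAMPLE_RECORDS,
                                             OWNED_PUBLIC_IPS, LOAD_BALANCER_IPS):
        print(f"{name:<25} {addr:<16} {issue}")
```

Run as a scheduled job this gives the early warning the question asks about: the `preview.example.com.` record is flagged as dangling because its address is no longer in the owned set, and `legacy.example.com.` is flagged because it hard-codes an ALB address that will rotate. If the ALB is later deleted, its address drops out of both sets and the same record is reported as dangling instead.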