An open source security tool has been released with the promise of detecting dangling elastic IP takeovers in a “fool-proof way”
Organisations are vulnerable to these subdomain takeover cyberattacks when they delete Amazon Web Services (AWS) EC2 instances or assign new IPs to them, but forget to delete DNS records that points to IPs connected with the instances.
Attackers can uncover these vulnerable subdomains by continually claiming elastic IPs until they find an IP related with a targeted organization’s subdomain.
This ‘lottery’ approach was also proposal as a way for defenders to detect dangling elastic IPs in research into the attack technique dating back to 2015.
The Australian cybersecurity firm Assetnote’s ‘Ghostbuster’ tool, on the other hand, takes a different approach: It enumerates all public IPs linked with its AWS accounts and checks for DNS records pointing to elastic IPs that aren’t owned by an AWS accounts.