New defense against attacks that can cause more damage than other flavors of subdomain takeover

Introducing Ghostbuster - AWS security tool protects against dangling elastic IP takeovers

An open source security tool has been launched with the promise of a “fool-proof way” to detect dangling elastic IP takeovers.

Organizations leave themselves vulnerable to these subdomain takeover attacks when they delete Amazon Web Services (AWS) EC2 instances or assign them new IPs but forget to remove DNS records that point to IPs associated with the instances.

Attackers can identify these vulnerable subdomains by continually claiming elastic IPs until they find an IP associated with the subdomain of a targeted organization.

This ‘lottery’ approach has also been proposed as a means for defenders to detect dangling elastic IPs in research into the attack technique dating back to 2015.

However, the ‘Ghostbuster’ tool, developed by Australian cybersecurity firm Assetnote, offers a different approach: It enumerates all public IPs associated with an organization’s AWS accounts and checks for DNS records pointing to elastic IPs that its AWS accounts don’t own.

Attack vector eliminated

Shubham Shah, co-founder and CTO at Assetnote, said the firm’s own hit-and-miss experiments with the lottery approach had prompted AWS to tell its researchers to stop using the technique.

“This approach is, as the name suggests, like a lottery: you may get lucky, you may not,” he told The Daily Swig. “It is not a fool-proof way at detecting dangling elastic IP takeovers, whereas Ghostbuster is.

Catch up with the latest cloud security news

He added: “Whereas the lottery approach is the only approach attackers can use, with Ghostbuster, you can eliminate dangling elastic IP takeovers entirely.”

The only caveat is that you need “access to all of your AWS accounts and your DNS records” in order to obtain “accurate and complete results”.

High impact

Dangling elastic IP subdomain takeovers are one of many frequently occurring misconfiguration vulnerabilities to arise from the “shared responsibility” security model used by major cloud providers, Shah said in a blog post.

This particular flavor of subdomain takeover is becoming more common, as organizations migrate services to the public cloud and inadvertently misconfigure their instances – something that is “exacerbated by automatic provisioning”.

The potential impact is also more serious than for other subdomain takeover techniques where attackers can only control the content being served.

YOU MIGHT ALSO LIKE Microsoft bolsters Edge browser security with enhanced features

As well as hosting malicious content or leveraging a ‘trusted’ domain for phishing attacks, attackers can also potentially claim the subdomain’s SSL certificates via ACME TLS challenges; intercept sensitive information being sent to the subdomain; and run server-side scripts that steal HTTPOnly cookies, thus enabling one-click account takeover attacks.

“Almost every company that uses AWS suffers from this attack vector,” said Shah. “In many cases, it is possible to perform account takeover attacks due to broad cookie scoping as well.”

Some bug hunters earn as much as $50,000 a month exploiting the issue on AWS customers, said Shah.

AWS currently combats the threat by blocking accounts that perform suspicious attack patterns, which “raises the bar for exploitation to some extent (particularly at scale)”, but “is not an effective long-term mitigation to the underlying issue”.

AWS is apparently working on additional mitigations. The Daily Swig has asked AWS when these mitigations might arrive, so we will update the article if and when we receive a reply.


Ghostbuster “uses your .aws/config and .aws/credentials files to iterate through every configured account and perform processing”, said Shah.

You can use Route53, Cloudflare, or manual inputs to manage your DNS zones, and “it is also possible to configure a Slack webhook so that this tool will send a notification upon detecting a potential takeover”.

Ghostbuster can also “run as a cron job on a frequent basis, informing you of potential elastic IP takeovers over time”.

RECOMMENDED Poisoned pipelines: Security researcher explores attack methods in CI environments