December 8, 2023

An open-source security tool has been launched with the promise of a “fool-proof way” to detect dangling elastic IP takeovers.

Organizations were vulnerable to these takeover attacks when they delete AWS EC2 instances or assign them new IPs but forget to remove DNS records that point to IPs associated with the instances. Attackers can identify these vulnerable subdomains by continually claiming elastic IPs until they find an IP associated with the subdomain of a targeted organization.


Ghostbuster tool enumerates all public IPs associated with an organization’s AWS accounts and checks for DNS records pointing to elastic IPs that its AWS accounts don’t own.

This approach is, as the name suggests, like a lottery: you may get, you may not. Dangling elastic IP subdomain takeovers are one of many frequently occurring misconfiguration vulnerabilities to arise from the “shared responsibility” security model used by major cloud providers, Shah said in a blog post.

This subdomain takeover is becoming more common, as organizations migrate services to the public cloud and inadvertently misconfigure their instances something that is exacerbated by automatic provisioning. The Impact is major when comparing to other take over techniques

As well as hosting malicious content or leveraging a ‘trusted’ domain for phishing attacks, attackers can also potentially claim the subdomain’s SSL certificates via ACME TLS challenges; intercept sensitive information being sent to the subdomain; and run server-side scripts that steal HTTPOnly cookies, thus enabling one-click account takeover attacks.


AWS currently combats the threat by blocking accounts that perform suspicious attack patterns, which raises the bar for exploitation to some extent (particularly at scale) but is not an effective long-term mitigation to the underlying issue.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.