We’re excited to release a new detection type, allowing you to detect advanced metadata DNS rebind activities in real time.
A metadata DNS rebind detection alerts you that a virtual machine or a container is querying a domain that resolves to the metadata service IP address (169.254.169.254).
What is Cloud Instance Metadata Service (IMDS)?
When cloud instances/containers in AWS, Microsoft Azure or Google Cloud require access to data about itself or the cloud environment, it can query its Instance Metadata Service (IMDS) that typically listens to the IPv4 address of 169.254.169.254 as well as, in the case of AWS, the IPv6 address of fd00:ec2::254.
Using IMDS, machines can discover things like the region and availability zone they run in, the subnet the instance/VM is a part of, the image used to launch the system and the security groups used to control network access to the system.
There are some more sensitive items that can be retrieved as well, like:
- User-data (startup/boot script) passed to the system at boot time (could contain secrets)
- IAM role credentials (could allow access to the greater AWS cloud account)
- Managed identity credentials (could allow access to the Azure account)
- Service account tokens (allowing access to the Google Cloud account)
Indicators of Metadata Compromise
When a metadata DNS rebind is detected, it can indicate compromise or that a malicious action is being attempted. For example, it could signify that an attacker is attempting to carry out a DNS rebinding to obtain instance or user metadata from a virtual machine, such as its IAM credentials, and use them to do anything that the virtual machine or the application is permitted to do.
In a DNS rebind attack, a malicious entity tricks an application running on a virtual machine to load return data from a URL, getting the domain name in the URL to resolve to the virtual machine metadata IP address (169.254.169.254). In doing so, the application accesses the virtual machine and can make its instance and user metadata available to the attacker.
It’s worth noting that a DNS rebind attack can only successfully access virtual machine metadata if the virtual machine is running a vulnerable application that will allow for the injection of URLs, or if a user accesses the URL in a web browser that is running on the virtual machine. Upwind leverages runtime context to determine real risk and immediately identify if your applications are vulnerable and if a DNS rebind attack poses a true risk to your organization.
Read more about Metadata DNS Rebind detections in the Upwind Documentation Center.
