Cloud metadata service abuse via ICMP

Attack pattern

Cloud metadata service abuse via ICMP represents a sophisticated attack methodology that leverages the Internet Control Message Protocol to interact with and exploit cloud instance metadata services. These techniques enable attackers to discover, query, and harvest sensitive information from cloud metadata services while potentially evading traditional security controls designed for HTTP-based metadata access.

1. Cloud metadata service abuse [OR]

    1.1 IMDS exploitation [OR]
    
        1.1.1 ICMP-based IMDSv1 queries
            1.1.1.1 AWS instance metadata service discovery via ICMP
            1.1.1.2 Metadata harvesting through crafted ICMP packets
            1.1.1.3 Instance role credential extraction via ICMP
            1.1.1.4 User data retrieval through ICMP manipulation
            
        1.1.2 Instance metadata service discovery
            1.1.2.1 Cloud provider metadata endpoint identification
            1.1.2.2 Metadata service version detection via ICMP
            1.1.2.3 Regional metadata service discovery
            1.1.2.4 Multi-cloud metadata service enumeration
            
        1.1.3 Cloud credential harvesting
            1.1.3.1 Temporary security credential extraction
            1.1.3.2 IAM role information gathering
            1.1.3.3 Access key ID and secret key harvesting
            1.1.3.4 Session token collection through ICMP
            
    1.2 Serverless SSRF attacks [OR]
    
        1.2.1 ICMP-triggered serverless SSRF
            1.2.1.1 Lambda function metadata service access via ICMP
            1.2.1.2 Cloud function metadata exploitation
            1.2.1.3 Serverless environment credential harvesting
            1.2.1.4 Function-as-a-service metadata compromise
            
        1.2.2 Container metadata service access
            1.2.2.1 Kubernetes pod metadata service targeting
            1.2.2.2 Container role credential extraction
            1.2.2.3 Docker container metadata exploitation
            1.2.2.4 Container orchestration platform metadata access
            
        1.2.3 Kubernetes API server targeting
            1.2.3.1 API server discovery via ICMP techniques
            1.2.3.2 Service account token harvesting
            1.2.3.3 Cluster metadata extraction
            1.2.3.4 Kubernetes role-based access control bypass
            
    1.3 Cloud network reconnaissance [OR]
    
        1.3.1 VPC metadata discovery via ICMP
            1.3.1.1 Virtual private cloud configuration analysis
            1.3.1.2 Subnet and routing table information gathering
            1.3.1.3 Network access control list enumeration
            1.3.1.4 Cloud router configuration discovery
            
        1.3.2 Cloud security group mapping
            1.3.2.1 Security group rule inference through ICMP responses
            1.3.2.2 Network security policy enumeration
            1.3.2.3 Inbound and outbound rule discovery
            1.3.2.4 Implicit deny rule identification
            
        1.3.3 Service endpoint discovery
            1.3.3.1 Private service endpoint identification
            1.3.3.2 Cloud service interface discovery
            1.3.3.3 API gateway endpoint enumeration
            1.3.3.4 Load balancer and proxy service mapping
            
    1.4 Metadata service evasion [OR]
    
        1.4.1 Hop limit manipulation
            1.4.1.1 TTL/hop limit adjustment for local metadata access
            1.4.1.2 Route manipulation to reach metadata services
            1.4.1.3 Network namespace traversal techniques
            1.4.1.4 Container escape via metadata service targeting
            
        1.4.2 Protocol conversion attacks
            1.4.2.1 ICMP to HTTP protocol conversion for metadata access
            1.4.2.2 Packet crafting for service communication
            1.4.2.3 Protocol tunnelling through ICMP
            1.4.2.4 Metadata service API call simulation
            
    1.5 Persistence and access maintenance [OR]
    
        1.5.1 Credential persistence techniques
            1.5.1.1 Regular credential refresh through automated queries
            1.5.1.2 Long-lived access maintenance
            1.5.1.3 Token renewal automation
            1.5.1.4 Credential caching and storage
            
        1.5.2 Access expansion methods
            1.5.2.1 Privilege escalation through harvested credentials
            1.5.2.2 Lateral movement using cloud credentials
            1.5.2.3 Cross-account access achievement
            1.5.2.4 Service role assumption attacks
            
    1.6 Cloud provider-specific exploitation [OR]
    
        1.6.1 Multi-cloud metadata targeting
            1.6.1.1 AWS instance metadata service exploitation
            1.6.1.2 Azure instance metadata service targeting
            1.6.1.3 Google cloud metadata service access
            1.6.1.4 Oracle cloud infrastructure metadata exploitation
            
        1.6.2 Provider-specific feature abuse
            1.6.2.1 Cloud-specific metadata field exploitation
            1.6.2.2 Custom metadata service feature targeting
            1.6.2.3 Provider-specific API endpoint discovery
            1.6.2.4 Unique cloud service metadata access

Why it works

  • Protocol necessity: ICMP is essential for network operations and cannot be completely blocked

  • Metadata service accessibility: Cloud metadata services are designed to be easily accessible from instances

  • Security control gaps: Many cloud security controls focus on HTTP traffic while overlooking ICMP

  • Instance trust assumptions: Cloud platforms inherently trust instance-originated communications

  • Protocol conversion: ICMP can be used to trigger or facilitate other protocol communications

  • Monitoring limitations: Cloud monitoring often lacks deep ICMP analysis capabilities

Mitigation

Metadata service protection

  • Action: Implement robust metadata service protection measures

  • How:

    • Use IMDSv2 with mandatory session tokens where available

    • Implement metadata service access restrictions

    • Configure instance metadata service hop limits

    • Use cloud provider metadata service security features

  • Best practice: Employ the latest metadata service versions with enhanced security features

Network security hardening

  • Action: Harden cloud network configurations against metadata abuse

  • How:

    • Implement strict network security group rules

    • Use virtual private cloud flow logging

    • Deploy cloud-native firewall capabilities

    • Implement network access control lists with explicit deny rules

  • Best practice: Principle of least privilege for network access

Instance security measures

  • Action: Strengthen instance security against metadata service attacks

  • How:

    • Use instance roles with minimal necessary permissions

    • Implement host-based firewalls with ICMP filtering

    • Regularly update and patch operating systems

    • Use security-enhanced operating system images

  • Best practice: Regular security assessment and hardening of cloud instances

Monitoring and detection

  • Action: Deploy comprehensive monitoring for metadata service abuse

  • How:

    • Implement cloud trail logging and monitoring

    • Use cloud security posture management tools

    • Deploy intrusion detection systems with metadata service awareness

    • Monitor for unusual ICMP patterns and metadata access attempts

  • Best practice: Continuous monitoring with real-time alerting capabilities

Access control and authentication

  • Action: Implement strong access controls for cloud resources

  • How:

    • Use role-based access control with least privilege principles

    • Implement multi-factor authentication for cloud access

    • Regularly review and audit IAM policies and permissions

    • Use conditional access policies based on device and network context

  • Best practice: Regular access review and privilege minimisation

Key insights from real-world attacks

  • Metadata service exploitation: Cloud metadata services remain a popular attack target

  • Protocol versatility: Attackers increasingly use non-HTTP protocols for metadata access

  • Cloud configuration complexity: Misconfigurations are common in cloud environments

  • Detection challenges: ICMP-based metadata attacks are difficult to detect

  • Increasing sophistication: Metadata service attacks will continue to evolve

  • Multi-protocol attacks: More protocols will be exploited for metadata access

  • Cloud security evolution: Providers will enhance metadata service protections

  • Automated defence: Machine learning will improve detection capabilities

Conclusion

Cloud metadata service abuse via ICMP represents a significant and evolving threat to cloud security. These attacks leverage the fundamental necessity of ICMP for network operations while exploiting the accessibility of cloud metadata services. The techniques enable attackers to discover sensitive information, harvest credentials, and conduct reconnaissance while potentially evading traditional security controls. Defence requires a comprehensive approach including metadata service protection, network security hardening, instance security measures, advanced monitoring, and robust access controls. As cloud adoption continues to grow and attack techniques become more sophisticated, organisations must maintain vigilance and implement cloud-specific security best practices. The future of cloud security will depend on addressing these evolving threats while maintaining the flexibility and accessibility that make cloud platforms valuable.