Domain resolves to 169.254.169.254 indicating an AWS rebinding attack
Description
AlphaSOC detected a domain resolving to the IP address 169.254.169.254, which serves as the endpoint for AWS Elastic Compute Cloud (EC2) metadata services. In a DNS rebinding attack, a malicious website can circumvent same-origin policy protections, enabling unauthorized access to internal resources. This tactic often involves deceiving the victim's browser into initiating requests to sensitive metadata services, exposing critical information.
Impact
By rebinding, threat actors can circumvent the same-origin policy and gain unauthorized access to sensitive metadata from EC2 instances, including IAM role credentials. An attacker could then use this information to access and manipulate other AWS services and resources associated with the compromised instance.
Severity
Severity | Condition |
---|---|
High | A domain resolves to 169.254.169.254 |
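
The condition in the table above, written as a small detection pass over DNS response logs. This is an added example, not AlphaSOC's detection code: the JSON log format, field names and sample records are constructed, and folding IPv4-mapped IPv6 answers and reporting a domain's earlier resolutions go slightly beyond the stated condition.

```python
import ipaddress
import json

METADATA_IP = ipaddress.ip_address("169.254.169.254")  # EC2 metadata endpoint named on this page

# Constructed sample DNS response log (JSON lines); the field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "client": "10.0.4.17", "qname": "cdn.example.net", "answers": ["203.0.113.10"]}
{"ts": "2024-05-01T10:00:02Z", "client": "10.0.4.17", "qname": "rebind.example.org", "answers": ["198.51.100.7"]}
{"ts": "2024-05-01T10:00:09Z", "client": "10.0.4.17", "qname": "rebind.example.org", "answers": ["169.254.169.254"]}
{"ts": "2024-05-01T10:00:11Z", "client": "10.0.4.22", "qname": "alias.example.com", "answers": ["target.example.com.", "::ffff:169.254.169.254"]}
not-json garbage line
"""


def to_ip(value):
    """Return a normalised IP for an answer, or None for CNAME targets and junk."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 so it cannot hide the address.
    return getattr(ip, "ipv4_mapped", None) or ip


def find_metadata_resolutions(log_text):
    """Return one High-severity finding per response that resolves to the metadata IP."""
    earlier = {}  # qname -> other addresses seen before, as context for the analyst
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines rather than abort the scan
        qname = rec["qname"].rstrip(".").lower()
        ips = [ip for ip in map(to_ip, rec.get("answers", [])) if ip is not None]
        if METADATA_IP in ips:
            findings.append({"severity": "High", "domain": qname, "client": rec["client"],
                             "ts": rec["ts"],
                             "previously_resolved_to": sorted(earlier.get(qname, set()))})
        earlier.setdefault(qname, set()).update(str(ip) for ip in ips if ip != METADATA_IP)
    return findings


if __name__ == "__main__":
    for finding in find_metadata_resolutions(SAMPLE_LOG):
        print(json.dumps(finding))
```

A non-empty `previously_resolved_to` list means the same name answered with a different address earlier in the log, which is the change of resolution that rebinding depends on.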