/proxy/ URL scans with IP addresses (Mon, Mar 16th)
2026-03-16 13:48:54 Author: isc.sans.edu

Attempts to find proxy servers are among the most common scans our honeypots detect. Most of the time, the attacker attempts to use a host header or include the hostname in the URL to trigger the proxy server forwarding the request. In some cases, common URL prefixes like "/proxy/" are used. This weekend, I noticed a slightly different pattern in our logs:

First Seen   Last Seen    Count  Path
2026-03-15   2026-03-16   2      /proxy/http:/[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/169.254.169.254/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/http:/169.254.169.254/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/absolute/[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/absolute/[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/absolute/169.254.169.254/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/[0:0:0:0:0:ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document
2026-03-15   2026-03-16   2      /proxy/[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document
2026-03-15   2026-03-16   2      /proxy/[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/
2026-03-15   2026-03-16   2      /proxy/169.254.169.254/latest/dynamic/instance-identity/document
2026-03-16   2026-03-16   1      /proxy/2852039166/latest/meta-data/iam/security-credentials/

The intent of these requests is to reach the cloud metadata service, which typically listens on 169.254.169.254, a non-routable link-local address. The "security-credentials" directory should list the entities with access to the service, and can then lead to requests for the key material used for authentication.

The attacker does not just use the IPv4 address, but attempts to bypass some filters by using the IPv4-mapped IPv6 address. The prefix ::ffff:0:0/96, followed by the IPv4 address, is used to express IPv4 addresses in IPv6 notation. Note that these addresses are not intended to be routable, but just like 169.254.169.254 they may work on the host itself. In addition, the attacker uses the less abbreviated form, writing out the leading zero groups (0:0:0:0:0:ffff:a9fe:a9fe) instead of the :: shorthand. Finally, the unsigned integer form of the IP address (2852039166) is used.

The metadata service is often exploited using SSRF vulnerabilities. However, the more modern "version 2" of the metadata service attempts to prevent simple SSRF attacks by requiring two requests with different methods and specific custom headers. An SSRF vulnerability is essentially a less functional open proxy. In this case, the attacker assumes a full proxy, so the attack may not be prevented by the more modern metadata service implementation.

Modern web applications use proxies in many different forms. For example, you may have API gateways, load balancers, web application firewalls, or even still some proxies to bypass CORS constraints. Any of these is potentially vulnerable if badly configured. The above list of URLs may make a good starting point to test the implementation of your proxy.
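As an added example (not code from the diary), the check below shows why a plain string match on "169.254.169.254" is not enough when validating a proxy target: it extracts the host from each /proxy/ path listed above, canonicalises the dotted, IPv4-mapped IPv6 and integer forms to one address, and flags link-local destinations. It assumes only the Python standard library; the benign example.com path is constructed for contrast.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample: four paths from the diary's table plus one benign request.
SAMPLE_PATHS = [
    "/proxy/http:/[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/",
    "/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/",
    "/proxy/absolute/[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/",
    "/proxy/2852039166/latest/meta-data/iam/security-credentials/",
    "/proxy/example.com/api/v1/status",  # constructed benign request
]

# Target host after the proxy prefix: optional "absolute/" and "http:/" or "https://",
# then either a bracketed IPv6 literal or anything up to the next slash.
_HOST_RE = re.compile(r"^/proxy/(?:absolute/)?(?:https?:/+)?(?:\[([^\]]+)\]|([^/]+))")


def extract_target_host(path: str) -> Optional[str]:
    m = _HOST_RE.match(path)
    return (m.group(1) or m.group(2)) if m else None


def canonical_ip(host: str):
    """Normalise dotted IPv4, IPv6 literal (abbreviated or not) and bare integer
    forms to one address object; returns None for hostnames (DNS is out of scope)."""
    try:
        addr = ipaddress.ip_address(int(host)) if host.isdigit() else ipaddress.ip_address(host)
    except ValueError:
        return None
    # ::ffff:a9fe:a9fe is IPv4-mapped; unwrap it to the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def naive_string_match(path: str) -> bool:
    """The filter the attacker is betting on: a literal substring check."""
    return "169.254.169.254" in path


def is_metadata_target(path: str) -> bool:
    """True when the proxied destination is link-local (169.254.0.0/16 or fe80::/10),
    which is where cloud metadata services live; such requests should be denied."""
    host = extract_target_host(path)
    addr = canonical_ip(host) if host is not None else None
    return addr is not None and addr.is_link_local


def flagged_paths(paths: List[str]) -> List[str]:
    return [p for p in paths if is_metadata_target(p)]
```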

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/32800