Full Report
us-east-1 is the most popular AWS region. Since the region name appears in many hostnames, such as S3 endpoints, the author decided to purchase us-east-1.com to see whether it received any interesting traffic. The connecting computers are likely misconfigured somehow, but it's interesting nonetheless. The names are otherwise complete, but a higher-level domain label was accidentally left out.

prod-backend-db.cc66xuedqt2t.us-east-1.com had the most DNS queries. Given that there's a random identifier in the name, I'd expect this to be some hosted database service URL from AWS. The root domain had a lot of hits as well. loopback-streaming.us-east-1.com is likely some internal testing URL at AWS because of the word loopback in its name. Another interesting one was the Cisco Static File Reputation Host. Apparently, this is part of the legacy version of their email security gateway. Since this domain is incorrect, that email security gateway is misconfigured and could allow malicious files into the org. Many other domains like storagegateway.us-east-1.com and s3.us-east-1.com were in there as well. The author thinks these came from somebody typing out the wrong domain by hand instead of copying it. It's weird that these lasted for this long, as I'd expect them to notice the errors in the returned data.

My personal favorite was the final one: smtp.mail.us-east-1.com. They kept getting a lot of emails from the AWS test environments as well. It appears that these test domains were configured incorrectly. For instance, [email protected] sent loads of emails. This is interesting and could potentially lead to data exposure of testing accounts.

The security of this domain matters. To me, many of the requests would have been a lot more if it were the expected result for the end user. Once it failed, they probably reconfigured things. A malicious adversary could have returned unintended data or harvested the data if it were a storage system like S3. Phishing is an issue as well.

Overall, a good write-up and money well spent on the domain!
Analysis Summary
# Research: I bought us-east-1.com: A Look at Security, DNS Traffic, and Protecting AWS Users
## Metadata
- **Authors:** Gabriel Koo
- **Institution:** AWS Community Builders
- **Publication:** DEV Community (AWS Builders)
- **Date:** October 27, 2024 (Updated April 27, 2025)
## Abstract
This technical analysis explores the security implications of "typosquatting" a high-traffic infrastructural string. By registering `us-east-1.com`—a domain mimicking the most popular AWS region—the author captured significant unintentional DNS traffic and email communications. The results reveal widespread configuration errors in production environments, potentially exposing sensitive database identifiers, internal testing parameters, and security gateway vulnerabilities.
## Research Objective
The research aims to investigate the volume and nature of "leakage" traffic directed at a domain that mimics a major cloud infrastructure region. It seeks to identify the types of misconfigurations prevalent in enterprise environments and the risks associated with such data exposure.
## Methodology
### Approach
The researcher utilized a **Passive DNS Observation and Sinkholing** strategy. By purchasing an available domain that is a common sub-string of official AWS endpoints, the author acted as a benign "sinkhole" to collect and analyze incoming requests.
### Dataset/Environment
- **Domain:** `us-east-1.com`
- **Duration:** Data collected between December 2021 and late 2024.
- **Traffic Types:** DNS query logs and SMTP (email) traffic.
### Tools & Technologies
- Domain Registrar/DNS Management tools.
- Log analysis of DNS queries.
- SMTP server for capturing misdirected emails.
- OSINT (Google, Cisco documentation) for mapping captured subdomains to specific services.
## Key Findings
### Primary Results
1. **High-Volume Database Leakage:** The subdomain `prod-backend-db.cc66xuedqt2t.us-east-1.com` generated ~23,420 queries per day, likely representing a misconfigured hosted database service.
2. **Legacy Security Vulnerabilities:** Traffic intended for Cisco’s Email Security Gateway was intercepted due to legacy configurations (approx. 2,000 queries/day).
3. **Internal Infrastructure Exposure:** Significant traffic from AWS "Gamma" (internal testing) environments was captured, including automated system emails.
4. **Service-Specific Typos:** Users frequently omit suffix parts of VPC endpoints (e.g., forgetting `.vpce.amazonaws.com`), leading traffic to the researcher's domain.
### Supporting Evidence
- **Daily Query Volume:** 10,890 queries to the root domain and 8,140 queries to `loopback-streaming` subdomains.
- **Email Influx:** In December 2023 alone, thousands of emails were received from internal AWS test environments (e.g., `[email protected]`).
### Novel Contributions
- Identifies the specific risk of "Regional Typosquatting," where the name of a cloud region itself becomes a vector for data leakage.
- Demonstrates that even if a full URL is not "squatted," partial matches in configuration files can redirect traffic to top-level domains owned by third parties.
## Technical Details
The traffic pattern suggests manual configuration errors. For example, a user might enter `s3.us-east-1.com` instead of the correct `s3.us-east-1.amazonaws.com`. Because `us-east-1.com` is a registrable domain under the public `.com` TLD, the recursive resolver resolves the name through the public DNS instead of returning NXDOMAIN, so the query reaches the author's authoritative nameservers (and any service the author chooses to run behind them).
## Practical Implications
### For Security Practitioners
- **Data Exfiltration Risk:** An adversary could host a fake S3 API or Database endpoint on this domain to harvest credentials or uploaded data.
- **Phishing:** The domain is highly convincing for social engineering against AWS administrators.
### For Defenders
- **DNS Filtering:** Implement **AWS Route 53 Resolver DNS Firewall** to block outbound requests to non-official domains.
- **Validation:** Audit Infrastructure-as-Code (IaC) templates for truncated region strings.
- **Email Security:** Update legacy Cisco Email Security configurations to ensure file reputation checks use correct, fully qualified endpoints.
### For Researchers
- Highlights the need for studies on "Infrastructural Typosquatting" (targeting regions, zones, or service prefixes rather than brand names).
## Limitations
- The analysis is based on a single domain (`us-east-1.com`); other regions (e.g., `us-west-2.com`) were not analyzed.
- The researcher did not interact with the connecting systems to avoid ethical violations, meaning the exact content of the "prod-backend" traffic remains hypothesized.
## Comparison to Prior Work
While traditional typosquatting targets end-users (e.g., `gogle.com`), this research highlights **Machine-to-Machine (M2M) typosquatting**, where automated scripts and backend configs are the primary source of the "typo."
## Real-world Applications
- **Infrastructure Auditing:** Companies can search their codebases for the string `.us-east-1.com` (missing `.amazonaws`) to find latent bugs.
- **Honeypots:** Organizations can register similar internal-lookalike domains to detect misconfigured assets within their networks.
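The two defensive checks above (auditing IaC and code for truncated region strings, and watching DNS traffic for names that end in a bare `<region>.com`) share one piece of logic: recognising a hostname whose final labels are an AWS region followed by `.com` with no `amazonaws` in between. The following script is an added example, not code from the article or from AWS. It generalises from the page's `us-east-1` case to any region name of the shape `<area>-<direction>-<digit>` (an assumption about region naming; `us-east-1`, `eu-west-2`, `ap-southeast-1` and `us-gov-west-1` all fit). It further assumes that genuine AWS endpoints end in `amazonaws.com`, that the query-log lines carry the `query_name` and `srcaddr` fields of Route 53 Resolver query logs, and that a DNS Firewall domain list accepts `*.example.com` wildcards; the config fragment and log lines are constructed for the demonstration, and the `KNOWN_SERVICES` set is a hypothetical allow-list of service prefixes whose correct endpoint is unambiguous.

```python
"""Find truncated AWS endpoint hostnames (e.g. s3.us-east-1.com) in
configuration text and in DNS query logs.

Added example, not the article's code. Assumptions: AWS region names look
like <area>-<direction>-<digit>; real AWS endpoints end in amazonaws.com,
so a hostname ending in <region>.com is truncated; the query-log lines mimic
Route 53 Resolver query-log JSON (query_name, srcaddr); DNS Firewall domain
lists accept "*." wildcards. All sample inputs below are constructed.
"""
import json
import re
from collections import Counter
from typing import Iterable, Optional

# One AWS region label such as "us-east-1" or "ap-southeast-2" (assumption).
REGION = r"[a-z]{2}-(?:gov-)?[a-z]+-\d"

# A hostname whose final labels are "<region>.com": the truncated form.
# Group 1 holds the leading labels (service name or identifiers), group 2
# the region. The look-arounds stop matches inside longer names such as
# s3.us-east-1.amazonaws.com, which must not be flagged.
TRUNCATED = re.compile(
    rf"(?<![\w.-])((?:[a-z0-9-]+\.)*)({REGION})\.com(?![\w-])",
    re.IGNORECASE,
)

# Hypothetical allow-list: services whose canonical endpoint is
# <service>.<region>.amazonaws.com. Only these get an automatic suggestion.
KNOWN_SERVICES = {"s3", "sqs", "sns", "sts", "ec2", "lambda", "dynamodb", "kms"}


def find_truncated(text: str) -> list:
    """Return every truncated endpoint hostname in *text*, lower-cased."""
    return [m.group(0).lower() for m in TRUNCATED.finditer(text)]


def suggest_fix(host: str) -> Optional[str]:
    """Propose the full endpoint only when the service prefix is known.

    Names like prod-backend-db.<id>.us-east-1.com are ambiguous (the missing
    part could be rds.amazonaws.com, vpce.amazonaws.com, ...), so return None
    and leave the decision to a human.
    """
    m = TRUNCATED.fullmatch(host)
    if not m:
        return None
    labels = m.group(1).rstrip(".").split(".") if m.group(1) else []
    if len(labels) == 1 and labels[0].lower() in KNOWN_SERVICES:
        return f"{labels[0].lower()}.{m.group(2).lower()}.amazonaws.com"
    return None


def scan_config(text: str) -> list:
    """Audit an IaC/config file: one finding per truncated hostname."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for host in find_truncated(line):
            findings.append({"line": lineno, "host": host, "fix": suggest_fix(host)})
    return findings


def scan_query_log(lines: Iterable[str]) -> Counter:
    """Count truncated-endpoint queries per (name, source address).

    A non-zero count means a live system on that address is still sending
    traffic toward a domain owned by a third party.
    """
    counts: Counter = Counter()
    for raw in lines:
        rec = json.loads(raw)
        name = rec["query_name"].rstrip(".").lower()  # logs use FQDN form
        if TRUNCATED.fullmatch(name):
            counts[(name, rec.get("srcaddr", ""))] += 1
    return counts


def firewall_domains(hosts: Iterable[str]) -> list:
    """Derive apex and wildcard entries for a DNS Firewall block list."""
    domains = set()
    for host in hosts:
        m = TRUNCATED.fullmatch(host)
        if m:
            apex = f"{m.group(2).lower()}.com"
            domains.update({apex, f"*.{apex}"})
    return sorted(domains)


# Constructed sample inputs (not real configuration or real logs).
SAMPLE_CONFIG = """\
S3_ENDPOINT = "https://s3.us-east-1.amazonaws.com"      # correct
BACKUP_ENDPOINT = "https://s3.us-east-1.com"            # truncated
DB_HOST = "prod-backend-db.cc66xuedqt2t.us-east-1.com"  # truncated, ambiguous
QUEUE_URL = "https://sqs.eu-west-2.amazonaws.com/123456789012/jobs"
"""

SAMPLE_QUERY_LOG = [
    '{"query_timestamp":"2024-10-01T00:00:01Z","query_name":"s3.us-east-1.com.","srcaddr":"10.0.1.5"}',
    '{"query_timestamp":"2024-10-01T00:00:02Z","query_name":"s3.us-east-1.amazonaws.com.","srcaddr":"10.0.1.5"}',
    '{"query_timestamp":"2024-10-01T00:00:03Z","query_name":"loopback-streaming.us-east-1.com.","srcaddr":"10.0.2.9"}',
    '{"query_timestamp":"2024-10-01T00:00:04Z","query_name":"s3.us-east-1.com.","srcaddr":"10.0.1.5"}',
]

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['host']} -> {f['fix'] or 'manual review'}")
    hits = scan_query_log(SAMPLE_QUERY_LOG)
    for (name, src), n in hits.items():
        print(f"{n:>4} queries for {name} from {src}")
    print("block list:", firewall_domains(name for name, _ in hits))
```

Run against a real code tree, `scan_config` gives the latent-bug search described under Infrastructure Auditing, with a suggested correction only where the prefix is a known service; everything else is deliberately left for manual review, because the page's own `prod-backend-db` example shows that the dropped part is not always `.amazonaws.com`. `scan_query_log` is the detection side: a per-source count of queries that still leave the network for a `<region>.com` name, and `firewall_domains` turns those names into the entries you would load into a Route 53 Resolver DNS Firewall domain list.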
## Future Work
- Analysis of other major cloud providers (Azure/GCP) for similar regional naming vulnerabilities.
- Evaluation of the effectiveness of automated linting tools in catching these specific domain truncations.
## References
- Cisco Systems. *Configuring Static File Reputation Host.* [https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/210534-Configuring-static-File-Reputation-host.html](https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/210534-Configuring-static-File-Reputation-host.html)
- AWS Documentation. *Route 53 Resolver DNS Firewall.* [https://aws.amazon.com/route53/details/resolver-dns-firewall/](https://aws.amazon.com/route53/details/resolver-dns-firewall/)