The Scale of Cloud Abuse
If you look at any threat intelligence feed, including WAYSCloud's own data, you will see familiar names dominating the top sources of malicious traffic: Amazon Web Services, Google Cloud Platform, Microsoft Azure, DigitalOcean, Hetzner, OVH, Linode, and Vultr. This is not a coincidence, nor does it mean these companies are malicious. It is the direct result of how cloud computing works.
WAYSCloud tracks millions of threat reports. Among the most frequently reported ASNs (Autonomous System Numbers), cloud and hosting providers consistently rank in the top positions. Amazon AWS alone accounts for over 100,000 unique IPs flagged in our threat database. CTG Server Limited, Cloudie Limited, and similar hosting providers show even higher numbers in some periods.
Understanding why this happens is essential for anyone making blocking decisions. Blindly blocking entire cloud providers would break legitimate services. But ignoring cloud-sourced threats leaves you exposed to the majority of modern attacks.
Why Attackers Love Cloud Providers
Several characteristics of cloud computing make it attractive for malicious use:
- Low cost, instant provisioning: A VPS on DigitalOcean or Hetzner costs $4-10/month. AWS and Google offer free tiers. An attacker can spin up a fresh server in 30 seconds, use it for scanning or brute force for a few hours, then destroy it. The total cost is a fraction of a cent. Some attackers use stolen credit cards or compromised accounts to avoid even that cost.
- Clean IP reputation (initially): Newly allocated cloud IPs often have a clean reputation. They have not been on any blocklist yet. This gives attackers a window of hours to days before the IP is flagged. By then, they have moved on to a new one.
- Anonymity: Signing up for a cloud account requires minimal identity verification. Prepaid cards, cryptocurrency payments, and throwaway email addresses make it trivial to create accounts that cannot be traced back. Some providers have stricter KYC (Know Your Customer) than others, but determined attackers always find a way.
- High bandwidth and global presence: Cloud providers offer gigabit connectivity in data centers across the globe. An attacker in one country can launch attacks from servers in a dozen different countries simultaneously, making geographic blocking ineffective and complicating forensics.
- Legitimate traffic cover: Because millions of legitimate services run on the same infrastructure, cloud IPs are difficult to block wholesale. Blocking all of AWS means blocking countless legitimate APIs, websites, and services that your own systems probably depend on.
- Abuse response time: Even diligent providers take time to process abuse reports. The typical cycle is: attack detected, abuse report filed, provider investigates, account suspended. This can take hours to days, during which the attacker has already achieved their objective and moved on.
Cloud Providers in WAYSCloud Threat Data
These are some of the most frequently appearing providers in our threat intelligence database, along with context for why they appear:
- Amazon AWS (AS16509) — Largest cloud provider. Massive IP space means high absolute numbers of abuse. AWS actively fights abuse through their Trust & Safety team but the scale makes it a constant presence in threat data.
- DigitalOcean (AS14061) — Popular with developers for its simplicity and low cost ($4-5/month droplets). The low barrier to entry makes it frequently abused for scanning and brute force operations.
- Hetzner (AS24940) — German hosting provider known for extremely competitive pricing. Popular among both legitimate users and threat actors for its European infrastructure and fast provisioning.
- OVH/OVHcloud (AS16276) — Large European provider. Historically associated with higher abuse rates, though they have improved their abuse handling significantly in recent years.
- Smaller VPS providers — Companies like CTG Server Limited, Cloudie Limited, and various "bulletproof hosting" providers appear disproportionately in threat data. These smaller operators often have weaker or non-existent abuse handling, making them preferred by persistent threat actors.
What It Means When You See a Cloud IP in Your Logs
When a cloud provider IP appears in your security logs, the context determines how you should respond:
SSH brute force from a cloud IP
Almost certainly malicious. Legitimate cloud services do not make SSH login attempts against random servers. The IP is likely a throwaway VPS being used for credential stuffing. Safe to block immediately. Check if it is part of a larger campaign by looking up the IP on WAYSCloud.
Web scanning or vulnerability probing
Could be malicious or could be a legitimate security scanner (Shodan, Censys, security researchers). Check the reverse DNS and user agent. Known scanners often identify themselves. Unknown scanners probing for specific vulnerabilities (phpMyAdmin, WordPress exploits, .env files) are hostile.
Outbound connections from your network to a cloud IP
This requires careful analysis. Many legitimate SaaS tools, APIs, and services run on cloud infrastructure. But malware also hosts its C2 (command-and-control) servers on cloud platforms to blend in. Cross-reference the IP with threat intelligence before deciding to block.
DDoS traffic from cloud IPs
Cloud instances are increasingly used as DDoS amplifiers because they have high bandwidth. An attacker can rent 50 cheap VPS instances across multiple providers and coordinate them for a volumetric attack, then destroy the instances before abuse reports are processed.
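The triage rules in this section (repeated SSH failures are hostile, self-identifying scanners are worth monitoring, unknown scanners probing for specific files are hostile) can be turned into a small log classifier. The following is an added example, not WAYSCloud code: the log lines are constructed, the scanner user-agent markers and probe paths are assumptions chosen to match the text, and the thresholds are illustrative.

```python
import re
from collections import Counter

# Constructed sample log lines (sshd and a web server); not real telemetry.
SAMPLE_LOGS = [
    "sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2",
    "sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2",
    "sshd[1203]: Failed password for root from 203.0.113.10 port 51244 ssh2",
    "sshd[1204]: Failed password for ubuntu from 203.0.113.10 port 51250 ssh2",
    'web: 198.51.100.7 "GET /.env HTTP/1.1" 404 "Mozilla/5.0 zgrab/0.x"',
    'web: 198.51.100.7 "GET /phpmyadmin/ HTTP/1.1" 404 "Mozilla/5.0 zgrab/0.x"',
    'web: 198.51.100.9 "GET / HTTP/1.1" 200 "Mozilla/5.0 (compatible; ExampleScanner/1.0; +https://scanner.example/)"',
    'web: 198.51.100.20 "GET /products HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"',
]

SSH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
WEB_RE = re.compile(r'web: (\d+\.\d+\.\d+\.\d+) "(\w+) (\S+) [^"]*" (\d{3}) "([^"]*)"')

# Assumed markers: substrings a self-identifying scanner puts in its user agent.
KNOWN_SCANNER_MARKERS = ("examplescanner",)
# Assumed probe paths: the kinds of targets the text names (phpMyAdmin, WordPress, .env).
PROBE_PATHS = ("/.env", "/phpmyadmin", "/wp-login.php", "/wp-admin", "/xmlrpc.php")


def triage(lines, ssh_threshold=3):
    """Map each source IP to (verdict, reason). Verdicts: 'block' or 'monitor'.
    IPs with no suspicious activity are left out entirely."""
    ssh_failures = Counter()
    verdicts = {}
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            ssh_failures[m.group(2)] += 1
            continue
        m = WEB_RE.search(line)
        if not m:
            continue
        ip, _method, path, _status, ua = m.groups()
        if any(marker in ua.lower() for marker in KNOWN_SCANNER_MARKERS):
            # Self-identified scanner: watch it, do not block it outright.
            verdicts.setdefault(ip, ("monitor", "self-identified scanner: " + ua))
        elif any(path.lower().startswith(p) for p in PROBE_PATHS):
            # Unknown client probing for known-vulnerable paths: hostile.
            verdicts[ip] = ("block", "vulnerability probing: " + path)
    # Repeated SSH login failures from one IP: credential stuffing, block.
    for ip, n in ssh_failures.items():
        if n >= ssh_threshold:
            verdicts[ip] = ("block", f"ssh brute force: {n} failed logins")
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, reason) in triage(SAMPLE_LOGS).items():
        print(f"{ip:16} {verdict:8} {reason}")
```

Only the "block" verdicts should feed an automated ban; the "monitor" bucket is where a reverse-DNS check and a WAYSCloud lookup of the IP belong before any action is taken.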
How to Handle Cloud IPs in Your Security Policy
A blanket approach does not work. You need a layered strategy:
1. Never block entire cloud provider IP ranges: AWS alone has hundreds of millions of IPs. Blocking them would break half the internet. Instead, block specific IPs that are flagged for malicious activity. Use threat scores to prioritize which IPs to block.
2. Use threat intelligence to distinguish abuse from legitimate traffic: A cloud IP with a WAYSCloud threat score of 85/100, flagged by multiple independent sources for SSH brute force, should be blocked. A cloud IP with no threat history that just made one unusual request should be monitored, not blocked.
3. Set short ban durations for cloud IPs: Cloud IPs are frequently recycled. An IP that was used by an attacker today might be assigned to a legitimate customer tomorrow. Use 24-hour bans rather than permanent blocks for cloud provider IPs.
4. Monitor ASN-level trends: Track which providers are generating the most abuse in your logs. If a small hosting provider consistently appears, consider rate-limiting their entire ASN rather than blocking. WAYSCloud's ASN intelligence helps with this analysis.
5. Report abuse to the provider: Most major cloud providers have abuse reporting mechanisms. Filing reports helps the provider shut down malicious accounts and improves the ecosystem for everyone. AWS, Google, and DigitalOcean all have automated abuse reporting APIs.
The "Bulletproof Hosting" Problem
While major cloud providers like AWS, Google, and DigitalOcean actively fight abuse, a category of hosting providers exists specifically to enable it. Known as "bulletproof hosting," these operators intentionally ignore abuse complaints, provide anonymity to their customers, and sometimes actively assist in evading law enforcement.
Bulletproof hosting providers often operate from jurisdictions with weak cybercrime laws or limited international cooperation. Their IPs should generally be treated with higher suspicion. WAYSCloud tracks these networks through Spamhaus DROP lists and other threat intelligence sources that specifically identify professional criminal infrastructure.
When you see IPs from small, unfamiliar hosting providers in your logs — especially from providers with names you do not recognize and websites in languages you cannot read — the probability of malicious intent is significantly higher than with mainstream cloud providers. Check the ASN reputation on WAYSCloud before making blocking decisions.
Using WAYSCloud for Cloud IP Analysis
WAYSCloud provides several tools specifically designed to help with cloud IP analysis:
```shell
# Look up a specific cloud IP
curl -s "https://ip.wayscloud.services/api/v1/ip/54.234.187.12" | jq '.'

# Check ASN-level threat data for AWS
curl -s "https://ip.wayscloud.services/api/asn/16509" | jq '.'

# Get top threatening ASNs globally
curl -s "https://ip.wayscloud.services/api/asn/top?limit=20" | jq '.'

# Compare abuse levels between providers
curl -s "https://ip.wayscloud.services/api/asn/16509"   # AWS
curl -s "https://ip.wayscloud.services/api/asn/14061"   # DigitalOcean
curl -s "https://ip.wayscloud.services/api/asn/24940"   # Hetzner
```
The Future of Cloud Abuse
Cloud abuse is unlikely to decrease. As cloud computing continues to grow, so does its attractiveness to threat actors. Several trends are worth watching:
- Serverless abuse — Functions-as-a-service (AWS Lambda, Google Cloud Functions) allow attackers to run code without managing servers at all, making infrastructure even more ephemeral and harder to track.
- AI-generated accounts — Automated account creation using AI to solve CAPTCHAs and generate realistic profiles makes it easier to scale cloud abuse across multiple providers simultaneously.
- Container-based attacks — Kubernetes clusters and container registries being abused to run attack infrastructure at scale, with automatic recovery and migration when individual nodes are shut down.
- Provider consolidation — As more services move to a smaller number of large cloud providers, the impact of false positives when blocking becomes more severe, giving attackers more effective cover.
The defense against cloud abuse requires a combination of IP-level threat intelligence, ASN-level monitoring, behavioral analysis, and close cooperation between cloud providers and the security community. WAYSCloud contributes to this defense by aggregating threat data from multiple sources and making it available for automated blocking decisions.