When you move to a new neighbourhood, you do some research. Are the schools good? The neighbours cooking the finest meth? That sort of thing. Its a reputation associated with that neighbourhood.
In the cloud, that neighbourhood is two things: the IaaS provider itself, and, who had that public IP last. And, well, cloud instances are short-lived (minutes to hours in many cases). So you could get assigned an IP that is the technical equivalent of “that house all the murders occurred in”. For us, here was the move-in day experience. Zero-hour, new instance, in Azure. Seems like 220.127.116.11 would really like to see if we are vulnerable to something (and its not just that address).
If we look at our ‘attacker’ in everyone’s favourite search engine, Shodan.io, we see its running PHP/5.4.7 on Windows 32, OpenSSL 1.0.1c. Are they vulnerable (e.g. is this someone using them as a bot?) You bet (CVE here).
It also has PPTP open.
Lets try a new toy, Greynoise.io. It has a lot to say on this IP:
So, well, what can you do? Not use cloud? Put in the contract you’ll only get ‘clean’ IP? Setup an HOA?