AWS

AWS Abuse Report

T&T 2022. 1. 27. 15:48

 

One day, while I was happily using AWS, I got the following mail from them.

 

From: ec2-abuse@amazon.com <ec2-abuse@amazon.com> 
Sent: 
To: 

Cc: 
Subject: Your AWS Abuse Report [case number] [AWS ID ~~~]
 
Account ID:
~~~
Account contact email:
~~~
Security contact:
~~~
Security contact email:
~~~

Hello,

We've received a report(s) that your AWS resource(s)

AWS ID: ~~~    Region: ~~~    EC2 Instance Id: ~~~


has been implicated in activity that resembles a Denial of Service attack against remote hosts; please review the information provided below about the activity.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you're unaware of this activity, it's possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.

We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:

* Amazon EC2 Security Groups User Guide:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html (Linux)
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-network-security.html (Windows)

* Tips for Securing EC2 Instances:
https://aws.amazon.com/answers/security/aws-securing-ec2-instances (Linux)
https://aws.amazon.com/answers/security/aws-securing-windows-instances (Windows)

* AWS Security Best Practices:
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

If you require further assistance with this matter, you can take advantage of our developer forums:

https://forums.aws.amazon.com/index.jspa

Or, if you are subscribed to a Premium Support package, you may reach out for one-on-one assistance here:

https://console.aws.amazon.com/support/home#/case/create?issueType=technical

Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.

Regards,
AWS Trust & Safety
Amazon Web Services, LLC


Case Number: ~~~

---Beginning of forwarded report(s)---

* Log Extract: 
<<<
An instance from your network was reported for participating in a DDoS attack.
AWS Account: ~~~
Instance Id: ~~~
Report begin time: ~~~
Report end time: ~~~

Protocol: UDP
Target Ip: ~~~
Public Ip(s): N/A
Remote port(s): 80

Total Gbits sent: [number]
Total packets sent: [number]
Total Gbits received: [number]
Total packets received: [number]
Average Gbits/sec sent: [number]

It appears there may be an exposed vulnerability that has triggered a DoS attack. It is advisable to update all applications and ensure the most current patches are applied.
It is recommended that no ports be open to the public (0.0.0.0/0 or ::0). Opening ports with vulnerable applications can cause abusive behavior.


>>>

* Comments: 
<<<

>>>

 
How can I contact a member of the AWS abuse team or the reporter? 
Reply to this email with the original subject line. 

Amazon Web Services
Amazon Web Services LLC is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message produced and distributed by Amazon Web Services, LLC, 410 Terry Avenue North, Seattle, WA 98109-5210.


 

I had been using AWS EC2 peacefully, and this mail came out of the blue; I couldn't quite understand it, so I read it over for a long while.

What the mail said was simple: one of the EC2 instances you own is being used in a DDoS attack, so fix it and reply.

The message was simple, but handling it was not.

A large number of internal services were running on that instance, and there was no way to tell exactly where the problem was.

On top of that, they said that if the report was not handled and answered in time (within 1-2 days), AWS could forcibly kill our EC2 instance, or even suspend the account itself.

So, without having found the problem, I sent a first reply: we tried to find the problem but could not; is there any guidance you can give us?

The guidance we got was... to block every outbound port and IP.

We couldn't do that, so we looked for the cause once more, and failed again.

So in the end we deleted that instance, launched a new one, and replied again.

We tried to find the root cause but could not identify the exact problem, so we took the following actions:

1. Delete the affected EC2 instance and create a new instance

2. Block outbound traffic to the target IP in question

3. Keep monitoring and keep trying to find the root cause

With that reply, we were able to close the AWS abuse report case.
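The two things the report above leaves you to do yourself are (a) find which instance and source address was actually sending the UDP flood and (b) cut off traffic to the target. The script below is an added example, not code from the original post. It assumes VPC Flow Logs in the default version-2 format have been exported to a file, and it embeds a small constructed sample of such records; every ID and address in it (the `eni-…` and `acl-…` IDs, the 10.0.1.x sources, the 203.0.113.5 target) is a placeholder. One point worth knowing before step 2 of the list above: EC2 security groups are allow-only, so "block outbound to one IP" cannot be expressed there; it has to be a network ACL deny entry (which applies to the whole subnet and must have a lower rule number than the allow-all rule) or a host firewall rule.

```shell
#!/bin/sh
# Added example (not from the original post): triage for an abuse report that
# names a UDP flood toward <target>:80.
# 1) find which ENI/source address sent the UDP traffic, from VPC Flow Logs
#    (default v2 format, assumed to be enabled and exported to a file);
# 2) deny egress to that target at the subnet (network ACL) and on the host.
# All IDs and addresses below are constructed placeholders.

# Write a small constructed flow-log sample and print its path.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport
#         protocol packets bytes start end action log-status
write_sample_flow_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.20 203.0.113.5 41234 80 17 1200 1440000 1643250000 1643250600 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.20 203.0.113.5 41235 80 17 800 960000 1643250000 1643250600 ACCEPT OK
2 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.30 203.0.113.5 53 80 17 10 1200 1643250000 1643250600 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.20 198.51.100.7 41236 443 6 500 60000 1643250000 1643250600 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.20 203.0.113.5 41237 80 17 5 600 1643250000 1643250600 REJECT OK
EOF
  printf '%s\n' "$f"
}

# Sum bytes per "<eni> <srcaddr>" over accepted UDP (protocol 17) flows to
# target:port, busiest first. Output lines: "<eni> <srcaddr> <bytes>".
udp_top_talkers() {
  logfile=$1; target=$2; port=${3:-80}
  awk -v t="$target" -v p="$port" '
    $1 == "2" && $8 == "17" && $5 == t && $7 == p && $13 == "ACCEPT" {
      sum[$3 " " $4] += $10
    }
    END { for (k in sum) printf "%s %d\n", k, sum[k] }
  ' "$logfile" | sort -k3,3nr
}

# Print a command (dry run, the default) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Security groups are allow-only, so a per-destination deny needs a network ACL
# entry (rule number below the subnet's allow-all rule, usually 100) and/or a
# host firewall rule. The egress NACL deny alone stops the outbound flood.
block_egress_to_target() {
  acl_id=$1; target=$2; port=${3:-80}; rule_no=${4:-90}
  run aws ec2 create-network-acl-entry --network-acl-id "$acl_id" --egress \
      --rule-number "$rule_no" --protocol 17 --port-range "From=$port,To=$port" \
      --cidr-block "$target/32" --rule-action deny
  run iptables -I OUTPUT 1 -p udp -d "$target" --dport "$port" -j DROP
}

# Flow logs stop at the ENI; on the instance itself the owning process is found
# with:
#   ss -uanp                                               # UDP sockets with PID
#   tcpdump -ni eth0 udp and dst host <target> and dst port 80
```

Usage: `f=$(write_sample_flow_log); udp_top_talkers "$f" 203.0.113.5 80` lists the ENI and source that sent the most bytes to the target (the REJECT record and the TCP/443 record are ignored), and `block_egress_to_target acl-0123456789abcdef0 203.0.113.5 80` prints the NACL and iptables commands; set `APPLY=1` to actually run them against real IDs. Because a NACL entry is stateless and subnet-wide, review what else shares that subnet before applying it.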

 

And we did actually find the problem later on, haha.
