
I have been on GCP for roughly 3 months now. In those 3 months I have received 6 notices from GCP saying that one of my Compute Engine instances is creating a denial of service attack. They provide the IP address of the CE and the time the attack triggered the compliance alert (for this last notice, 2021-11-25 00:10 to 2021-11-25 00:10).

I have taken as many steps as I can possibly take. I have 2 kinds of IDS software installed on the machine (neither has captured any attempts at compromise), and I have a local firewall on the server blocking all inbound and outbound traffic except for traffic specifically required. Additionally, I have taken one last step and used the firewall on GCP to block all inbound and outbound traffic except for traffic specifically required.

I simply do not know where to go from here. It would seem as though these compliance notifications are meant to require me to purchase support so I can discuss this with GCP support staff. Does anyone else have any thoughts before I drop unknown $$$$ at support?

Thank you kindly...

  • 1) Your first step is to shut down that system, i.e. do it right now. 2) Google will soon suspend that system and/or your account. I am surprised that your system has not already been terminated. 3) Create a snapshot of the disk drive(s), create a new system, and restore the snapshot as an additional disk. Perform forensics to figure out what is wrong. 4) It is unlikely that Google Support can help you. The actual forensics will need to be performed by you or a consultant that has access to the system. 5) If money is a concern, create a new system and reinstall your application. – John Hanley Nov 25 '21 at 16:09
  • Hi John, I see your point. I'll go ahead and do that to see if anything changes. Having operated an investigation company performing computer forensics for several years, I am certain this machine is not performing any attacks. It's a Debian OpenVPN endpoint; that's its entire purpose. Nothing else has been installed on the machine. OS file hashes for network binaries match the file hashes documented by Debian. It's just baffling that they continue to make these claims, then 2 weeks later respond to my objection and tell me everything is fine. They're also never able to provide any details... – G. Malsack Nov 28 '21 at 00:24
  • Difficult situation. You have politics, policies, and technology at play. However, if Google decides your VM is a risk ... I would just create a new VM. Consider this disaster recovery practice for your backup procedures. – John Hanley Nov 28 '21 at 00:27
  • Note: In 100% of the cases I have been involved with (~20), Google was correct. There are a few brilliant hackers out there. Hint: double-check that a trojan is not being launched from CRON. – John Hanley Nov 28 '21 at 00:30

0 Answers