
I've observed some unusual traffic from an IP address from Nov 9 through Dec 10 in our application logs. We're not seeing the IP address associated with any of our instances currently. This IP was making requests that increased usage data for a client of ours. We'd like to be able to state correctly that it was a bot, and not some testing tool malfunctioning on our side. Doing a quick review of CloudTrail events within a few days of those dates, I'm not seeing any events for resource creations, updates, or deletions that contain that IP. Are there any suggestions on how to investigate this in more detail, or tools that would help investigate it further?

  • Is the IP in your CIDR range, or is it from the internet? Have you looked at VPC flow logs? You can easily block a single IP with NACLs. – Tim Jan 27 '22 at 07:56
  • You can also use tools like WAF, GuardDuty, Shield to secure your account. – shearn89 Mar 02 '22 at 13:51

1 Answer


You can run whois <ip address> to get details for the owner of the IP address. If you do not have any services with that operator, then it is some third party.

Tero Kilkanen
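An added example, not part of the question or the answer above, showing the first check Tim's comment points at: filter the application log for the suspect IP over the Nov 9 through Dec 10 window, count what it requested, and test whether it falls inside the account's own VPC CIDR before reaching for whois. The log lines, the 10.0.0.0/16 CIDR and the year 2021 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines (combined log format); IPs and dates are made up for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2021:10:15:02 +0000] "GET /api/v1/usage?client=acme HTTP/1.1" 200 512
10.0.1.25 - - [09/Nov/2021:10:15:09 +0000] "GET /healthz HTTP/1.1" 200 2
203.0.113.7 - - [15/Nov/2021:03:44:51 +0000] "POST /api/v1/usage HTTP/1.1" 201 64
203.0.113.7 - - [10/Dec/2021:23:59:58 +0000] "GET /api/v1/usage?client=acme HTTP/1.1" 200 512
203.0.113.7 - - [11/Dec/2021:00:00:01 +0000] "GET /api/v1/usage?client=acme HTTP/1.1" 200 512
"""

# Hypothetical VPC CIDR for the account; a source outside it did not come from one of our instances.
OWN_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]
# Window from the question (Nov 9 through Dec 10); the year is assumed.
WINDOW_START = datetime(2021, 11, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 12, 10, 23, 59, 59, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def is_own_address(ip, cidrs=OWN_CIDRS):
    """True if the address falls inside one of our own CIDR ranges."""
    return any(ipaddress.ip_address(ip) in net for net in cidrs)

def summarize_ip(log_text, ip, start=WINDOW_START, end=WINDOW_END, cidrs=OWN_CIDRS):
    """Count requests from `ip` inside [start, end] and say whether the address is one of ours."""
    paths = Counter()
    seen = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["ip"] == ip and start <= rec["ts"] <= end:
            paths[rec["path"]] += 1
            seen.append(rec["ts"])
    return {"ip": ip, "own_address": is_own_address(ip, cidrs), "total": len(seen),
            "paths": dict(paths), "first_seen": min(seen, default=None),
            "last_seen": max(seen, default=None)}
```

An address that is not in your own ranges and shows up only on the usage endpoints is the case for a whois lookup, as the answer suggests; an address inside your CIDR points back at VPC flow logs and your own instances.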