This is weird, I'm having some instances running in a private subnet. Those subnets are not exposed to the Internet directly, they don't have a public IP and all outgoing traffic is routed through a NAT instance.

However, GuardDuty gives me warnings like this for all instances in this private subnet:

Recon:EC2/PortProbeUnprotectedPort

Action
  Action type: PORT_PROBE
  Blocked: false
  First seen: 12-21-2019 22:22:10 (a month ago)
  Last seen: 01-19-2020 11:18:12 (38 minutes ago)

Actor
  IP address: 159.65.11.106
  Location: country: Singapore, lat: 1.314, lon: 103.6839
  Organization: asn: 14061, asnOrg: DigitalOcean, LLC, isp: Digital Ocean, org: Digital Ocean

Additional information
  Threat name: Scanner
  Threat list name: ProofPoint
  Local port: 30539
  Archived: false
  Remote IP details: ipAddress: 5.101.0.209, location: Moscow, Russia, organization: PinSPB

So, multiple questions arise here:

  • How is it even possible my instance gets scanned when it doesn't have a public IP address?
  • Why is the actor IP address different from the remote IP?


I think I might have found the reason myself, and I'll post it as an answer in case other people come across this issue as well:

Those instances were part of a Kubernetes cluster, and I use nginx as the ingress controller. This ingress controller is exposed via type: LoadBalancer and with an annotation that causes AWS to use a Network Load Balancer (NLB).

Since NLBs preserve the origin IP address, those IPs are also shown in the AWS GuardDuty logs.
