3

For example, I have an instance, and I am using a Security Group allowing incoming traffic from only my own IP address. My question is: if an attacker got the instance IP address, is there still any way he can attack (something like DDoS) my instance?

Elect2

2 Answers

4

It is pretty difficult for most people to spoof an IP address. It is even more difficult for them to guess the IP address you're allowing through the AWS security group to the instance. Still harder is completing a TCP handshake with a spoofed IP, so I'd say you're pretty safe.

devonlazarus
  • You said it's "harder", so is it still possible? – Elect2 Mar 08 '16 at 21:15
  • In my opinion, yes, it is always possible for a system connected to a public network, even with proper security, to be at risk. This is why vital services such as utilities are typically isolated from public networks. – devonlazarus Mar 09 '16 at 04:39
  • If an employee knows the allowed source IP and has the SSH key, can he connect? – Venkateswara Rao Apr 08 '18 at 08:29
  • @VenkateswaraRao, only if the employee has the skills to hide their origin IP and make it appear as the IP address that is allowed. This is often referred to as 'spoofing' the IP. It is somewhat difficult, but it is possible. – devonlazarus Mar 14 '19 at 17:54
  • In the case of an SSH connection, shouldn't it be impossible since there are random seed values involved when negotiating an SSH connection? You wouldn't see anything coming from the server, so you would not be able to correctly set up the connection. – DMSilva May 30 '19 at 18:02
  • @DMSilva, it is still theoretically possible, but difficult for sure. Here's a great [discussion from stackexchange](https://security.stackexchange.com/questions/92526/can-an-attacker-simulate-a-private-ip-address) that fits here. – devonlazarus Jun 28 '19 at 16:51
  • Even if all that works the way you want it to, usually your ISP will change your public IP at some point in time. It shouldn't be thought of as static. Personally, I see changes every 3-6 months, but your mileage may vary. – nate Jun 07 '22 at 12:25
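The point made in this answer and in DMSilva's comment, that whoever forges the allowed source address never receives the server's SYN-ACK and therefore cannot echo the server's random initial sequence number, as an added toy model in Python. This is example code written for this page, not part of the answer; the listener class, the admitted address 203.0.113.45 and the other addresses are constructed, and the model deliberately ignores real TCP details (windows, retransmission, port selection) to show only where each packet is delivered.

```python
import secrets

ALLOWED_SRC = "203.0.113.45"   # constructed: the single /32 the security group admits


def random_isn() -> int:
    """Unpredictable 32-bit initial sequence number, as modern TCP stacks choose."""
    return secrets.randbits(32)


class TcpListener:
    """Toy model of a listening socket sitting behind a single-source ingress rule."""

    def __init__(self, allowed_src: str):
        self.allowed_src = allowed_src
        self.pending = {}        # (src_ip, src_port) -> server ISN awaiting the final ACK
        self.established = set()

    def on_syn(self, src_ip: str, src_port: int, client_isn: int):
        # Security-group stage: a SYN from any other source is dropped silently,
        # so it never even creates half-open state on the instance.
        if src_ip != self.allowed_src:
            return None
        isn = random_isn()
        self.pending[(src_ip, src_port)] = isn
        # The SYN-ACK is routed to src_ip; only the host that owns that address gets it.
        return {"dst": src_ip, "seq": isn, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip: str, src_port: int, ack: int) -> bool:
        isn = self.pending.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
            return False            # missing or wrong echo of the ISN: no connection
        del self.pending[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


def deliver(packet, observer_ip: str):
    """The network hands a packet only to the host that owns its destination address."""
    if packet is not None and packet["dst"] == observer_ip:
        return packet
    return None


def legitimate_handshake(client_ip: str = ALLOWED_SRC) -> bool:
    """A client that really owns client_ip: it sees the SYN-ACK and can echo the ISN."""
    srv = TcpListener(ALLOWED_SRC)
    syn_ack = deliver(srv.on_syn(client_ip, 40000, client_isn=random_isn()), client_ip)
    if syn_ack is None:             # filtered by the ingress rule (or not delivered)
        return False
    return srv.on_ack(client_ip, 40000, (syn_ack["seq"] + 1) & 0xFFFFFFFF)


def blind_spoof_attempt(spoofed_ip: str, attacker_ip: str) -> dict:
    """A sender that writes spoofed_ip into the SYN but does not own that address."""
    srv = TcpListener(ALLOWED_SRC)
    syn_ack = srv.on_syn(spoofed_ip, 40001, client_isn=random_isn())
    seen = deliver(syn_ack, attacker_ip)       # goes to spoofed_ip, not to attacker_ip
    # Without the SYN-ACK the sender can only guess the 32-bit ISN: one chance in 2**32.
    guess = secrets.randbits(32)
    established = srv.on_ack(spoofed_ip, 40001, (guess + 1) & 0xFFFFFFFF)
    return {
        "syn_ack_sent_to": syn_ack["dst"] if syn_ack else None,
        "attacker_saw_syn_ack": seen is not None,
        "established": established,
    }


if __name__ == "__main__":
    print("owner of allowed IP connects:", legitimate_handshake())
    print("other source is filtered:", legitimate_handshake("198.51.100.7"))
    print("blind spoof:", blind_spoof_attempt(ALLOWED_SRC, "198.51.100.7"))
```

The model also shows why the SSH layer adds nothing the spoofer can use: the key exchange DMSilva refers to only starts once the TCP handshake has completed, which in this model never happens for the blind sender.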
0

A DDoS on AWS services? Amazon's own firewall will be the first line of defense before your Security Group. Spoofing multiple IPs to make a DDoS is normally defeated by the firewall's packet filtering.

If an attacker spoofs YOUR IP, which allows them to connect to your instance IP, they need your SSH keypair in order to make a connection. This is NOT DDoS.

(Well, there is an endless list of security attacks, such as MITM; since the question is about DDoS, I will stick to DDoS.)

mootmoot
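A way to check the two practical points raised on this page, that the security group should admit a single host rather than a range, and that the admitted address goes stale when the ISP reassigns your public IP (nate's comment above), as an added Python example. This is not code from either answer; the JSON is a constructed sample in the shape of `aws ec2 describe-security-groups` output, and the group id, ports and addresses in it are invented.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output; not real data.
SAMPLE_SG_JSON = """
{"SecurityGroups": [{
  "GroupId": "sg-0example0",
  "GroupName": "ssh-from-home",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.45/32", "Description": "home IP"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}
  ]}]}
"""


def load_groups(raw: str) -> list:
    return json.loads(raw)["SecurityGroups"]


def _ranges(perm: dict):
    """Yield every CIDR (v4 and v6) attached to one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_ingress(group: dict) -> list:
    """Flag ingress rules that admit more than one source host."""
    findings = []
    for perm in group.get("IpPermissions", []):
        # IpProtocol "-1" (all traffic) carries no ports, hence the defaults.
        port = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}/{perm.get('IpProtocol')}"
        for cidr in _ranges(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append((port, cidr, "open-to-world"))
            elif net.num_addresses > 1:
                findings.append((port, cidr, "wider-than-one-host"))
    return findings


def still_admitted(group: dict, current_public_ip: str, port: int = 22) -> bool:
    """True if some rule covering `port` still matches the address you connect from."""
    me = ipaddress.ip_address(current_public_ip)
    for perm in group.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        for cidr in _ranges(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == me.version and me in net:
                return True
    return False


if __name__ == "__main__":
    for g in load_groups(SAMPLE_SG_JSON):
        for f in audit_ingress(g):
            print(g["GroupId"], *f)
        print("SSH still admitted from 203.0.113.45:", still_admitted(g, "203.0.113.45"))
        print("after the ISP moves you to 203.0.113.99:", still_admitted(g, "203.0.113.99"))
```

Run against real output of `aws ec2 describe-security-groups --group-ids <id>` the same two functions tell you whether the /32 rule is still the only way in on port 22 and whether your current public address still matches it; the second answer's point stands either way, since a matching source address only gets a packet as far as sshd, where the key pair still decides.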