[VMC] "Your Amazon EC2 Abuse Report" Email from VMware support

Article ID: 329872


Products

VMware Cloud on AWS

Issue/Introduction

  • An email regarding an Amazon EC2 Abuse Report was received.
  • Below is an example of the email that VMC on AWS customers may receive.

We have received an Abuse alert activity that resembles a Denial of Service attack against remote hosts. Please find the details below.
AWS Account: xxxxxxxxxxx <-------- This is the VMware shadow account.

Instance Id: i-000000000000 <------- This is the instance ID of the VMware ESXi host the active NSX Edge is on.

Report begin time: 
Report end time: 
Remote Ip: x.x.x.x <--------- This IP has been identified by AWS as a malicious source and the SDDC is communicating with it.

Private Ip(s): x.x.x.x <--------- This will be the ESXi host the NSX Edge is on. It is reported here because all traffic leaving VMC for AWS goes through the NSX Edge. This IP does not represent the problematic VM; it only represents the network egress point for the environment.

Public Ip(s): N/A

Remote port(s): 

Total packets sent: 

Total bytes received: 

Total packets received: 

Actions Needed:

Block all outbound TCP traffic going out to remote Ip: x.x.x.x

Environment

VMC on AWS

Cause

  • VMware, AWS, and product users are part of what is referred to as a shared responsibility model: AWS Shared Responsibility Model & VMC Shared Responsibility Model
  • Part of the shared responsibility model means that customers are responsible for the security of their environment.
  • AWS monitors traffic flows leaving a customer's environment for known malicious IPs and malicious behavior, and these reports identify such flows. VMC on AWS administrators are responsible for identifying the source of the traffic and preventing future flows.

Resolution

  • VMware suggests that customers create a Deny All rule in the Compute Gateway (CGW) Firewall for all traffic destined to the "Remote IP" identified in the report.
  • Administrators can further identify which VM is sending this traffic by enabling logging on that firewall rule and then reviewing the firewall logs in vRealize Network Insight (vRNI) for the internal IP attempting to communicate with the identified malicious IP.
  • An example log: FIREWALL_PKTLOG: 123571f INET match DROP 13313 OUT 80 TCP x.x.x.x/5432->x.x.x.x/50635
    Reading the fields after "INET match" left to right: the action taken (DROP), the rule ID that matched (13313), the direction (OUT), the packet length (80), the protocol (TCP), and then source IP/port -> destination IP/port. For an OUT entry the address before "->" is the VM inside the SDDC that generated the traffic and the address after it is the remote IP.
  • Administrators may also use third-party antivirus or endpoint security tools on the workloads to identify and block the malicious traffic.
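As an added example that is not part of this VMware KB article: a small Python parser for packet-log lines in the FIREWALL_PKTLOG shape quoted above, which aggregates outbound flows to the report's "Remote IP" by source address so the offending workload can be found rather than just the NSX Edge egress point. The log lines, the addresses (RFC 5737 documentation ranges), the rule ID 13313 standing in for the logged Deny rule, and the function names are all constructed assumptions for the example.

```python
"""Added example, not code from the VMware KB: parse NSX firewall packet-log
lines of the form quoted in the article

  FIREWALL_PKTLOG: <seq> INET match <ACTION> <rule-id> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport>

and aggregate outbound flows to the remote IP named in an AWS abuse report
by source (SDDC workload) address, so the offending VM can be located."""
import re
from collections import defaultdict

# Constructed sample lines (not real logs). 203.0.113.9 plays the "Remote IP"
# from the abuse report; 10.2.0.x are SDDC workloads; rule 13313 is the
# assumed ID of the logged Deny rule on the Compute Gateway.
SAMPLE_LOGS = """\
FIREWALL_PKTLOG: 123571f INET match DROP 13313 OUT 80 TCP 10.2.0.15/5432->203.0.113.9/50635
FIREWALL_PKTLOG: 1235720 INET match DROP 13313 OUT 60 TCP 10.2.0.15/5432->203.0.113.9/50636
FIREWALL_PKTLOG: 1235721 INET match DROP 13313 OUT 60 TCP 10.2.0.44/40122->203.0.113.9/443
FIREWALL_PKTLOG: 1235722 INET match PASS 1027 OUT 52 TCP 10.2.0.44/40123->198.51.100.7/443
FIREWALL_PKTLOG: 1235723 INET match DROP 13313 OUT 80 UDP 10.2.0.15/5353->203.0.113.9/53
FIREWALL_PKTLOG: 1235724 INET match DROP 13313 IN 40 TCP 203.0.113.9/50635->10.2.0.15/5432
some unrelated syslog line that must be ignored
"""

# Fields after "INET match": action, rule ID, direction, packet length,
# protocol, then source/port -> destination/port.
PKTLOG_RE = re.compile(
    r"INET match (?P<action>\w+) (?P<rule>\S+) (?P<direction>IN|OUT) "
    r"(?P<length>\d+) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)


def parse_pktlog(line):
    """Return the packet-log fields as a dict, or None if the line is not one."""
    m = PKTLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("length", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def offenders(log_text, remote_ip, rule_id=None):
    """Aggregate OUT flows whose destination is remote_ip, keyed by source IP.

    By default only direction and destination are checked, so PASS entries
    logged before the Deny rule existed still count. Pass rule_id to restrict
    the count to hits on the Deny rule that was created for the report."""
    summary = defaultdict(lambda: {"hits": 0, "bytes": 0, "dports": set(), "protos": set()})
    for line in log_text.splitlines():
        rec = parse_pktlog(line)
        if rec is None or rec["direction"] != "OUT" or rec["dst"] != remote_ip:
            continue
        if rule_id is not None and rec["rule"] != rule_id:
            continue
        entry = summary[rec["src"]]
        entry["hits"] += 1
        entry["bytes"] += rec["length"]
        entry["dports"].add(rec["dport"])
        entry["protos"].add(rec["proto"])
    return dict(summary)


def top_talkers(summary):
    """Sources ordered by hit count (descending), then by address for stability."""
    return sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))


if __name__ == "__main__":
    report = offenders(SAMPLE_LOGS, "203.0.113.9")
    for src, stats in top_talkers(report):
        print(f"{src}: {stats['hits']} packets, {stats['bytes']} bytes, "
              f"protos={sorted(stats['protos'])}, remote ports={sorted(stats['dports'])}")
```

Run against an export of the CGW firewall log (one FIREWALL_PKTLOG line per row), the first entry in the ranked output is the private address of the VM to investigate; inbound entries and lines that are not packet logs are ignored, and passing the Deny rule's ID narrows the count to traffic the new rule actually blocked.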

Additional Information