port scan coming in from amazon ec2 instance?

jimbof
Grafter
Posts: 348
Thanks: 2
Registered: 02-05-2013

For 10 hours this morning my IP was persistently scanned from an IP which looks to be an Amazon EC2 instance.  Seems they've gone all the way from 50600 up to 61400.  Anyone seen anything like this?
5 REPLIES
Plusnet Help Team
Plusnet Help Team
Posts: 13,017
Thanks: 145
Fixes: 48
Registered: 27-04-2007

Re: port scan coming in from amazon ec2 instance?

Hi Jimbof,
I'm assuming you don't actually use Amazon's web services in any way? http://aws.amazon.com/ec2/instance-types/
Adam
 Adam Walker
 Plusnet Help Team
jimbof
Grafter
Posts: 348
Thanks: 2
Registered: 02-05-2013

Re: port scan coming in from amazon ec2 instance?

No I don't; I have a Youview box and some of the backend for that seems to be hosted on Amazon's servers, and I use crashplan which also uses Amazon for some stuff, but this was definitely a prolonged and thorough port scan attempt.  It definitely looked from the logs that someone was scanning every single port on my router between the range specified.  Weird though as Amazon specifically exclude port scanning from their T&C's so it is a prohibited use of their service (though perhaps that is why they took over 8 hours to do 10000 ports - equates to around one every couple of seconds - perhaps to get around some automated countermeasure at Amazon to block such use).
Here is the beginning of the probe:
Jun  2 00:57:08 Router kern.warn kernel: [300833.709032] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=59954 DF PROTO=TCP SPT=80 DPT=50645 WINDOW=80 RES=0x00 ACK PSH URGP=0 
Jun  2 00:57:08 Router kern.warn kernel: [300833.841950] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=59956 DF PROTO=TCP SPT=80 DPT=50645 WINDOW=80 RES=0x00 ACK PSH URGP=0
Jun  2 00:57:09 Router kern.warn kernel: [300834.113795] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=59957 DF PROTO=TCP SPT=80 DPT=50645 WINDOW=80 RES=0x00 ACK PSH URGP=0
Jun  2 00:57:09 Router kern.warn kernel: [300834.657479] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=59958 DF PROTO=TCP SPT=80 DPT=50645 WINDOW=80 RES=0x00 ACK PSH URGP=0
Jun  2 00:57:10 Router kern.warn kernel: [300835.749842] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=59959 DF PROTO=TCP SPT=80 DPT=50645 WINDOW=80 RES=0x00 ACK PSH URGP=0
Jun  2 00:57:14 Router kern.warn kernel: [300839.974377] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=12186 DF PROTO=TCP SPT=80 DPT=50646 WINDOW=68 RES=0x00 ACK PSH URGP=0

Here is the end of the probe:
Jun  2 09:57:24 Router kern.warn kernel: [333250.008397] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=56751 DF PROTO=TCP SPT=80 DPT=61408 WINDOW=159 RES=0x00 ACK PSH URGP=0 
Jun  2 09:57:31 Router kern.warn kernel: [333256.143807] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=54671 DF PROTO=TCP SPT=80 DPT=61413 WINDOW=68 RES=0x00 ACK PSH URGP=0
Jun  2 09:57:37 Router kern.warn kernel: [333263.007793] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=31483 DF PROTO=TCP SPT=80 DPT=61403 WINDOW=68 RES=0x00 ACK PSH URGP=0
Jun  2 09:57:43 Router kern.warn kernel: [333268.191761] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=36774 DF PROTO=TCP SPT=80 DPT=61411 WINDOW=80 RES=0x00 ACK PSH URGP=0
Jun  2 09:57:48 Router kern.warn kernel: [333273.856443] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=56753 DF PROTO=TCP SPT=80 DPT=61408 WINDOW=159 RES=0x00 ACK PSH URGP=0
Jun  2 09:57:54 Router kern.warn kernel: [333279.999853] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=54673 DF PROTO=TCP SPT=80 DPT=61413 WINDOW=68 RES=0x00 ACK PSH URGP=0
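A way to triage a log like the one in the post above, added here as an example (it is not code from any poster in this thread): it groups netfilter DROP lines by source address and reports the distinct destination ports, port range, source ports and TCP flag combinations seen. The function names are made up for this example, and the sample input is six of the log lines quoted in the post.

```python
import re
from collections import defaultdict

# Six of the router log lines quoted in the post above (DST was already redacted as xxx).
SAMPLE = """\
Jun  2 00:57:08 Router kern.warn kernel: [300833.709032] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=59954 DF PROTO=TCP SPT=80 DPT=50645 WINDOW=80 RES=0x00 ACK PSH URGP=0
Jun  2 00:57:08 Router kern.warn kernel: [300833.841950] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=59956 DF PROTO=TCP SPT=80 DPT=50645 WINDOW=80 RES=0x00 ACK PSH URGP=0
Jun  2 00:57:14 Router kern.warn kernel: [300839.974377] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=12186 DF PROTO=TCP SPT=80 DPT=50646 WINDOW=68 RES=0x00 ACK PSH URGP=0
Jun  2 09:57:24 Router kern.warn kernel: [333250.008397] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=56751 DF PROTO=TCP SPT=80 DPT=61408 WINDOW=159 RES=0x00 ACK PSH URGP=0
Jun  2 09:57:31 Router kern.warn kernel: [333256.143807] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=54671 DF PROTO=TCP SPT=80 DPT=61413 WINDOW=68 RES=0x00 ACK PSH URGP=0
Jun  2 09:57:37 Router kern.warn kernel: [333263.007793] DROP(wan):IN=pppoe-wan OUT= MAC= SRC=176.34.242.27 DST=xxx LEN=305 TOS=0x00 PREC=0x80 TTL=51 ID=31483 DF PROTO=TCP SPT=80 DPT=61403 WINDOW=68 RES=0x00 ACK PSH URGP=0
""".splitlines()

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")        # KEY=value pairs (value may be empty)
UPTIME = re.compile(r"\[\s*(\d+\.\d+)\]")      # kernel uptime stamp, e.g. [300833.709032]
FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}

def parse_line(line):
    """Parse one netfilter log line into its fields, TCP flag set and kernel uptime."""
    if "PROTO=TCP" not in line:
        return None
    rec = dict(FIELD.findall(line))
    # Flags are the bare words between RES=... and URGP=...
    rec["flags"] = frozenset(t for t in line.split("RES=", 1)[-1].split() if t in FLAGS)
    m = UPTIME.search(line)
    rec["ts"] = float(m.group(1)) if m else 0.0
    return rec

def summarise(lines):
    """Per source IP: how many ports were touched, over how long, with which flags."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["SRC"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        ports = sorted({int(r["DPT"]) for r in recs})
        report[src] = {
            "packets": len(recs),
            "distinct_dports": len(ports),
            "dport_range": (ports[0], ports[-1]),
            "source_ports": sorted({int(r["SPT"]) for r in recs}),
            "flag_sets": sorted({"+".join(sorted(r["flags"])) for r in recs}),
            "syn_only": sum(r["flags"] == {"SYN"} for r in recs),
            "span_seconds": round(max(r["ts"] for r in recs) - min(r["ts"] for r in recs), 3),
        }
    return report

if __name__ == "__main__":
    for src, row in summarise(SAMPLE).items():
        print(src, row)
```

Run it over the full router log rather than the excerpt; `syn_only` counts packets carrying SYN alone, which is what a connect or SYN scan produces.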
Plusnet Help Team
Plusnet Help Team
Posts: 13,017
Thanks: 145
Fixes: 48
Registered: 27-04-2007

Re: port scan coming in from amazon ec2 instance?

Quote
No I don't; I have a Youview box and some of the backend for that seems to be hosted on Amazon's servers, and I use crashplan which also uses Amazon for some stuff, but this was definitely a prolonged and thorough port scan attempt.

OK I wonder if it might be more to do with crashplan maybe? It's something you might want to broach with Amazon perhaps.
Adam
 Adam Walker
 Plusnet Help Team
jimbof
Grafter
Posts: 348
Thanks: 2
Registered: 02-05-2013

Re: port scan coming in from amazon ec2 instance?

I can't see either of them performing a scan in that fashion though, does seem to be malicious.
I'll get in touch with Amazon though imagine it may be fruitless...
jimbof
Grafter
Posts: 348
Thanks: 2
Registered: 02-05-2013

Re: port scan coming in from amazon ec2 instance?

Reported to Amazon, I'll post details of any reply from them.