VPC Alarms
DDoSTcpDns
Your ECSs may have been used to perform Denial of Service (DoS) attacks using the DNS protocol. The port number is 53.
Severity: high
Data source: VPC flow logs
Some ECSs may be performing DoS attacks using the DNS protocol. The port number is 53.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether the processes on port 53 are abnormal and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
DDoSTcp
Your ECSs may have been used to perform Denial of Service (DoS) attacks using the TCP protocol. As a result, a large volume of inbound/outbound TCP traffic is generated.
Severity: high
Data source: VPC flow logs
Some ECSs may have been used to perform Denial of Service (DoS) attacks using the TCP protocol. As a result, a large volume of inbound/outbound TCP traffic is generated.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
DDoSUdp
Your ECSs may have been used to perform Denial of Service (DoS) attacks using the UDP protocol. As a result, a large volume of inbound/outbound UDP traffic is generated.
Severity: high
Data source: VPC flow logs
Some ECSs may have been used to perform Denial of Service (DoS) attacks using the UDP protocol. As a result, a large volume of inbound/outbound UDP traffic is generated.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
DDoSTcp2Udp
Your ECSs may have been used to perform Denial of Service (DoS) attacks using the UDP protocol on a TCP port. For example, port 80, which is usually used for TCP communications, is found to be used for UDP communications at a specific point in time. As a result, a large volume of inbound/outbound UDP traffic is generated.
Severity: high
Data source: VPC flow logs
Some ECSs may be performing a DoS attack using the UDP protocol on a TCP port. For example, port 80, which is usually used for TCP communications, is found to be used for UDP communications at a specific point in time. As a result, a large volume of inbound/outbound UDP traffic is generated.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
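The DDoSTcp2Udp condition described above can be reproduced over flow records for local triage. The following is an added example, not the service's own detection logic: the record layout, the addresses, and the 1,000,000-byte threshold are constructed assumptions.

```python
from collections import defaultdict

TCP, UDP = 6, 17  # IANA IP protocol numbers

# Constructed flow records: (srcaddr, dstaddr, dstport, protocol, bytes).
BASELINE = [
    ("10.0.0.5", "198.51.100.7", 80, TCP, 48_000),
    ("10.0.0.5", "198.51.100.9", 80, TCP, 52_000),
    ("10.0.0.5", "192.0.2.53", 53, UDP, 900),
    ("10.0.0.8", "198.51.100.7", 443, TCP, 61_000),
]
WINDOW = [
    ("10.0.0.5", "203.0.113.20", 80, UDP, 9_500_000),  # UDP burst on a TCP port
    ("10.0.0.5", "203.0.113.20", 80, UDP, 8_700_000),
    ("10.0.0.5", "192.0.2.53", 53, UDP, 1_100),        # DNS: UDP is in the baseline
    ("10.0.0.8", "198.51.100.7", 443, TCP, 70_000),    # ordinary HTTPS
    ("10.0.0.8", "198.51.100.7", 80, UDP, 400),        # mismatch, but tiny volume
]

def tcp_only_ports(baseline):
    """Ports on which the baseline saw TCP and never UDP."""
    seen = defaultdict(set)
    for _src, _dst, port, proto, _bytes in baseline:
        seen[port].add(proto)
    return {port for port, protos in seen.items() if protos == {TCP}}

def find_tcp2udp(baseline, window, min_bytes=1_000_000):
    """Return {(srcaddr, dstport): udp_bytes} for sources whose UDP volume on a
    TCP-only port reaches min_bytes (an assumed threshold) within the window."""
    tcp_ports = tcp_only_ports(baseline)
    volume = defaultdict(int)
    for src, _dst, port, proto, nbytes in window:
        if proto == UDP and port in tcp_ports:
            volume[(src, port)] += nbytes
    return {key: total for key, total in volume.items() if total >= min_bytes}

if __name__ == "__main__":
    for (src, port), total in find_tcp2udp(BASELINE, WINDOW).items():
        print(f"DDoSTcp2Udp candidate: {src} sent {total} UDP bytes on port {port}")
```

The source address it reports is the ECS whose processes the suggestion above says to inspect.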
DDoSUnusualProtocol
Your ECSs may have been used to perform Denial of Service (DoS) attacks using an unusual protocol. Unusual protocols are all protocols other than TCP, UDP, ICMP, IPv4, IPv6, and STP.
Severity: high
Data source: VPC flow logs
Some ECSs may be performing a DoS attack using an unusual protocol. Unusual protocols are all protocols other than TCP, UDP, ICMP, IPv4, IPv6, and STP.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
JunkMail
Your ECSs are communicating with remote hosts through port 25 and sending junk mail.
Severity: medium
Data source: VPC flow logs
Some ECSs are communicating with remote hosts through port 25 and sending junk mail.
Suggestions: If this activity is unexpected, your ECS may be compromised. Check whether port 25 is enabled. If necessary, disable port 25 in the security group and clear any detected malware.
UnusualNetworkPort
Your ECSs are using abnormal ports to communicate with remote hosts and may be engaged in malicious activities. The abnormal port may be any custom open port.
Severity: medium
Data source: VPC flow logs
Some ECSs are using abnormal ports to communicate with remote hosts and may be engaged in malicious activities. The abnormal port may be any custom open port.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
UnusualTrafficFlow
Your ECSs are generating a large volume of outbound traffic that deviates from the normal baseline and is all directed to a single remote host.
Severity: medium
Data source: VPC flow logs
Some ECSs are generating a large volume of outbound traffic that deviates from the normal baseline and is all directed to a single remote host.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
Cryptomining
Your ECSs are accessing IP addresses that are associated with crypto-mining-related activity and may be engaged in illegal activities.
Severity: high
Data source: VPC flow logs
Some ECSs are accessing IP addresses that are associated with crypto-mining-related activity and may be engaged in illegal activities.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
CommandControlActivity
Your ECS is used to send messages to a high-risk network.
Severity: high
Data source: VPC flow logs
The IP address of the ECS is querying an IP address that is associated with a known command and control server.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
PortDetection
Your ECS is probing a port on a large number of IP addresses.
Severity: high
Data source: VPC flow logs
Some ECSs are scanning ports that are active on a large number of IP addresses. The ECSs may have been compromised for slow remote port scan attacks.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
PortScan
Your ECS is scanning a port on a large number of IP addresses.
Severity: medium
Data source: VPC flow logs
Some ECSs are scanning the outbound ports of remote resources and may be engaged in malicious activities.
Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.