Updated on 2022-09-08 GMT+08:00

VPC Alarms

DDoSTcpDns

Your ECSs may have been used to perform Denial of Service (DoS) attacks using the DNS protocol. The port number is 53.

Severity: high

Data source: VPC flow logs

Some ECSs may be performing DoS attacks using the DNS protocol. The port number is 53.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether the processes on port 53 are abnormal and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

DDoSTcp

Your ECSs may have been used to perform Denial of Service (DoS) attacks using the TCP protocol. As a result, a large volume of inbound/outbound TCP traffic is generated.

Severity: high

Data source: VPC flow logs

Some ECSs may have been used to perform Denial of Service (DoS) attacks using the TCP protocol. As a result, a large volume of inbound/outbound TCP traffic is generated.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

DDoSUdp

Your ECSs may have been used to perform Denial of Service (DoS) attacks using the UDP protocol. As a result, a large volume of inbound/outbound UDP traffic is generated.

Severity: high

Data source: VPC flow logs

Some ECSs may have been used to perform Denial of Service (DoS) attacks using the UDP protocol. As a result, a large volume of inbound/outbound UDP traffic is generated.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

DDoSTcp2Udp

Your ECSs may have been used to perform Denial of Service (DoS) attacks using the UDP protocol on a TCP port. For example, port 80, which is normally used for TCP communication, is found carrying UDP traffic at a specific point in time. As a result, a large volume of inbound/outbound UDP traffic is generated.

Severity: high

Data source: VPC flow logs

Some ECSs may be performing a DoS attack using the UDP protocol on a TCP port. For example, port 80, which is normally used for TCP communication, is found carrying UDP traffic at a specific point in time. As a result, a large volume of inbound/outbound UDP traffic is generated.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

DDoSUnusualProtocol

Your ECSs may have been used to perform Denial of Service (DoS) attacks using an unusual protocol. An unusual protocol is any protocol other than TCP, UDP, ICMP, IPv4, IPv6 and STP.

Severity: high

Data source: VPC flow logs

Some ECSs may be performing a DoS attack using an unusual protocol. An unusual protocol is any protocol other than TCP, UDP, ICMP, IPv4, IPv6 and STP.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

JunkMail

Your ECSs are communicating with remote hosts through port 25 and sending junk mail.

Severity: medium

Data source: VPC flow logs

Some ECSs are communicating with remote hosts through port 25 and sending junk mail.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether port 25 is enabled. If necessary, disable port 25 in the security group and clear any detected malware.

UnusualNetworkPort

Your ECSs are using abnormal ports to communicate with remote hosts and may be engaged in malicious activities. The abnormal port may be any custom open port.

Severity: medium

Data source: VPC flow logs

Some ECSs are using abnormal ports to communicate with remote hosts and may be engaged in malicious activities. The abnormal port may be any custom open port.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

UnusualTrafficFlow

Your ECSs are generating a large volume of outbound traffic that deviates from the normal baseline and is all directed to one remote host.

Severity: medium

Data source: VPC flow logs

Some ECSs are generating a large volume of outbound traffic that deviates from the normal baseline and is all directed to one remote host.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

Cryptomining

Your ECSs are accessing IP addresses that are associated with crypto-mining-related activity and may be engaged in illegal activities.

Severity: high

Data source: VPC flow logs

Some ECSs are accessing IP addresses that are associated with crypto-mining-related activity and may be engaged in illegal activities.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

CommandControlActivity

Your ECS is being used to send messages to a high-risk network.

Severity: high

Data source: VPC flow logs

The IP address of the ECS is querying an IP address that is associated with a known command and control server.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

PortDetection

Your ECS is probing a port on a large number of IP addresses.

Severity: high

Data source: VPC flow logs

Some ECSs are scanning ports that are active on a large number of IP addresses. The ECSs may have been compromised and used for slow remote port scans.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.

PortScan

Your ECS is scanning a port on a large number of IP addresses.

Severity: medium

Data source: VPC flow logs

Some ECSs are scanning ports on remote resources and may be engaged in malicious activities.

Suggestions: If this activity is unexpected, your ECS may have been compromised. Check whether suspicious processes exist and clear any detected malware. If necessary, stop the ECS and start a new ECS to take over the workloads.
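The alarms above (DDoSTcpDns, DDoSTcp2Udp, DDoSUnusualProtocol, JunkMail and PortDetection) are all derived from VPC flow logs. The following added example, which is not part of this documentation or the service's own detection code, shows how such rules can be expressed over flow records. The record layout (space-separated srcaddr, dstaddr, srcport, dstport, protocol, packets), the thresholds and the list of TCP-only ports are assumptions chosen for illustration, not the service's actual log format or detection thresholds.

```python
from collections import defaultdict

# Assumptions for illustration (not the service's real thresholds or format).
KNOWN_PROTOCOLS = {"TCP", "UDP", "ICMP", "IPv4", "IPv6", "STP"}
TCP_ONLY_PORTS = {80, 443}       # assumed: ports expected to carry TCP only
DOS_PACKETS = 100_000            # assumed: per-flow packet count treated as DoS volume
SCAN_MIN_HOSTS = 50              # assumed: same port probed on this many distinct hosts


def parse_record(line):
    """Parse one assumed flow record: srcaddr dstaddr srcport dstport protocol packets."""
    src, dst, sport, dport, proto, packets = line.split()
    return {"src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
            "proto": proto, "packets": int(packets)}


def classify(lines):
    """Return a sorted list of (alarm_name, ecs_ip) pairs raised by the records."""
    alarms = set()
    targets = defaultdict(set)   # (src, dport) -> distinct destination hosts
    for r in map(parse_record, lines):
        # DDoSUnusualProtocol: protocol outside the expected set.
        if r["proto"] not in KNOWN_PROTOCOLS:
            alarms.add(("DDoSUnusualProtocol", r["src"]))
        # DDoSTcp2Udp: UDP traffic on a port that normally carries TCP.
        if r["proto"] == "UDP" and r["dport"] in TCP_ONLY_PORTS:
            alarms.add(("DDoSTcp2Udp", r["src"]))
        # DDoSTcpDns: DoS-level packet volume towards port 53.
        if r["dport"] == 53 and r["packets"] >= DOS_PACKETS:
            alarms.add(("DDoSTcpDns", r["src"]))
        # JunkMail: outbound SMTP on port 25.
        if r["proto"] == "TCP" and r["dport"] == 25:
            alarms.add(("JunkMail", r["src"]))
        targets[(r["src"], r["dport"])].add(r["dst"])
    # PortDetection: one port probed on many distinct remote hosts.
    for (src, _dport), hosts in targets.items():
        if len(hosts) >= SCAN_MIN_HOSTS:
            alarms.add(("PortDetection", src))
    return sorted(alarms)


# Constructed sample records (TEST-NET addresses), not real traffic.
SAMPLE = [
    "10.0.0.5 198.51.100.7 40000 53 TCP 250000",   # DoS volume towards DNS
    "10.0.0.6 198.51.100.8 40001 80 UDP 5000",     # UDP on a TCP port
    "10.0.0.7 198.51.100.9 0 0 GRE 10",            # protocol outside the known set
    "10.0.0.8 198.51.100.10 40002 25 TCP 30",      # outbound SMTP
] + [f"10.0.0.9 203.0.113.{i} 40003 22 TCP 1" for i in range(1, 61)]  # one port, 60 hosts

if __name__ == "__main__":
    for alarm, ecs in classify(SAMPLE):
        print(f"{alarm}: {ecs}")
```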