This is weird, I'm having some instances running in a private subnet. Those subnets are not exposed to the Internet directly, they don't have a public IP and all outgoing traffic is routed through a NAT instance.
However, GuardDuty gives me warnings like this for all instances in this private subnet:
Recon:EC2/PortProbeUnprotectedPort
Action
Action type
PORT_PROBE
Blocked
false
First seen
12-21-2019 22:22:10 (a month ago)
Last seen
01-19-2020 11:18:12 (38 minutes ago)
Actor
IP address
159.65.11.106
Location
country:
Singapore
lat:
1.314
lon:
103.6839
Organization
asn:
14061
asnOrg:
DigitalOcean, LLC
isp:
Digital Ocean
org:
Digital Ocean
Additional information
Threat name
Scanner
Threat list name
ProofPoint
Local port
30539
Archived
false
Remote IP details
ipAddress:
5.101.0.209
location:
Moscow, Russia
organization:
PinSPB
So, multiple questions arise here:
- How is it even possible my instance gets scanned when it doesn't have a public IP adres?
- Why is the actor IP address different from the remote IP?
I think I might have found the reason myself, and I'll post it as an answer in case other people come accross this issue as well:
Those instances were part of a Kubernetes cluster, and I use nginx as the ingress controller. This ingress controller is exposed via
type:Loadbalancerand with an annotation that causes AWS to use a Network LoadBalancer (NLB).Since NLB's preserve the origin IP address, those IP's are also shown in the AWS GuardDuty logs.