
For about 10 days now I have been seeing a bunch of EC2 machines (about 30, distributed across all regions) which are attacking a server of mine.

The interesting (or uninteresting, I do not know yet) fact is that

  • they target an open web service on a non-descriptive port (which was probably found through an earlier scan)
  • this port replies with a 200 to an HTTP request
  • the queries are only on the root of the URL ...
  • ... which brings them an empty page

In other words, they are continuously doing a GET / on that web service.

It could have been a DDoS, except that

  • the number of machines is very limited and well defined
  • there are 4 queries per minute, all of them neatly grouped (within ~5 seconds) around the middle of the minute

So this is not a DoS (the rate is insignificant), not a DDoS (besides the rate, the population is small), and not a hacking attempt (the request is stubbornly on one URL; I looked at the traffic and this is the only port targeted).

I will classify it as "rich (many EC2 machines, they may also use the free tier) but dumb not-sure-what" if nobody has an idea about what this is.

WoJ
  • Do you have an "uptime" service? This sounds very much like the connection pattern they would use. – Matthew Jun 08 '16 at 06:37
  • Ahhhh.... you are absolutely right. I recently tested an alerting service for that specific web service... (and forgot about it in the meantime). Thank you - if you could just turn that into an answer, I will gladly accept it (and be ashamed for eternity :)). That would also explain the distributed EC2 machines. – WoJ Jun 08 '16 at 06:44
  • @WoJ Please do not be ashamed! :-) It's a good question that can help others who are perplexed by the same thing in the future. – Anders Jun 08 '16 at 07:00
  • Maybe you should make Amazon aware of this. – Quora Feans Jun 09 '16 at 07:53
  • @QuoraFeans: please read the answer (and my comment above) - it ended up not being an attack at all. – WoJ Jun 09 '16 at 08:02

1 Answer


This sounds like the behaviour of an uptime service. These connect from multiple locations at a regular interval, and are designed to alert the server owner in the event of problems.

In this case, it looks like the server owner had set up such a service, and then forgotten about it, since the server didn't have any problems - the alerting service wouldn't send alerts unless there were issues, so it's easy to forget about them.

Answering the question in the comments: why perform extra checks? Several reasons:

  • Verifies that an issue exists on the target server, rather than on the testing server
  • Allows for geographical testing, by making requests from multiple locations
  • Allows for more complex tests, such as response times, whilst avoiding network problems which might affect individual servers
  • Ensures that the uptime service itself doesn't suffer outages from single servers going down!
Matthew
  • Wouldn't one such "ping" every minute (or five) be sufficient? Why have 30 of them? –  Jun 08 '16 at 13:55
  • Depends on the service. Some offer multiple test locations, so you can see if there is a routing problem from a specific country (e.g. if customers from Japan can't see your site, there might be connectivity problems between Japan and your server). Others do timing tests, so run multiple tests to ensure that intermittent issues can be ignored. Some services even load entire pages and take screenshots, so you can see if a changing page has an issue which only shows given some time-based factor. – Matthew Jun 08 '16 at 14:05
  • If you've had a total memory loss of which uptime service you've used, you could add some of these IPs temporarily to your firewall to block them, or shut off your service for a couple of minutes if it's non-critical - and wait to see who contacts you. – i-CONICA Jun 08 '16 at 14:11
  • A ping only tells you the machine is reachable on the network, not that your web server is running, or that your web application is responding. – i-CONICA Jun 08 '16 at 14:12
  • @i-CONICA The question doesn't say that it's a ping - it's an HTTP GET request. – Matthew Jun 08 '16 at 14:14
  • @Matthew I was responding to the first comment on this answer; I didn't properly read the meaning of "one such 'ping'", which uses the term ping non-literally. – i-CONICA Jun 08 '16 at 14:20
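The pattern the question describes (a fixed set of sources, one method and path, a steady period, hits clustered at the same second of each minute) can be picked out of an access log before anyone decides it is an attack. The following is an added example, not code from the question or answer: it parses constructed Common Log Format lines (documentation-range addresses, not the real EC2 sources) and labels each source as monitor-like or other, then reports the second-of-minute window the monitor-like fleet hits in.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Common Log Format); not the question's real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jun/2016:06:30:30 +0000] "GET / HTTP/1.1" 200 0
203.0.113.11 - - [08/Jun/2016:06:31:29 +0000] "GET / HTTP/1.1" 200 0
198.51.100.7 - - [08/Jun/2016:06:31:05 +0000] "GET / HTTP/1.1" 200 0
198.51.100.7 - - [08/Jun/2016:06:31:06 +0000] "GET /admin HTTP/1.1" 404 162
198.51.100.7 - - [08/Jun/2016:06:31:06 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.10 - - [08/Jun/2016:06:32:30 +0000] "GET / HTTP/1.1" 200 0
203.0.113.11 - - [08/Jun/2016:06:33:33 +0000] "GET / HTTP/1.1" 200 0
203.0.113.10 - - [08/Jun/2016:06:34:31 +0000] "GET / HTTP/1.1" 200 0
203.0.113.11 - - [08/Jun/2016:06:35:30 +0000] "GET / HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    # Return (ip, datetime, method, path, status), or None for lines that do not parse.
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def group_by_source(log_text):
    # Requests per source address, sorted by time so inter-request gaps are meaningful.
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec[0]].append(rec)
    return {ip: sorted(recs, key=lambda r: r[1]) for ip, recs in by_ip.items()}

def classify_sources(log_text, min_hits=3, jitter=10.0):
    """'monitor-like' = one method+path only, at least min_hits hits, and a
    steady period (spread of inter-request gaps <= jitter seconds); else 'other'."""
    labels = {}
    for ip, recs in group_by_source(log_text).items():
        paths = {(r[2], r[3]) for r in recs}
        gaps = [(b[1] - a[1]).total_seconds() for a, b in zip(recs, recs[1:])]
        steady = len(recs) >= max(min_hits, 2) and max(gaps) - min(gaps) <= jitter
        labels[ip] = "monitor-like" if len(paths) == 1 and steady else "other"
    return labels

def second_of_minute_window(log_text, ips):
    # (earliest, latest) second-of-minute the given sources hit; a tight window is the fleet fingerprint.
    secs = [r[1].second for ip, recs in group_by_source(log_text).items()
            if ip in ips for r in recs]
    return (min(secs), max(secs)) if secs else None
```

A source that probes several paths in one burst (the 198.51.100.7 lines) fails the single-path test even though its timing is regular, which is the distinction between a scanner and a forgotten uptime check.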