VPC Flow Logs - Understanding the REJECT Record

Question

You've set up VPC Flow logs for your EC2 Instance ENI in a subnet.

You can see the below REJECT record in the VPC Flow logs.

What does this indicate?

2 123456789911 eni-abc123de 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

Explanations

Answer - C.

In the record captured in the VPC Flow logs, the destination-port field (3389, shown in the record below) shows that a request was made to port 3389, the default port for the RDP protocol.

2 123456789911 eni-abc123de 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

There are also other possibilities, such as a port scanner that probed port 3389 (RDP), or some other application that attempted to establish contact with port 3389 as part of an attack.

Here "someone" might refer to an individual user (an attacker) or to a malicious application attempting to gain entry through this exposed port.

By default, all other options become invalid since the log clearly shows what the port number recorded is.

For more information on VPC Flow Logs, one can visit the below URL.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

The VPC Flow Logs is a feature provided by AWS to capture information about the IP traffic flowing in and out of a VPC (Virtual Private Cloud), subnet, or network interface within a VPC. It can be used for troubleshooting, monitoring, and security analysis of the network traffic.

The given VPC Flow Log record indicates a REJECT action taken by the security group or Network ACL (Access Control List) associated with the ENI (Elastic Network Interface) of the EC2 instance. The fields in the log record provide the following information:

  • 2: The version of the flow log record.
  • 123456789911: The ID of the VPC flow log group.
  • eni-abc123de: The ID of the ENI associated with the instance.
  • 172.31.9.69: The source IP address of the traffic.
  • 172.31.9.12: The destination IP address of the traffic.
  • 49761: The source port number of the traffic.
  • 3389: The destination port number of the traffic.
  • 6: The protocol number (TCP in this case) of the traffic.
  • 20: The number of packets transferred in the flow.
  • 4249: The number of bytes transferred in the flow.
  • 1418530010: The start time of the flow, in epoch seconds.
  • 1418530070: The end time of the flow, in epoch seconds.
  • REJECT: The action taken by the security group or NACL associated with the ENI.
  • OK: The status of the flow log record.

From the above fields, we can determine that the traffic was TCP traffic, from source IP address 172.31.9.69 to destination IP address 172.31.9.12, with source port number 49761 and destination port number 3389. Port 3389 is the default port number for Remote Desktop Protocol (RDP), used for remote access to Windows-based EC2 instances. The REJECT action indicates that the traffic was blocked by the security group or NACL associated with the ENI, which could be due to a misconfigured firewall rule or an attempt to access the instance from an unauthorized source.

Therefore, the correct answer to the question is C. Someone was trying to log into the instance via RDP.
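As an added example (not part of the original question or of AWS's own tooling), the following Python parses default-format version 2 flow log records such as the one above and counts REJECTed TCP flows aimed at remote-administration ports, which is the check a defender would run over a batch of flow logs to spot the pattern this question describes. The sample log lines are constructed for the example; the field order follows the AWS default v2 format, in which the second field is the AWS account ID.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
V2_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
             "srcport", "dstport", "protocol", "packets", "bytes",
             "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}
# Destination ports treated as remote-administration ports (assumption for this example).
ADMIN_PORTS = {3389: "RDP", 22: "SSH"}

# Constructed sample: the record from the question plus invented neighbours,
# including a NODATA record, which carries '-' in most fields.
SAMPLE_LOG = """\
2 123456789911 eni-abc123de 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789911 eni-abc123de 172.31.9.69 172.31.9.12 49762 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789911 eni-abc123de 172.31.9.69 172.31.9.12 49763 22 6 10 840 1418530010 1418530070 REJECT OK
2 123456789911 eni-abc123de 172.31.9.12 172.31.9.69 443 51000 6 30 6000 1418530010 1418530070 ACCEPT OK
2 123456789911 eni-abc123de - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_record(line):
    """Parse one default-format record into a dict; return None for malformed lines.

    Numeric fields are converted only when log_status is OK, because NODATA and
    SKIPDATA records leave them as '-'.
    """
    parts = line.split()
    if len(parts) != len(V2_FIELDS):
        return None
    rec = dict(zip(V2_FIELDS, parts))
    if rec["log_status"] != "OK":
        return rec
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def rejected_admin_connections(log_text, admin_ports=None):
    """Count REJECTed TCP flows per (srcaddr, dstaddr, dstport, service name)."""
    admin_ports = ADMIN_PORTS if admin_ports is None else admin_ports
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        # protocol 6 is TCP; REJECT means the security group or NACL dropped the flow
        if rec["action"] == "REJECT" and rec["protocol"] == 6 and rec["dstport"] in admin_ports:
            key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"], admin_ports[rec["dstport"]])
            hits[key] += 1
    return hits
```

Run over the sample, the source 172.31.9.69 shows two rejected RDP attempts and one rejected SSH attempt against 172.31.9.12, while the ACCEPTed HTTPS flow and the NODATA record are ignored.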