Using AWS Flow Logs to Detect Network Intruders


How do you know if there are people in your network who shouldn’t be?  One of the easiest ways to find out is with AWS VPC Flow Logs.  Flow Logs is an AWS feature that captures metadata about the IP traffic going to and from the network interfaces in your VPC.  Each record includes the source and destination IPs, ports, protocol, packet and byte counts, and whether the security group or network ACL accepted or rejected the flow (no data payload), which lets you tell legitimate traffic from traffic that shouldn’t be there.

Unfortunately, Amazon doesn’t make it easy. AWS gives you an API and a console to access this information.  In the console, the records for each network interface live in their own log stream, so you can only search through one interface at a time.  If you are running multiple nodes, you will have to look through each interface one by one.  Alternatively, you can use the API and write a program to sort through the data yourself.

[Image: interface-logs]

This is where FlowLog-Stats.com can help you out.  We pull your flow log data nightly and build a dashboard for you to review, parsing the mountains of records into actionable information so you don’t have to.

[Image: dashboard1]

We also add value by cross-referencing the IPs in your logs against malicious threat lists.  You can see at a glance whether your network is communicating with known bad IPs and how much of a threat each of them poses to you.  For example, you most likely don’t want to leave port 3389 (Windows Remote Desktop Protocol) or port 3306 (MySQL) open to the internet.  The table below shows that these ports are being actively scanned by malicious sources.

[Image: gh-threats-all.png]
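To make the points above concrete (the record format, sorting through every interface in one program instead of one at a time, and cross-referencing IPs with a threat list), here is an added example; it is not code from the original post or from FlowLog-Stats.com.  It parses flow log records in the default version-2 format, flags accepted inbound connections to ports such as 3389 and 3306, marks any flow whose endpoint appears on a threat list, and groups the results per interface.  The log lines, the threat list, the 10.0.0.0/8 internal range, and the account and interface IDs are all constructed placeholders; the external IPs come from the RFC 5737 documentation ranges.

```python
# Added example (not code from the original post or from FlowLog-Stats.com):
# parse VPC Flow Log records in the default version-2 format, then flag
# (1) accepted inbound flows to admin/database ports and (2) any flow whose
# endpoint is on a threat list, grouped per network interface so every ENI
# is reviewed in one pass. The log lines, threat list and address ranges
# below are constructed; account and interface IDs are placeholders and the
# external IPs come from RFC 5737 documentation ranges.
import ipaddress
from collections import defaultdict

# Field order of a default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Ports you most likely do not want reachable from the internet.
WATCHED_PORTS = {3389: "RDP", 3306: "MySQL", 22: "SSH"}

# Assumed: your VPC address space, used to tell inbound from outbound flows.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed threat list keyed by CIDR so whole ranges can be listed.
THREAT_LIST = {
    ipaddress.ip_network("198.51.100.0/24"): "scanner",
    ipaddress.ip_network("192.0.2.99/32"): "brute-forcer",
}

# Constructed sample records covering two interfaces. Each direction of a
# connection is its own record; the last row is a NODATA row with no addresses.
SAMPLE_LOG = """\
2 123456789010 eni-aaaa1111 10.0.1.20 203.0.113.12 443 51234 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-aaaa1111 198.51.100.7 10.0.1.20 52045 3389 6 5 300 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-bbbb2222 198.51.100.7 10.0.2.30 52046 3306 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-bbbb2222 192.0.2.99 10.0.2.30 40001 22 6 12 1800 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-bbbb2222 10.0.2.30 192.0.2.99 22 40001 6 10 2400 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-aaaa1111 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_records(text):
    """Yield one dict per usable record, skipping NODATA/SKIPDATA rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank, malformed or custom-format row
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic captured in this window: fields are "-"
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
        rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
        yield rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def threat_label(addr):
    """Return the threat-list label for addr, or None if it is not listed."""
    for net, label in THREAT_LIST.items():
        if addr in net:
            return label
    return None


def find_findings(text):
    """Return sorted, de-duplicated (kind, interface_id, remote_ip, detail) tuples."""
    findings = set()
    for rec in parse_records(text):
        inbound = is_internal(rec["dstaddr"]) and not is_internal(rec["srcaddr"])
        # An external host reached a watched port and the SG/NACL let it through.
        if inbound and rec["action"] == "ACCEPT" and rec["dstport"] in WATCHED_PORTS:
            findings.add(("open_port", rec["interface_id"], str(rec["srcaddr"]),
                          WATCHED_PORTS[rec["dstport"]]))
        # Either endpoint is on the threat list. REJECTed flows are kept too:
        # they show who is knocking even when the firewall held.
        for addr in (rec["srcaddr"], rec["dstaddr"]):
            label = threat_label(addr)
            if label:
                findings.add(("threat_ip", rec["interface_id"], str(addr),
                              label + "/" + rec["action"]))
    return sorted(findings)


def summarize(text):
    """Group findings per interface: the all-interfaces view the console lacks."""
    per_eni = defaultdict(list)
    for finding in find_findings(text):
        per_eni[finding[1]].append(finding)
    return dict(per_eni)


if __name__ == "__main__":
    for eni, hits in summarize(SAMPLE_LOG).items():
        print(eni)
        for kind, _, ip, detail in hits:
            print(f"  {kind:10} {ip:16} {detail}")
```

On the constructed sample this reports an accepted RDP connection from a listed scanner on eni-aaaa1111, an accepted SSH session from a listed brute-forcer on eni-bbbb2222, and the rejected MySQL probe on eni-bbbb2222 as a threat-list hit rather than an open port.  To run it against real records, replace SAMPLE_LOG with lines pulled from the CloudWatch Logs API (for example boto3's `logs.filter_log_events`) and swap THREAT_LIST for the feed you actually use.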

Head on over to FlowLog-Stats.com to see how we can help you out and produce a useful daily dashboard on what is happening in your cloud.

 
