Thread Info
  • Locked Locked
  • Replies 6 replies
  • Subscribers 5 subscribers
  • Views 1356 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Portscans from ec2-54-....-12.compute-1.amazonaws.com

martin_sh

Hello,

I have created a "black hole" that I update with IPs received from Portscan notifications. I have done this in the last two or three years. Recently,  I noticed most of IPs are coming from compute-1.amazonaws.com, i.e.,

Source IP address: 54.92.255.12 (ec2-54-92-255-12.compute-1.amazanaws.com

I have Alexa at home. I noticed that as soon as I blacklist those IPs I receive more Portscan notifications. Then Alexa complains it has trouble to connect to Internet.

I am wondering if this is related to Alexa services. Any thoughts?

Thank you,

Martin



This thread was automatically locked due to age.

  • Update

    I had forgotten. Alexa is not connected through Sophos. My modem has two IPs (Spectrum). So, I have created two networks. One is managed by Sophos, and the other one is managed by Ubiquity. Alexa is connected to the other network.

  • in reply to martin_sh

    Update 2

    Alexa Echo devices are not even part of any subnets managed by Sophos UTM, so my initial impression that these portscans were related to Alexa Amazon services may not be correct. However, it concerns me because more IP ranges I enter in my "black hole" then more portscans I receive from compute-1.amazanaws.com. So, I thought maybe there is a different device in my Sophos home network. There are two of them: one is Wyze camera and the one is Pumpspy. At this point, I wonder if these portscans from compute-1.amazanaws.com are just portscans or are related/needed by my devices.

    Thank you,

    Martin

  • My personal experience with port scans from AWS is that they come from reputable companies that are "mapping" the Internet.  Every time they scan, it comes from a different AWS IP, so trying whack-a-mole with a blackhole rule won't succeed.  You might forward the portscan alert to abuse@amazonaws.com. You will want to include your time zone, the line from the Intrusion Prevention log related to the alert and a request to ask their customer to cease port scanning your IP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • in reply to BAlfson

    Thank you Bob,

    Thank you for your clarification! It was very helpful to clear my confusion on aws services as related to portscans.

    Thank you,

    Martin

  • AWS is not amazon alexa or anything. AWS is a web based service to rent services in the internet. Actually even Sophos rent services on AWS for Central. Most vendors do this but as a "scanner" or "attacker" you can easily rent a EC2 instance (a small server in aws), do your scan and release this instance within seconds. This is part of the magic of AWS. Do not mix this with Alexa or any server of amazon itself.

    __________________________________________________________________________________________________________________

  • in reply to LuCar Toni

    Thank you Toni,

    Yes, and I noticed these portscans tripled in the last week.

    Thank you,

    Martin

Unfiltered HTML