I have created a "black hole" that I update with IPs received from Portscan notifications. I have done this for the last two or three years. Recently, I noticed most of the IPs are coming from compute-1.amazonaws.com, i.e.,
Source IP address: 220.127.116.11 (ec2-54-92-255-12.compute-1.amazonaws.com)
I have Alexa at home. I noticed that as soon as I blacklist those IPs I receive more Portscan notifications. Then Alexa complains it has trouble connecting to the Internet.
I am wondering if this is related to Alexa services. Any thoughts?
I had forgotten. Alexa is not connected through Sophos. My modem has two IPs (Spectrum). So, I have created two networks. One is managed by Sophos, and the other one is managed by Ubiquiti. Alexa is connected to the other network.
Alexa Echo devices are not even part of any subnets managed by Sophos UTM, so my initial impression that these portscans were related to Alexa Amazon services may not be correct. However, it concerns me because the more IP ranges I enter in my "black hole", the more portscans I receive from compute-1.amazonaws.com. So, I thought maybe there is a different device in my Sophos home network. There are two of them: one is a Wyze camera and the other one is a Pumpspy. At this point, I wonder if these portscans from compute-1.amazonaws.com are just portscans or are related to/needed by my devices.
My personal experience with port scans from AWS is that they come from reputable companies that are "mapping" the Internet. Every time they scan, it comes from a different AWS IP, so trying whack-a-mole with a blackhole rule won't succeed. You might forward the portscan alert to firstname.lastname@example.org. You will want to include your time zone, the line from the Intrusion Prevention log related to the alert and a request to ask their customer to cease port scanning your IP.
Cheers - Bob
Thank you Bob,
Thank you for your clarification! It was very helpful in clearing up my confusion about AWS services as related to portscans.
AWS is not Amazon Alexa or anything. AWS is a web-based service to rent services on the Internet. Actually, even Sophos rents services on AWS for Central. Most vendors do this, but as a "scanner" or "attacker" you can easily rent an EC2 instance (a small server in AWS), do your scan and release this instance within seconds. This is part of the magic of AWS. Do not mix this up with Alexa or any server of Amazon itself.
Thank you Toni,
Yes, and I noticed these portscans tripled in the last week.
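
An added example, not part of the original thread: it replays portscan alerts in order against a per-IP blackhole that grows after each alert, to measure how often a scan source actually repeats (the whack-a-mole point made above). The alert lines are constructed in the `Source IP address:` format quoted in the first post, using documentation-range IPs, and the function names are hypothetical.

```python
import re

# Constructed sample alerts in the "Source IP address: <ip> (<ptr>)" shape
# quoted in the thread. IPs are documentation ranges, not real scanners.
ALERTS = [
    "Source IP address: 198.51.100.12 (ec2-198-51-100-12.compute-1.amazonaws.com)",
    "Source IP address: 198.51.100.77 (ec2-198-51-100-77.compute-1.amazonaws.com)",
    "Source IP address: 203.0.113.5 (ec2-203-0-113-5.compute-1.amazonaws.com)",
    "Source IP address: 198.51.100.12 (ec2-198-51-100-12.compute-1.amazonaws.com)",
    "Source IP address: 192.0.2.40 (host40.example.net)",
    "Source IP address: 203.0.113.9 (ec2-203-0-113-9.us-west-2.compute.amazonaws.com)",
]

# The closing parenthesis is optional because alerts are often pasted truncated.
ALERT_RE = re.compile(r"Source IP address:\s*(\d+(?:\.\d+){3})\s*\(([^)\s]+)\)?")
# EC2 public reverse-DNS names embed the address: ec2-a-b-c-d.<zone>.amazonaws.com
EC2_PTR_RE = re.compile(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.([a-z0-9.-]+)\.amazonaws\.com$")

def parse_alert(line):
    """Return (source_ip, ptr_name) from an alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None

def ec2_zone(ip, ptr):
    """Return the EC2 zone label if the PTR is an EC2 name that agrees with the IP."""
    m = EC2_PTR_RE.match(ptr.lower())
    if not m:
        return None
    embedded = ".".join(m.groups()[:4])
    return m.group(5) if embedded == ip else None

def replay(lines):
    """Count alerts that a blackhole built from earlier alerts would already cover."""
    blackhole, stats = set(), {"alerts": 0, "ec2": 0, "already_blocked": 0}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ip, ptr = parsed
        stats["alerts"] += 1
        if ec2_zone(ip, ptr):
            stats["ec2"] += 1
        if ip in blackhole:
            stats["already_blocked"] += 1
        blackhole.add(ip)
    stats["blackhole_size"] = len(blackhole)
    return stats

if __name__ == "__main__":
    print(replay(ALERTS))
```

A low `already_blocked` count next to a growing `blackhole_size` means the list is accumulating addresses that rarely come back.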