Skip to main content

Port Scan leads to Automated IP Ban System

Hacking starts from vulnerability scanning done through nmap. We can prevent this from the start by blocking network bruteforce scanning. Automated IP Ban Architecture

1 Detection Layer

We will first establish the detection mechanisms. An automated response is only as good as its triggers.

1.1 Amazon GuardDuty with VPC FlowLogs

For internal threats or compromised instances scanning outwards, we use GuardDuty. We are specifically looking for the Impact:EC2/PortSweep finding type.

2 Automation

Next, we need to route these findings to our remediation logic. We use Amazon EventBridge to filter the noise and trigger our response workflow.

2.1 Eventbridge trigger pattern

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "type": ["Impact:EC2/PortSweep"],
    "resource": {
      "resourceType": ["Instance"]
    },
    "severity": [
      {
        "numeric": [">=", 4]
      }
    ]
  }
}

3 Remediation

GuardDuty findings are routed through EventBridge to trigger AWS Lambda, which updates AWS Network Firewall rules to block the offending source IP.

3.1 Why not NACL?

NACLs have a hard limit on the number of rules of default 20!

4 Conclusion

After writing this, I found this aws security blog article which says the same thing…RIP

References