Summary:
It has come to my attention that AWS sometimes generates weird, unexplained traffic - when we first noticed it, it appeared to be mostly rDNS queries, but further investigation has shown it's far more than that. In fact - rDNS isn't even the typical traffic seen. We're seeing this from accounts/instances that have no resources which should be capable of generating said traffic, and it's frequently (but not always) 40 bytes of source traffic.
TL;DR: AWS generating weird 40-byte packets with no discernible cause/source/reason
EDIT: This appears to be due to a quirk in how AWS logs things. Jump to the end for more details.
Disclaimers:
This is a joint discovery with Alex Heacock, and he's basically done all the work on this, including coming up with the first and second versions of the "steps to reproduce", first and second version of the YAML file, and working with AWS Support to see if we can figure out what's going on. I have written and tested this final version of the "steps to reproduce" in my own personal AWS account and confirmed the behavior observed.
Disclaimer: I am a nobody. (Alex is smart though.) It could be we're missing something obvious, but the fact that it can be reproduced so easily and has no obvious explanation, seems somewhat concerning. Speculation has ranges from worst-case (AWS rootkit?) to the more benign (Athena logs pulling in traffic from other VPC resources on the same hardware?).
Prerequisites:
- AWS account
- Payment setup in AWS account
- Willingness to spend ~$32/month as long as you leave the stack up
Steps to reproduce:
- Login to AWS and go to CloudFormation
- Click "Create Stack"
- Set radio button: "Template is ready"
- Set radio button: "Upload a template file"
- Browse to "vpc_flow_log_test2.yml" (provided below)
- Click "Next"
- Stack name: "weird-aws-traffic-test" (or your preference)
- Click "Next"
- Check the box "I acknowledge that AWS CloudFormation might create IAM resources."
- Click "Submit"
- Refresh a few times to watch progress
- Go to Resources tab; confirm all show CREATE_COMPLETE with green/white checkmark/circle
- Open Athena
- Set radio button: "Query your data"
- Click "Launch query editor"
- If you don't have an s3 bucket with Athena setup already, follow steps 17-21. Otherwise, you might be able to continue at step 22.
- On the banner "Before you run your first query, you need to set up a query result location in Amazon S3." Click "Edit settings"
- Click "Browse S3"
- Click the radio button for the name that matches step 7 (like: weird-aws-traffic-test-vpcblahblah)
- Click "Choose"
- Click "Save"
- Click "Editor" tab again
- Paste query (provided below)
- Click "Run"
- If you don't see any traffic, wait an hour or two and try again.
- Repeat steps 24-25 until you see something. Odd traffic is "egress" though there's no resources spun up that should be generating. Appears to be DNS, possibly rDNS, considering it's port 53
- Done! It's like watching fish in an aquarium.
Steps to cleanup:
- Login to AWS and go to CloudFormation
- Click the radio button next to the stack you created
- Click "Delete"
- Click "Delete" again.
- Wait a few minutes; refresh the page to confirm deleted.
- Done!
