EC2 instance requested a suspicious domain
Incident Management is now generally available! Incident Management is now generally available!
<  Back to rules search

EC2 instance requested a suspicious domain

route53

Classification:

attack

Set up the route53 integration.

Overview

Goal

Detect when a requested domain has a suspicious TLD.

Strategy

Inspect the Route 53 logs and determine if the TLD of the DNS question (@dns.question.name) matches one of the top 5 TLDs on Spamhaus’s Most Abused Top Level Domains list.

Triage and Response

  1. Determine which instance is associated with the DNS request.
  2. Determine whether the domain name which was requested (dns.question.name) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.