AWS Guard Duty reporting suspicious activity (DGA domain name queried by EC2 instance)

AnthonyRyanEQL · ‎07-24-2023

Hi there,

I have an AWS VPC with ALB, subnets, etc with ArcGIS Enterprise 11.1 setup comprising of Portal in HA, Hosting Server site with 2 x EC2s and Relational Data Store in Primary/Standby from 2 x EC2s for testing purposes.

A few days after I installed ArcGIS Server 11.1 and setup the server site, AWS Guard Duty detected some suspicious activity around querying algorithmically generated domains. The alert raised was 'EC2 instance i-xxxxxxxxxxxx is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.'

Has anybody seen this before and what did they do with it?

Thanks

MikeSchonlau · ‎07-25-2023

What are you doing for DNS? Route53? Another DNS host? Are you using Web Adaptors? We use Route53 domains with 3rd party SSL certs imported into AWS ACM. Those Route53 domains point to the ALB endpoint. We also use the ArcGIS Enterprise web adaptors as well. We have a very similar deployment to yours, but have never seen any GuardDuty warnings like yours. I'm wondering what is different about your deployment. That could help us troubleshoot your issue.

AnthonyRyanEQL · ‎07-25-2023

We have DNS and Route53. No web adaptors (no AD). Using certificates from our CA are loaded into Cert Manager/attached to ALB. Cert loaded into Portal, Server & Data store. Correct on Route 53 to the ALB endpoint.

It's weird that 2 DGA domain name were queried within 2 secs of each other and hasn't been detected since.

MikeSchonlau · ‎07-27-2023

This is the article I referred to a while back to help me understand why one would want to use the Web Adaptor AND a load balancer. Not sure if this helps your situation, but could be worth a look:

https://community.esri.com/t5/implementing-arcgis-blog/planning-load-balancer-configuration-for-high...