Why did I receive a GuardDuty Denial of Service (DoS) finding type for my Amazon EC2 instance?


I want to troubleshoot a Denial of Service (DoS) finding that Amazon GuardDuty detected for my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

The Backdoor:EC2/DenialOfService finding family (Backdoor:EC2/DenialOfService.Tcp, .Udp, .Dns, .UdpOnTcpPorts, and .UnusualProtocol) indicates that an Amazon EC2 instance in your account is sending an unusually large volume of outbound traffic to a remote host in a way that is consistent with the instance performing a Denial of Service (DoS) attack. The instance is the source of the traffic, not its target. If you don't expect this behavior (for example, from a load-testing tool that you run yourself), then treat the instance as potentially compromised.

Note: GuardDuty generates this finding only for DoS traffic that is directed at publicly routable IP addresses. Floods that target private addresses inside your VPCs aren't reported by this finding type.

For more information, see Backdoor:EC2/DenialOfService.Tcp.

Resolution

Follow the steps in Remediating a potentially compromised Amazon EC2 instance in the GuardDuty User Guide: identify the affected instance from the Resource section of the finding and the remote host from its Action section, isolate the instance (for example, by replacing its security groups with a group that has no rules) so that the traffic stops but the instance remains available for investigation, investigate how it was compromised, and then terminate it and replace it with a new instance built from a known-good image rather than trying to clean it in place.

For more information about the VPC Flow Logs and DNS logs that GuardDuty analyzes to produce this finding, see GuardDuty foundational data sources.
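The following is an added example, not AWS's code and not part of this article, showing how the remediation above can be wired into an automated response: a function that parses the finding (the fields used, resource.instanceDetails.instanceId and service.action.networkConnectionAction, are the ones GuardDuty documents), an EventBridge pattern that matches only this finding family, and a quarantine step that swaps the instance's security groups through the EC2 API. The sample finding and the account, instance and IP values in it, the quarantine security group ID, and the DryRunEc2 stand-in for the boto3 client are all constructed for the example.

```python
"""Triage a GuardDuty Backdoor:EC2/DenialOfService.* finding and quarantine the
source instance. Added example, not AWS's own code. SAMPLE_FINDING is constructed
(fake account, instance and IP addresses) but follows the finding JSON layout that
`aws guardduty get-findings` returns and that the EventBridge event carries in
`detail`. QUARANTINE_SG is a placeholder for a security group with no rules."""
import ipaddress
from typing import Optional

DOS_PREFIX = "Backdoor:EC2/DenialOfService"
QUARANTINE_SG = "sg-0quarantine0000000"  # placeholder, assumed to exist

# EventBridge rule pattern that selects only this finding family (prefix match).
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
                 "detail": {"type": [{"prefix": DOS_PREFIX}]}}

# Non-public address space. GuardDuty raises this finding only for DoS traffic toward
# publicly routable hosts, so a remote IP in these ranges is unexpected and should go
# to a human rather than be auto-isolated.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL_NETS)


def triage_dos_finding(finding: dict) -> Optional[dict]:
    """Pull out what a responder needs; None for any other finding type."""
    if not finding.get("type", "").startswith(DOS_PREFIX):
        return None
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    net = finding["service"]["action"]["networkConnectionAction"]
    remote_ip = net.get("remoteIpDetails", {}).get("ipAddressV4", "")
    direction = net.get("connectionDirection")
    return {
        "finding_id": finding["id"],
        "finding_type": finding["type"],
        "instance_id": resource["instanceDetails"]["instanceId"],
        "protocol": net.get("protocol"),
        "direction": direction,
        "remote_ip": remote_ip,
        "remote_port": net.get("remotePortDetails", {}).get("port"),
        "event_count": finding["service"].get("count", 1),
        # Auto-isolate only for the case this finding documents: our instance is
        # the *source* of outbound traffic to a publicly routable host.
        "auto_isolate": (direction == "OUTBOUND" and bool(remote_ip)
                         and not is_internal_ip(remote_ip)),
    }


class DryRunEc2:
    """Records boto3-style calls instead of making them; pass boto3.client("ec2")
    in its place for a live response (the two methods have the same signatures)."""
    def __init__(self):
        self.calls = []

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))


def quarantine_instance(ec2, instance_id: str, finding_id: str,
                        quarantine_sg: str = QUARANTINE_SG) -> list:
    """Cut the instance off without terminating it, so disk and memory survive
    for forensics. Groups= replaces the security groups on the primary network
    interface; extra ENIs need modify_network_interface_attribute as well."""
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "GuardDutyFinding", "Value": finding_id},
                          {"Key": "Quarantined", "Value": "true"}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return [f"tagged {instance_id} with finding {finding_id}",
            f"replaced security groups of {instance_id} with {quarantine_sg}"]


def handle_event(event: dict, ec2) -> Optional[dict]:
    """Lambda-style entry point for a rule built from EVENT_PATTERN; the finding
    arrives in event["detail"]. Isolates only when triage says it is safe to."""
    triage = triage_dos_finding(event.get("detail", {}))
    if triage and triage["auto_isolate"]:
        triage["actions"] = quarantine_instance(ec2, triage["instance_id"],
                                                triage["finding_id"])
    return triage


# Constructed sample finding (fake values), shaped like a real one.
SAMPLE_FINDING = {
    "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
    "id": "8ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5", "severity": 8,
    "type": "Backdoor:EC2/DenialOfService.Tcp",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"count": 3, "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
            "connectionDirection": "OUTBOUND", "protocol": "TCP", "blocked": False,
            "localPortDetails": {"port": 39022, "portName": "Unknown"},
            "remotePortDetails": {"port": 80, "portName": "HTTP"},
            "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
}
```

To run it against a live account, pass boto3.client("ec2") instead of DryRunEc2() to handle_event; the function's IAM role then needs ec2:CreateTags and ec2:ModifyInstanceAttribute. Quarantining rather than terminating keeps the instance available for the investigation the remediation guide asks for, and the is_internal_ip check keeps the automation from acting on a finding that doesn't look like the documented case.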

Related information

Creating custom responses to GuardDuty findings with Amazon CloudWatch Events

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

AWS OFFICIAL, updated 4 months ago