Bug ID 665639: Amazon EC2 Abuse Report upon a new deployment of BIG-IQ AMI instance

Last Modified: Dec 05, 2017

Bug Tracker

Affected Product:  See more info
BIG-IQ Platform(all modules)

Known Affected Versions:
5.2.0, 5.3.0, 5.4.0, 5.4.0 HF1, 5.4.0 HF2

Opened: May 19, 2017
Severity: 3-Major

Symptoms

Upon deploying a new BIG-IQ AMI instance and a successful login to the BIG-IQ web user interface, within minutes Amazon EC2 flags an abuse report about potential port scanning activities from the BIG-IQ instance to the client machine initiating the browser session.

Impact

The customer owning the EC2/AMI deployment of BIG-IQ will get an email with the Amazon EC2 Abuse Report.

Conditions

New BIG-IQ AMI instance deployed and running in EC2, with first successful login from an arbitrary client into the BIG-IQ web user interface, using an internet browser with websocket support (Firefox, Chrome, Safari, etc.). Even the idle user interface left untouched (without browsing BIG-IQ UI pages) would trigger the EC2 Abuse report.

Workaround

At this time there are no clear indications of illegal port scanning activities originated from the BIG-IQ AMI instance to the client machine initiating the BIG-IQ UI browser session. A current assumption is that Amazon EC2 may have some initial sensitivity for websocket-based browser connections, with a relatively high number of websocket frames being exchanged between a client browser and the BIG-IQ AMI instance, although the number of websocket ports involved in this traffic remains relatively low (below a dozen).

Fix Information

None

Behavior Change