Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IQ Platform
Known Affected Versions:
5.2.0, 5.3.0, 5.4.0
Opened: May 19, 2017
Severity: 3-Major
Within minutes of deploying a new BIG-IQ AMI instance and successfully logging in to the BIG-IQ web user interface, Amazon EC2 raises an abuse report about potential port scanning activity from the BIG-IQ instance to the client machine that initiated the browser session.
The customer owning the EC2/AMI deployment of BIG-IQ will get an email with the Amazon EC2 Abuse Report.
A new BIG-IQ AMI instance is deployed and running in EC2, and an arbitrary client makes the first successful login to the BIG-IQ web user interface using an internet browser with websocket support (Firefox, Chrome, Safari, etc.). Even an idle user interface left untouched (without browsing BIG-IQ UI pages) triggers the EC2 Abuse Report.
At this time there are no clear indications of illegal port scanning activity originating from the BIG-IQ AMI instance toward the client machine that initiated the BIG-IQ UI browser session. The current assumption is that Amazon EC2 may have some initial sensitivity to websocket-based browser connections in which a relatively high number of websocket frames are exchanged between a client browser and the BIG-IQ AMI instance, although the number of websocket ports involved in this traffic remains relatively low (below a dozen).
None