Inbound Connection From a Bad External IP Address
This alert occurs when Lacework detects that a bad external IP address is connecting to one or more internal hosts.
Why this alert is important
The term "Bad IP address" typically refers to malicious activity by the owner of the address. Inbound connections from bad external IP addresses can signify a potential cyber attack, such as a port scan, a brute-force attack, or a phishing attempt. For example, an attacker may attempt to exploit a vulnerability in a network service by connecting to a specific port from a known bad IP address.
Investigation
The following guidance helps identify malicious traffic on your network:
- Continuously inspect the top hosts generating the highest traffic volume. In most cases, after malware infects a host, it will try to make an outbound connection back to a server. An attacker uses this connection to send commands to the infected host. The infected host may download more malware, scan the network for other hosts to infect, or exfiltrate data. These behaviors sometimes lead to ongoing traffic patterns that indicate a breach.
- Look for anomalies. In addition to checking hosts with these characteristics, network administrators should be aware of the usual traffic that flows through the network. If a host starts sending an abnormal amount of data, malware has infected the host and is performing unwanted actions. Monitor each host's connections, data transfer and connection counts, and inspect variations.
- Watch for "deny" entries in network firewall logs. An external host trying to connect to a blocked port multiple times could result from misconfiguration or an attacker.
- Check for traffic from desktops and laptops trying to connect to each other. Desktops and laptops on the network typically have no reason to connect to one another.
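The checks above (repeated "deny" entries from one external source, top external talkers by volume, workstation-to-workstation traffic, and an inbound connection from a known bad IP) written as a single pass over constructed firewall log lines. This is an added example, not Lacework's code; the key=value log format, the 10.0.0.0/8 internal range, the workstation inventory and the bad-IP list are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (not real traffic); the key=value layout is assumed.
LOG_LINES = """\
2024-05-01T10:00:01Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=443 bytes=1200
2024-05-01T10:00:02Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 bytes=0
2024-05-01T10:00:03Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389 bytes=0
2024-05-01T10:00:04Z action=deny src=203.0.113.7 dst=10.0.0.6 dport=22 bytes=0
2024-05-01T10:00:05Z action=allow src=198.51.100.9 dst=10.0.0.7 dport=80 bytes=500
2024-05-01T10:00:06Z action=allow src=10.0.0.5 dst=10.0.0.6 dport=445 bytes=300
2024-05-01T10:00:07Z action=allow src=192.0.2.44 dst=10.0.0.5 dport=443 bytes=90000
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
WORKSTATIONS = {"10.0.0.5", "10.0.0.6"}            # constructed desktop/laptop inventory
BAD_IPS = {"192.0.2.44"}                           # placeholder for the threat-intel list
DENY_THRESHOLD = 3                                 # blocked attempts before flagging a source

LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

def parse(text):
    # Yield one dict per well-formed line; malformed lines are skipped rather than raising.
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            action, src, dst, dport, nbytes = m.groups()
            yield {"action": action, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def analyse(events):
    """Return (findings, top external sources by allowed inbound bytes)."""
    findings, denies, volume = [], Counter(), Counter()
    for e in events:
        inbound = not is_internal(e["src"]) and is_internal(e["dst"])
        if inbound and e["src"] in BAD_IPS:
            findings.append(("bad_ip_inbound", e["src"], e["dst"], e["dport"]))
        if inbound and e["action"] == "deny":
            denies[e["src"]] += 1          # external host hitting blocked ports
        if inbound and e["action"] == "allow":
            volume[e["src"]] += e["bytes"]  # feeds the top-talker review
        if e["action"] == "allow" and e["src"] in WORKSTATIONS and e["dst"] in WORKSTATIONS:
            findings.append(("workstation_to_workstation", e["src"], e["dst"], e["dport"]))
    for src, n in denies.items():
        if n >= DENY_THRESHOLD:
            findings.append(("repeated_deny", src, n))
    return findings, volume.most_common(3)
```

Calling `analyse(parse(LOG_LINES))` on the sample returns three findings plus the top-talker list, which is the starting point for the manual review the steps above describe.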
Resolution
Follow these recommended steps to prevent inbound connections from a bad IP address:
- Regularly monitor top IP addresses that match one or more of the following patterns to make sure the traffic is legitimate:
  - The longest connections
  - The largest amount of data transfer
  - The most connections
- Monitor the connections, data transfer and total connections for individual hosts and inspect variations.
- Limit open ports. To maximize the number of blocked ports around critical hosts, break networks down into smaller networks (network segmentation). Route hosts that access private networks and critical systems from a network with broader rules through to networks with progressively more restricted access. When malware scans for open ports, correctly configured traffic logs will record the invalid access attempts.
- Configure network firewalls on the perimeter of networks to block unnecessary ports between internal and external networks and between network segments.
- Block access between individual hosts on the network by installing a host-based firewall. Create rules that only allow the specific access needed by each host.
- Monitor traffic sent to or from unexpected locations, abnormal network packet sizes, or improperly formed network requests.