Lab 1.3 - AWS VPC Flow Log Analysis
Analyzed 173K VPC flow records across 579 log files: isolated 33,232 attacker flows from 20.106.124.93, determined a 6.5-hour attack window, quantified 265MB exfiltrated on port 8889 and 190MB on port 80, and confirmed the full attack surface (HTTP, SSH, 8889) using PCAP-to-NetFlow conversion with nfpcapd/nfdump.
Commands
1. List and identify VPC flow log files
Counted the files in the log directory: 579 gzip-compressed VPC flow log files. Ran file on one of them to confirm it is gzip compressed data with an original (uncompressed) size of about 32KB. The "from FAT filesystem" note in file's output only reflects the OS byte in the gzip header and says nothing about where the logs came from.
ls /sec401/labs/1.3/20230928/ | wc -l
file /sec401/labs/1.3/20230928/2226771286B0_vpcflowlogs_us-east-2_fl-0272f42338e6eeaaf_20230928T23552_e92fb168.log.gz
2. Inspect flow log format and sample records
Decompressed one log file with zcat and piped it to head -4 to see the header line and the first three records. This custom VPC flow log format has 20 space-separated fields: version, region, account-id, instance-id, interface-id, type, srcaddr, dstaddr, srcport, dstport, protocol, bytes, packets, tcp-flags, start, end, action, log-status, flow-direction, traffic-path. The column numbers used by the sort and awk commands below (srcport 9, dstport 10, bytes 12, start 15, end 16) come from this header and must be rechecked if the flow log format is ever changed. The first records showed traffic from 35.203.211.65 being REJECTed and traffic from 10.130.8.94 being ACCEPTed.
zcat /sec401/labs/1.3/20230928/2226771286B0_vpcflowlogs_us-east-2_fl-0272f42338e6eeaaf_20230928T23552_e92fb168.log.gz | head -4
3. Count total flow records
Decompressed all 579 log files and counted the lines: 173,198. Each file begins with its own header line, so the number of actual flow records is 579 lower (172,619). The header lines do not affect the attacker-IP search below, but they would skew any whole-corpus awk sums unless skipped.
zcat /sec401/labs/1.3/20230928/*log.gz | wc -l
4. Extract attacker flows
Used zgrep to search all compressed log files for the known attacker IP (20.106.124.93) and redirected the matches to attacker-flows.log, with --no-filename so the output stays in the flow log format. The match is deliberately unanchored to a column: it captures records where the attacker is either srcaddr or dstaddr, which is what the byte counts below need. -F treats the dots as literal characters rather than regex wildcards, and -w prevents a partial match inside a longer address. Result: 33,232 flow records involving the attacker.
zgrep --no-filename -Fw 20.106.124.93 /sec401/labs/1.3/20230928/*log.gz > /sec401/labs/1.3/attacker-flows.log
wc -l /sec401/labs/1.3/attacker-flows.log
5. Determine attack timeframe
Sorted the attacker flows numerically by the start-time epoch field (column 15) and took the first and last lines to get the earliest and latest start timestamps, then converted each epoch with date (-u so the output is UTC rather than the VM's local zone). The attack ran from Sep 28, 2023 17:22:35 UTC to 23:59:05 UTC, roughly 6.5 hours. Two caveats: the tail -1 line gives the start of the latest flow, not its end, so sorting on the end field (column 16) bounds the last activity more precisely; and the latest timestamp sits at the very end of this day's log directory, so the activity may well continue into the next day's files.
sort -nk 15 /sec401/labs/1.3/attacker-flows.log | head -1
date -u -d @1695921755
sort -nk 15 /sec401/labs/1.3/attacker-flows.log | tail -1
date -u -d @1695945545
6. Quantify data transfer by port
Used awk to select attacker flows by port and sum the bytes field (column 12). The first command keeps records whose destination port (column 10) is 8889, i.e. traffic from the compromised host to port 8889 on the attacker: 265,183,813 bytes (~265MB). The second keeps records whose source port (column 9) is 80, i.e. bytes the web server sent back to the attacker: 190,703,527 bytes (~190MB). The two commands filter on different columns because port 8889 is on the attacker's side of the connection while port 80 is on the victim's; in both cases the records counted are the ones carrying data toward the attacker. The high outbound volume on port 8889, a port with no registered service, is a strong indicator of data exfiltration over a non-standard port.
awk '$10 == "8889" {sum += $12} END {print "Total bytes transferred: " sum}' attacker-flows.log
awk '$9 == "80" {sum += $12} END {print "Total bytes transferred: " sum}' attacker-flows.log
7. Convert PCAP to NetFlow with nfpcapd
Used nfpcapd to convert investigate.pcap from Lab 1.2 into nfdump's flow file format, writing the output to the exported-netflow/ directory. This turns the packet capture into flow records comparable to the VPC flow logs, so the same traffic can be analysed with NetFlow tools and correlated with the findings above.
nfpcapd -r /sec401/labs/1.2/investigate.pcap -w exported-netflow/
8. Analyze NetFlow with nfdump
Dumped the converted NetFlow data to a text file and opened it. The output shows Date first seen, Duration, Proto, Src/Dst IP:Port, Packets, Bytes, and Flows columns. This structured format makes it easy to filter and correlate with VPC flow log findings.
nfdump -R exported-netflow/ > pcap-derived-netflow.txt
9. Filter NetFlow for attacker on port 80
Filtered the PCAP-derived NetFlow for the attacker IP on port 80. Confirmed HTTP traffic: 20.106.124.93:51278 to 10.130.8.94:80, matching the WordPress brute-force activity found in Labs 1.1 and 1.2.
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt | grep 20.106.124.93 | head -2
10. Filter for attacker SSH traffic
Excluded port 80 and filtered for remaining attacker flows. Found SSH connections on port 22 from 20.106.124.93:38504 to 10.130.8.94:22, indicating the attacker also accessed the server via SSH.
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt | grep 20.106.124.93 | grep -v :80 | head -2
11. Identify non-standard port activity
Excluded ports 80 and 22, revealing traffic on port 8889: 20.106.124.93:8889 to 10.130.8.94:36072. Port 8889 is not a well-known service (confirmed via /etc/services), making this a likely data exfiltration channel consistent with the 265MB volume found in VPC flow logs.
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt | grep 20.106.124.93 | grep -v :80 | grep -v :22 | head -2
12. Confirm complete attack surface
Excluded all three known ports (80, 22, 8889) from attacker flows. Empty result confirmed the attacker used only these three services: HTTP for the initial brute-force, SSH for interactive access, and port 8889 for data exfiltration.
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt | grep 20.106.124.93 | grep -v :80 | grep -v :22 | grep -v :8889 | head -2
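The awk and sort commands in steps 4 to 6 hard-code column numbers taken from the header in step 2, and step 12 enumerated the attacker's ports only against the PCAP-derived NetFlow. The script below is an added example, not part of the lab or its tooling: it reads VPC flow log text (plain or .gz), maps columns from each file's header line instead of fixed positions, skips the repeated headers that appear when files are concatenated, and for one attacker IP reports the time window (closing it on the end field rather than start), bytes per service port in each direction (the to_attacker totals for 8889 and 80 are what the two awk commands in step 6 compute), and every port the attacker touched from the VPC side. The sample records in SAMPLE_LOG are constructed, not real lab data; the account and instance IDs, the file name in the usage comment, and the "lower port is the service port" heuristic are assumptions.

```python
# Header-driven VPC flow log analysis. Added example, not part of the lab; the
# sample records are constructed and the account/instance IDs are placeholders.
import gzip
import sys
from collections import defaultdict
from datetime import datetime, timezone

# The same 20-field custom format the lab's files use (header shown in step 2).
HEADER = ("version region account-id instance-id interface-id type srcaddr "
          "dstaddr srcport dstport protocol bytes packets tcp-flags start end "
          "action log-status flow-direction traffic-path")

SAMPLE_LOG = "\n".join([
    HEADER,
    # attacker -> web server, then the server's reply (srcport 80)
    "5 us-east-2 123456789012 i-0example eni-0example IPv4 20.106.124.93 10.130.8.94 51278 80 6 1200 10 2 1695921755 1695921760 ACCEPT OK ingress -",
    "5 us-east-2 123456789012 i-0example eni-0example IPv4 10.130.8.94 20.106.124.93 80 51278 6 50000 40 18 1695921755 1695921760 ACCEPT OK egress 8",
    # attacker -> SSH
    "5 us-east-2 123456789012 i-0example eni-0example IPv4 20.106.124.93 10.130.8.94 38504 22 6 3000 20 2 1695930000 1695930100 ACCEPT OK ingress -",
    # victim -> attacker's listener on 8889 (the exfiltration direction)
    "5 us-east-2 123456789012 i-0example eni-0example IPv4 10.130.8.94 20.106.124.93 36072 8889 6 265000 200 18 1695940000 1695945545 ACCEPT OK egress 8",
    # unrelated scanner, REJECTed: must not be counted against the attacker
    "5 us-east-2 123456789012 i-0example eni-0example IPv4 35.203.211.65 10.130.8.94 44444 23 6 60 1 2 1695920000 1695920010 REJECT OK ingress -",
]) + "\n"

def parse_flow_log(text):
    """Yield one dict per record, naming fields from the header line.

    A header starts with the literal word 'version'. Concatenated files (as from
    zcat *.gz) contain one header per file, so every header is read and skipped.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        vals = line.split()
        if not vals:
            continue
        if vals[0] == "version":
            fields = vals
            continue
        if fields is None:
            raise ValueError("record before any header line")
        if len(vals) != len(fields):
            raise ValueError(f"line {lineno}: {len(vals)} fields, header has {len(fields)}")
        yield dict(zip(fields, vals))

def load_flow_logs(paths):
    """Read many log files (gzip or plain text) as one stream of records."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt") as fh:
            yield from parse_flow_log(fh.read())

def analyze_attacker(records, attacker):
    """Summarise every record in which `attacker` is srcaddr or dstaddr."""
    flows, first, last = 0, None, None
    by_port = {"to_attacker": defaultdict(int), "from_attacker": defaultdict(int)}
    for r in records:
        if attacker not in (r["srcaddr"], r["dstaddr"]):
            continue
        flows += 1
        start, end = int(r["start"]), int(r["end"])
        first = start if first is None else min(first, start)
        last = end if last is None else max(last, end)  # close the window on end, not start
        # Assumption: client ports are ephemeral and high, so the lower port of
        # the pair is the service port (8889 sits on the attacker's side, 80 and
        # 22 on the victim's). Bytes are keyed by that port and by direction.
        svc_port = min(int(r["srcport"]), int(r["dstport"]))
        direction = "to_attacker" if r["dstaddr"] == attacker else "from_attacker"
        by_port[direction][svc_port] += int(r["bytes"])
    return {
        "flows": flows, "first": first, "last": last,
        "to_attacker": dict(by_port["to_attacker"]),
        "from_attacker": dict(by_port["from_attacker"]),
        "ports": sorted(set(by_port["to_attacker"]) | set(by_port["from_attacker"])),
    }

def fmt_utc(epoch):
    """Equivalent of `date -u -d @epoch`."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def report(s):
    hours = (s["last"] - s["first"]) / 3600
    print(f"{s['flows']} attacker flows, {fmt_utc(s['first'])} to {fmt_utc(s['last'])} ({hours:.1f} h)")
    for direction in ("to_attacker", "from_attacker"):
        for port, nbytes in sorted(s[direction].items()):
            print(f"  {direction:13} port {port:5} {nbytes:>12,} bytes")
    print("  ports touched:", s["ports"])

if __name__ == "__main__":
    # python3 vpc_flow_summary.py 20.106.124.93 /sec401/labs/1.3/20230928/*.log.gz
    # With no file arguments, the embedded constructed sample is analysed instead.
    if len(sys.argv) > 2:
        records, attacker = load_flow_logs(sys.argv[2:]), sys.argv[1]
    else:
        records, attacker = parse_flow_log(SAMPLE_LOG), "20.106.124.93"
    report(analyze_attacker(records, attacker))
```

Run against the real directory, the ports list is the VPC-side equivalent of step 12's exclusion chain: any port beyond 22, 80 and 8889 would appear there even if it never made it into the PCAP. The service-port heuristic is only that; a listener on a high port would be misreported, so check anything unexpected against the raw records.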
Key Findings
- 579 compressed VPC flow log files, 173,198 lines (one header line per file, so 172,619 flow records)
- 33,232 flows from attacker IP 20.106.124.93 (~19% of all traffic)
- Attack window: Sep 28, 2023 5:22 PM to 11:59 PM UTC (~6.5 hours)
- Port 8889: 265MB sent from the victim to the attacker (data exfiltration via non-standard port)
- Port 80: 190MB sent by the web server to the attacker (HTTP brute-force and web access)
- Port 22: SSH access confirmed via NetFlow correlation
- No additional attacker ports found in the PCAP-derived NetFlow, so the enumerated attack surface is complete for the captured traffic
Security Controls
- Enable VPC Flow Logs on all subnets and ENIs
- Alert on high-volume outbound traffic to non-standard ports
- Network ACLs restricting egress to approved ports only
- Security group rules limiting SSH access to known IPs
- GuardDuty for automated anomaly detection on flow data
- Centralized log aggregation (CloudWatch, S3, SIEM)