
I just implemented AWS X-Ray on my web application. But I noticed traces for domains that are not mine. How can this happen?


These are not my websites ... how can their traces enter my account?

After further checks, it seems like this particular IP did hit my server from what I can see in the NGINX logs ... but now I am just wondering why? Did someone point his DNS/hosts file to my IP address or something?


Jiew Meng

  • Are you sure those requests did not reach your servers? (you can specify any `Host` in the request). – zerkms Jul 01 '18 at 03:13
  • @zerkms, I updated my post. It appears these requests did hit my NGINX but now I am just wondering why? Is it some bot just trying to hack into the server or something like that? – Jiew Meng Jul 01 '18 at 03:27
  • You don't even need to change DNS - you just query against an IP address and put a particular value in the `Host` header. Who knows why they did it. It's also possible it was DNS misconfiguration somewhere, but there is no way to find it out. – zerkms Jul 01 '18 at 03:28
  • @zerkms, I guess this is quite common? In that case, how can I only allow traffic to my site if it's going through the expected domain? Or what's the best way to prevent such unnecessary traffic? – Jiew Meng Jul 01 '18 at 03:30
  • For nginx it would be https://stackoverflow.com/q/47237633/251311 or https://serverfault.com/q/708446/45086 – zerkms Jul 01 '18 at 03:48
  • Or if you're using an Application Load Balancer, https://serverfault.com/a/918342/153161 – Michael - sqlbot Jul 01 '18 at 04:08
  • @zerkms thank you. You can add these as answers and I will close this – Jiew Meng Jul 01 '18 at 04:32
  • As @zerkms said, if requests hit your server with a random Host header then the X-Ray SDK may generate segments with a name containing the Host header. However, if you specify the default segment name when initializing the SDK then this behavior can be overridden. Can you please tell which language X-Ray SDK and version you are using? – Rohit Banga Jul 01 '18 at 17:12

1 Answer

As we have found in the comments:

  1. Those requests reached your servers - hence they are in AWS X-Ray.

  2. It's not possible to find out why it happened: it could be malicious requests, where somebody deliberately connected to your IP addresses and specified an arbitrary Host header; or it could be misconfigured DNS somewhere. Either way - it's not possible to know.

  3. It's possible to restrict your webserver or load balancer to only accept requests for the hostnames you care about, see:

zerkms
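As an added example (not part of zerkms's answer or the linked posts), this is the nginx shape of point 3: a catch-all `default_server` block silently drops any request whose `Host` header does not match a hostname you serve, so stray or spoofed-Host traffic never reaches the application or the X-Ray SDK. The hostnames `example.com`/`www.example.com` and the upstream `127.0.0.1:8080` are assumed values.

```nginx
# Catch-all: nginx picks the default_server for any request whose Host
# header matches no server_name below (including a bare IP or random domain).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;          # placeholder name that never matches a real host
    return 444;             # nginx-specific: close the connection, send nothing
    access_log /var/log/nginx/unknown-host.log;  # keep these hits visible for review
}

# Only requests for hostnames you actually serve reach the application.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;      # assumed hostnames

    location / {
        proxy_pass http://127.0.0.1:8080;         # assumed upstream
        proxy_set_header Host $host;
    }
}

# For HTTPS the catch-all block also needs `listen 443 ssl default_server;`
# and a certificate, because nginx can only read Host/SNI after the TLS
# handshake; without it, unknown-host HTTPS requests fall into your
# first TLS server block instead of being dropped.
```

Logging the dropped requests separately keeps the IP and Host values available for investigation without letting them generate X-Ray segments.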