0

I have a website on AWS. Recently I decided to run a PHP function to keep track of where/who is requesting my website. I am getting a persistent request to my homepage from 3 private IP addresses. They are 20 seconds apart, and each one occurs every 30 seconds.
172.31.44.xxx
172.31.8.xxx
172.31.29.xx
How is a private IP requesting my website? I am not able to determine the source of the connection.
I am using this PHP code to get the IP.

if(!empty($_SERVER['HTTP_CLIENT_IP'])){
    $ip = $_SERVER['HTTP_CLIENT_IP'];
}elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
    $ip = $_SERVER['REMOTE_ADDR'];
}

Is there an error in my code to retrieve the IP properly? Or is there something else going on that I am not aware of? Let me know what you think,
thanks!
EDIT - PHP $_SERVER response from request

{
  "array": {
    "USER": "apache",
    "HOME": "/usr/share/httpd",
    "SCRIPT_NAME": "/index.php",
    "REQUEST_URI": "/",
    "QUERY_STRING": "",
    "REQUEST_METHOD": "GET",
    "SERVER_PROTOCOL": "HTTP/1.1",
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REMOTE_PORT": "29208",
    "SCRIPT_FILENAME": "/var/www/html/index.php",
    "SERVER_ADMIN": "root@localhost",
    "CONTEXT_DOCUMENT_ROOT": "/var/www/html",
    "CONTEXT_PREFIX": "",
    "REQUEST_SCHEME": "http",
    "DOCUMENT_ROOT": "/var/www/html",
    "REMOTE_ADDR": "172.31.29.19",
    "SERVER_PORT": "80",
    "SERVER_ADDR": "172.31.22.151",
    "SERVER_NAME": "172.31.22.151",
    "SERVER_SOFTWARE": "Apache/2.4.46 ()",
    "SERVER_SIGNATURE": "",
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
    "HTTP_ACCEPT_ENCODING": "gzip, compressed",
    "HTTP_USER_AGENT": "ELB-HealthChecker/2.0",
    "HTTP_CONNECTION": "close",
    "HTTP_HOST": "172.31.22.151",
    "proxy-nokeepalive": "1",
    "UNIQUE_ID": "X@7byXAPCfpNYTyp8Hv5xAAAAAQ",
    "FCGI_ROLE": "RESPONDER",
    "PHP_SELF": "/index.php",
    "REQUEST_TIME_FLOAT": 1609489353.920435,
    "REQUEST_TIME": 1609489353
  }
}

3 Answers

1

172.31.0.0/16 is the CIDR of the default VPC, as you can see below, so these requests come from inside your VPC. This is why a private IP can request your website.
https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html

As you can see from your request, you have "HTTP_USER_AGENT": "ELB-HealthChecker/2.0", which means it comes from an ELB health check. You can read more about ALB health checks at the link below:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html

Azize
0

Instead of writing your own code to track who is requesting your website, you can consider using the X-Forwarded-For header in ELB to capture your client IP address.

This tutorial may help you. This discussion also may help.

Teddy Aryono
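An added example, not part of any answer on this page: one way to resolve the client address behind the load balancer in PHP, honouring X-Forwarded-For only when the connecting peer is inside the 172.31.0.0/16 VPC range and flagging ELB health checks by their user agent. The function names, the trusted-range constant and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or answers. Assumption: the load
// balancer nodes live in the default-VPC range 172.31.0.0/16 named on this page.
const TRUSTED_PROXY_CIDRS = ['172.31.0.0/16'];

// True when IPv4 $ip falls inside $cidr (hypothetical helper).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) return false;
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Takes a $_SERVER-style array, returns ['ip' => string, 'health_check' => bool].
function resolve_client(array $server): array {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // Peer is not our load balancer: forwarding headers are client-controlled.
    if (!is_trusted_proxy($peer)) return ['ip' => $peer, 'health_check' => false];
    // Health checks (see the dump in the question) carry no X-Forwarded-For.
    if ($xff === '') {
        return ['ip' => $peer, 'health_check' => strpos($ua, 'ELB-HealthChecker/') === 0];
    }
    // The load balancer appends the address it saw, so read right to left and
    // stop at the first hop that is not one of our own proxies.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) break; // malformed: stop trusting the chain
        if (!is_trusted_proxy($hop)) return ['ip' => $hop, 'health_check' => false];
    }
    return ['ip' => $peer, 'health_check' => false];
}

// Constructed samples; the first mirrors the health-check request in the question.
$samples = [
    ['REMOTE_ADDR' => '172.31.29.19', 'HTTP_USER_AGENT' => 'ELB-HealthChecker/2.0'],
    ['REMOTE_ADDR' => '172.31.29.19', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'],
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'],
];
foreach ($samples as $s) echo json_encode(resolve_client($s)), PHP_EOL;
```

Filtering on the `health_check` flag keeps the 30-second probes out of the visitor log, and the third sample shows that a request reaching the instance without passing the load balancer gets its socket address recorded rather than whatever header it sent.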
0

A typical ec2 machine in AWS would be located in the AWS public network (within an availability zone within a region). Facing the outside world (outside AWS), there are external/global IP addresses that AWS owns and can be assigned to an interface of your ec2 machine. However, internally within AWS, your machine and others are in subnets with private IP addresses like 172.31.xx.yy.

You can verify this by ssh'ing into your ec2 machine and doing an ifconfig. With a basic network configuration, you may see eth0 with inet address 172.31.xx.yy, and lo (loopback). Hence, it is not surprising that you're getting requests from 172.31.yy.zz - these are coming from inside the AWS cloud.

How about your public IP address? That just gets associated with your ec2 machine through AWS configuration (you can change the assignment to a different IP address at any time), and AWS has NAT/NAPT technology to do the mapping between internal and external IP addresses.

If you still wish to prevent such requests from other internal machines, you may wish to consider AWS Virtual Private Cloud (VPC), which allows your ec2 machine(s) to be off by themselves in a logically isolated cloud, isolating your machine(s) from those pesky requests from other internal machines. I think there is no extra charge for the use of VPC. Once, a client requested it, and that's how we found out about it. Turns out, we could easily set it up in minutes.

auspicious99