
nonMasqueradeCIDR DoS #1458

Closed
iterion opened this issue Jan 12, 2017 · 5 comments

Comments

@iterion
Contributor

iterion commented Jan 12, 2017

Running a cluster built from Kops we recently got a notification from AWS that they had believed a server was experiencing a DoS attack. The IP they gave was in the 100.96 nonMasqueradeCIDR that is used by kops by default.

Correct me if I'm wrong, but it seems that this CIDR is a public IP range. Perhaps we should choose a CIDR that is private to avoid this scary warning in the future?

I'm also just looking for some background on why the above CIDR was chosen.

@jkemp101

100.96 is in 10.64.0.0/10 and is reserved as described here https://tools.ietf.org/html/rfc6598#section-7. Still kind of a weird address space.

@iterion
Contributor Author

iterion commented Jan 12, 2017

Cool, thanks, I was unaware of that block.
It seems that AWS is maybe considering this as public. We'll follow up with them with the doc you linked and see what they have to say.

@iterion
Contributor Author

iterion commented Jan 12, 2017

Also, for more background, the IP was linked to an instance of Prometheus that we're using to scrape cluster metrics. It is pulling and pushing a lot of data on a single port which probably triggered the AWS alert.

@justinsb
Member

The IP range was chosen as the default because it is a weird one, but is reserved and big. 10.0.0.0/8 conflicts with EC2 classic. 172.16 conflicts with VPCs. 192.168 is pretty small.

I hope that someone at AWS is just confused... if you can DM me the message that would be super-helpful!
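The reasoning in the comment above (which reserved block an address falls in, how big each block is, and which existing CIDRs a candidate pod range would collide with) can be checked mechanically. The following is an added example, not kops code and not written by anyone in this thread; the pod IP `100.96.1.10` and the in-use CIDRs `10.0.0.0/16` and `172.20.0.0/16` are constructed sample values, and the function names are the example's own. It uses only the Python standard library's `ipaddress` module.

```python
import ipaddress

# Constructed reference table: the blocks discussed in the thread, each with the
# RFC that reserves it. 100.64.0.0/10 is RFC 6598 "Shared Address Space" for
# carrier-grade NAT; it is reserved and not globally routable, but it is not
# part of the RFC 1918 private ranges, which is why tools (and abuse desks)
# sometimes treat it as public.
RESERVED_BLOCKS = {
    ipaddress.ip_network("10.0.0.0/8"): "RFC 1918 private",
    ipaddress.ip_network("172.16.0.0/12"): "RFC 1918 private",
    ipaddress.ip_network("192.168.0.0/16"): "RFC 1918 private",
    ipaddress.ip_network("100.64.0.0/10"): "RFC 6598 shared address space",
}


def classify(ip: str) -> str:
    """Return the reserved block label an address belongs to, or a
    'globally routable' label if it is in none of the table's blocks."""
    addr = ipaddress.ip_address(ip)
    for net, label in RESERVED_BLOCKS.items():
        if addr in net:
            return label
    return "globally routable (not in RFC 1918 or RFC 6598 space)"


def block_sizes() -> dict:
    """Address count per block: the 'big vs. small' comparison in the thread."""
    return {str(net): net.num_addresses for net in RESERVED_BLOCKS}


def overlaps(candidate: str, in_use: list) -> list:
    """Return the in-use CIDRs that a candidate pod CIDR would collide with.
    Any non-empty result means the candidate cannot be routed unambiguously
    next to those networks."""
    cand = ipaddress.ip_network(candidate)
    return [c for c in in_use if cand.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    # Constructed pod IP inside kops' default 100.96.0.0/11 range.
    print(classify("100.96.1.10"))
    print(block_sizes())
    # Constructed CIDRs an operator might already have in use (one EC2-style
    # 10/8 subnet and one VPC in 172.16/12).
    in_use = ["10.0.0.0/16", "172.20.0.0/16"]
    for cand in ["10.244.0.0/16", "172.16.0.0/12", "100.64.0.0/10"]:
        print(cand, "collides with", overlaps(cand, in_use))
```

The table is explicit rather than relying on `ipaddress`'s `is_private` property because that property does not include 100.64.0.0/10 (an address there reports `is_private` False), so a naive "private or public?" check would mislabel exactly the range this issue is about.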

@iterion
Contributor Author

iterion commented Jan 12, 2017

Seems like AWS liked our answer! Thanks for all the info and quick response! TIL about 100.64/10

Hello,

Thanks for your response. Based off of the information you provided, we will resolve this case. Thank you for your attention to this matter. 

Regards,
EC2 Abuse Team
