Received abuse warning from an Elastic IP, no instances match that IP. How can we track it down?

Question

Hello.  We recently received an abuse report saying an Elastic IP of ours was being used to send a malicious payload.  We do indeed have that IP, but it isn't mapped or associated with anything (perhaps it was at one point.  If so, it was before I was on the team).  We dug through everything we could to find any instance using this IP and found nothing.  No EC2 instances.  Nothing in load balancers.  I checked in every region, just in case.  Has anyone come across something similar?  If so, how did you track it down?  Can we find what might be using the IP?  We see the network interface mapped to it, but it's associated with a VPC used by a number of instances (none of which are the IP in the report).

Otherwise, if we can't find the IP being used anywhere, I'm assuming it's safe to just get rid of it, correct?  We do not currently have a dedicated AWS person, so any help is appreciated.  Thank you so much for any assistance you can provide.

Edit to add: Is it possible someone is spoofing the IP? The gateway says it was created in 2016 and I do not know the last time that IP was associated with an EC2 instance (if there's a way of finding that out).

Steve Kinsman · Answer

In the EC2 console, under "Elastic IPs" you can check if the EIP has an "Association ID".  If not then it isn't in use and should be deleted - you get charged for unused EIPS so BTW that would appear on your bill.  If it does have an Association ID you can also see the associated instance ID or NAT Gateway etc.

Received abuse warning from an Elastic IP, no instances match that IP. How can we track it down?

Add your answer

Relevant content