Investigating blocked ingress spikes
Things to look at while investigating a spike in blocked access:
- Is the spike isolation to that application? If there is an attack it could be either cluster wide or specifically targeted at a single app.
- Is the ingress using modsec?
- Access denied with code 406 in the last 24 hours. Not every user uses the custom
406
status so this is not a catch all solution. - Are there any suspect logs in the namespace?
- Is there a wider impact on the platform?
- Has the cluster scaled up due to extra resource usage?
- Are there more 4xx/5xx errors than usual?
- Are we seeing ingress related alarms in #lower-priority-alarms
- Note any suspicious IP addresses.
- Has modsec been misconfigured? Further information can be found here
Communication
It’s important to clearly and efficiently communicate between the Cloud Platform team and user. It may be required to call an incident. Where possible keep a record of findings as either part of the a Slack thread or Google document.
Further issues can be raised in the Cloud Platform issue tracker.
Other Links
This page was last reviewed on 28 August 2024.
It needs to be reviewed again on 28 February 2025
by the page owner #cloud-platform
.
This page was set to be reviewed before 28 February 2025
by the page owner #cloud-platform.
This might mean the content is out of date.