more explained comment on why to use IP 169.254.169.254

Signed-off-by: Kapil Sharma <[email protected]>
falcosecurity · Apr 9, 2024 · 7bc50fb · 7bc50fb
1 parent a29607a
commit 7bc50fb
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/events/syscall/contact_cloud_metadata_service_from_container.go b/events/syscall/contact_cloud_metadata_service_from_container.go
@@ -29,7 +29,11 @@ var _ = events.Register(
 
 func ContactCloudMetadataServiceFromContainer(h events.Helper) error {
     if h.InContainer() {
-        //This event works on GCP, AWS, and Azure using the common link-local IP address 169.254.169.254.
+        // The IP address 169.254.169.254 is reserved for the Cloud Instance Metadata Service,
+        // a common endpoint used by cloud instances (GCP, AWS and Azure) to access
+        // metadata about the instance itself. Detecting attempts to communicate with this
+        // IP address from a container can indicate potential unauthorized access to
+        // sensitive cloud infrastructure metadata.
         cmd := exec.Command("timeout", "1s", "nc", "169.254.169.254", "80")
 
         if err := cmd.Run(); err != nil {