Route Table Change

This alert occurs when Lacework detects a route table change.

Why this Alert is Important

A route table is one of the key components in networking: it determines the route that packets take in a network to reach a certain destination, and route table change alerts can be used to detect when that route changes. Sometimes such a change may indicate a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack, where an attacker might try to forward the network traffic to a malicious gateway, causing loss of availability.

Investigation

Analyze the logs to find any unauthorized route changes. If you have any WAFs (Web Application Firewalls), review the rules and modify the ones that increase exposure.

Resolution

Ensure that all allowed routes are documented and that these changes are made by authorized personnel.
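
One way to carry out the log review from Investigation against the documented routes and authorized personnel from Resolution. This is an added example, not Lacework's own code. It assumes the logs are AWS CloudTrail records in their JSON layout; the function review, the two allowlists, and every ARN and resource ID are hypothetical or constructed.

```python
# EC2 API calls that change route tables, as recorded in CloudTrail eventName.
ROUTE_EVENTS = {"CreateRoute", "ReplaceRoute", "DeleteRoute", "CreateRouteTable",
                "DeleteRouteTable", "AssociateRouteTable",
                "DisassociateRouteTable", "ReplaceRouteTableAssociation"}
# Request parameters that can name a route's next hop.
TARGET_KEYS = ("gatewayId", "natGatewayId", "transitGatewayId",
               "networkInterfaceId", "instanceId", "vpcPeeringConnectionId")
# Constructed allowlists: who may change routes, and which routes are documented.
AUTHORIZED = {"arn:aws:iam::111122223333:user/netops"}
DOCUMENTED = {("rtb-0aaa", "0.0.0.0/0", "igw-0aaa")}

def review(records, authorized=AUTHORIZED, documented=DOCUMENTED):
    """Return (time, event, principal, reasons) for each suspect route change."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or name not in ROUTE_EVENTS or rec.get("errorCode")):
            continue  # not a route table change, or the call failed
        params = rec.get("requestParameters") or {}
        principal = (rec.get("userIdentity") or {}).get("arn", "unknown")
        reasons = []
        if principal not in authorized:
            reasons.append("unauthorized principal")
        if name in ("CreateRoute", "ReplaceRoute"):
            hop = next((params[k] for k in TARGET_KEYS if params.get(k)), None)
            route = (params.get("routeTableId"), params.get("destinationCidrBlock"), hop)
            if route not in documented:
                reasons.append("undocumented route %s -> %s in %s" % (route[1], hop, route[0]))
        if reasons:
            findings.append((rec.get("eventTime"), name, principal, reasons))
    return findings

def _ev(time, name, user, **params):  # builds one constructed CloudTrail record
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
            "requestParameters": params}
# Constructed sample events, not real log data.
SAMPLE = [
    _ev("2024-01-01T10:00:00Z", "CreateRoute", "netops", routeTableId="rtb-0aaa",
        destinationCidrBlock="0.0.0.0/0", gatewayId="igw-0aaa"),
    _ev("2024-01-01T11:00:00Z", "ReplaceRoute", "netops", routeTableId="rtb-0aaa",
        destinationCidrBlock="0.0.0.0/0", networkInterfaceId="eni-0bbb"),
    _ev("2024-01-01T12:00:00Z", "DeleteRoute", "dev1", routeTableId="rtb-0aaa",
        destinationCidrBlock="10.0.0.0/16"),
    _ev("2024-01-01T13:00:00Z", "DescribeRouteTables", "dev1"),
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

On the sample, the default route repointed at a network interface is reported as undocumented even though an authorized user made it, and the deletion by dev1 is reported as an unauthorized change.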

https://attack.mitre.org/techniques/T1100/

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html