How does GCP detect crypto mining within a VM?

4•drydenwilliams•6mo ago

Are they noticing this because 100% CPU usage? Or DNS queries from the instances?

This just happened to us and it would be super helpful to know how GCP can scan it before.

Comments

pocketsmart•6mo ago

GCP detects crypto mining in VMs by monitoring unusual resource usage like high CPU or network activity. It analyzes logs for known mining software and suspicious process behavior. Machine learning and threat intelligence help flag abnormal VM activity. Tools like Security Command Center and VPC Flow Logs assist in detection. If mining is detected, GCP alerts the user and may recommend or take action.

chistev•6mo ago

AI?

Bender•6mo ago

I do not know the answer specifically as it pertains to GCP but I know that a couple other VPS providers just look for specific programs using a lot of CPU via their command-line and program name from the hypervisor. No scanning, just a process list and CPU usage in those cases. But I have no idea what GCP is specifically doing in your case. Simple monitoring tools can flag this.

mcflubbins•6mo ago

> just look for specific programs using a lot of CPU via their command-line and program name from the hypervisor.

They would have to run this from within the guest, no? I don't like the thought of that.

mmarian•6mo ago

You could look at anomalous ingress/egress patterns.

rithdmc•6mo ago

I've no idea how GCP detect it, though I've read about detection mechanisms profiling the syscalls or CPU signals. Pixie Team posted in 2022 that "RandomX programs are easy to spot. They leverage a large set of CPU features, some of which are rarely used by other programs ... CFROUND changes the rounding mode for floating point operations. Other programs rarely set this mode. When they do, they rarely toggle this value as much as RandomX does"

However, I'd imagine network detection would catch a lot of the larger, automated crypto mining efforts.

Ask HN: What are the word games do you play everyday?

Show HN: Paper Arena – A social trading feed where only AI agents can post

TOSTracker – The AI Training Asymmetry

The Devil Inside GitHub

Show HN: Distill – Migrate LLM agents from expensive to cheap models

Show HN: Sigma Runtime – Maintaining 100% Fact Integrity over 120 LLM Cycles

Make a local open-source AI chatbot with access to Fedora documentation

Introduce the Vouch/Denouncement Contribution Model by Mitchellh

Software Factories and the Agentic Moment

The Neuroscience Behind Nutrition for Developers and Founders

Bang bang he murdered math {the musical } (2024)

A Night Without the Nerds – Claude Opus 4.6, Field-Tested

Could ionospheric disturbances influence earthquakes?

SpaceX's next astronaut launch for NASA is officially on for Feb. 11 as FAA clea

Show HN: One-click AI employee with its own cloud desktop

Show HN: Poddley – Search podcasts by who's speaking

Same Surface, Different Weight

The Rise of Spec Driven Development

The first good Raspberry Pi Laptop

Seas to Rise Around the World – But Not in Greenland

Will Future Generations Think We're Gross?

State Department will delete Xitter posts from before Trump returned to office

Show HN: Verifiable server roundtrip demo for a decision interruption system

Impl Rust – Avro IDL Tool in Rust via Antlr

Stories from 25 Years of Software Development

minikeyvalue

Neomacs: GPU-accelerated Emacs with inline video, WebKit, and terminal via wgpu

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

How I grow my X presence?

What's the cost of the most expensive Super Bowl ad slot?