Snort mailing list archives
Re: Akamai X Forwarding Proxy as Attack Vector
From: Martin Holste <mcholste () gmail com>
Date: Thu, 28 Apr 2011 09:09:07 -0500
Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 123.456.789.101
Akamai runs an open proxy? Can you show what the attacker would do to run their requests through Akamai? This is indeed cause for concern!
I believe attackers are using Akamai's proxy in the hopes that any alerts generated will be ignored due to the large amount of false positives caused by Akamai's legitimate activity. There is also a chance that some people have simply whitelisted traffic from Akamai.
Absolutely. I'm sure many have used a BPF to ignore Akamai traffic entirely as it is a huge load on sensors.
Would it be beneficial to create a snort sig to detect X Forwarded from Akamai as 'Likely Hostile Traffic'?
Maybe, how often do you see this?
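An alternative to ignoring relay traffic with a BPF, as an added example that is not part of the original thread: re-attribute each alert to the forwarded client using the headers quoted above. The function names, the sample requests and all addresses are constructed, and the code assumes the relay appends the peer it saw as the last X-Forwarded-For entry, the usual proxy convention.

```python
import ipaddress

def parse_headers(raw_request):
    """Return {lower-case header name: [values]} from a raw HTTP request head."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:              # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def via_akamai(headers):
    """True when the request carries the relay markers quoted in the thread."""
    via = " ".join(headers.get("via", [])).lower()
    return "akamaighost" in via or "akamai-origin-hop" in headers

def last_forwarded(headers):
    """Return (entry, is_valid_ip) for the last X-Forwarded-For entry, or (None, False)."""
    entries = [e.strip() for v in headers.get("x-forwarded-for", [])
               for e in v.split(",") if e.strip()]
    if not entries:
        return None, False
    try:
        return str(ipaddress.ip_address(entries[-1])), True
    except ValueError:
        return entries[-1], False

def attribute(raw_request, sensor_src):
    """Pick the address an alert should be pinned on; flag relayed requests
    whose forwarded entry is missing or malformed instead of dropping them."""
    headers = parse_headers(raw_request)
    if not via_akamai(headers):
        return {"relayed": False, "client": sensor_src, "review": False}
    entry, ok = last_forwarded(headers)
    # Assumption: only the last entry was written by the relay; earlier
    # entries are sender-controlled and are not used for attribution.
    return {"relayed": True, "client": entry if ok else sensor_src, "review": not ok}

def build(extra):
    """Constructed sample request; `extra` holds additional header lines."""
    return "GET / HTTP/1.1\r\nHost: www.example.com\r\n" + extra + "\r\n"

RELAY = "Akamai-Origin-Hop: 1\r\nVia: 1.1 akamai.net(ghost) (AkamaiGHost)\r\n"
SAMPLE_RELAYED = build(RELAY + "X-Forwarded-For: 198.51.100.7, 203.0.113.9\r\n")
SAMPLE_THREAD = build(RELAY + "X-Forwarded-For: 123.456.789.101\r\n")  # value as posted
SAMPLE_DIRECT = build("")
EDGE = "192.0.2.10"   # constructed stand-in for the source address the sensor saw
```

The value as posted in the thread is not a valid IPv4 address, so that request stays attributed to the sensor-visible source and is marked for review.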
Current thread:
- Akamai X Forwarding Proxy as Attack Vector jack mort (Apr 28)
- Re: Akamai X Forwarding Proxy as Attack Vector Martin Holste (Apr 28)
- Re: Akamai X Forwarding Proxy as Attack Vector jack mort (Apr 28)
- Re: Akamai X Forwarding Proxy as Attack Vector Martin Holste (Apr 28)