Snort mailing list archives

Re: Akamai X Forwarding Proxy as Attack Vector


From: Martin Holste <mcholste () gmail com>
Date: Thu, 28 Apr 2011 09:09:07 -0500

Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For:  123.456.789.101


Akamai runs an open proxy?  Can you show what the attacker would do to
run their requests through Akamai?  This is indeed cause for concern!

I believe attackers are using Akamai's proxy in the hopes that any alerts
generated will be ignored due to the large amount of false positives caused
by Akamai's legitimate activity.  There is also a chance that some people
have simply whitelisted traffic from Akamai.


Absolutely.  I'm sure many have used a BPF to ignore Akamai traffic
entirely as it is a huge load on sensors.

Would it be beneficial to create a snort sig to detect X Forwarded from
Akamai as 'Likely Hostile Traffic'?


Maybe, how often do you see this?
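The alternative to ignoring Akamai traffic that this exchange points at, as an added example that is not part of the original message or of Snort: check the `Via` header and attribute the alert to the `X-Forwarded-For` address instead of the proxy. The function names, the `peer_ip` parameter and the rule of trusting only the rightmost entry are assumptions made for illustration.

```python
import ipaddress

# Header block quoted in the message above; its X-Forwarded-For value is a
# placeholder and is not a valid IP address.
SAMPLE = (
    "Akamai-Origin-Hop: 1\n"
    "Via: 1.1 akamai.net(ghost) (AkamaiGHost)\n"
    "X-Forwarded-For:  123.456.789.101\n"
)

def parse_headers(block):
    """Return {lowercased name: [values]} for a raw header block."""
    headers = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def attribute_source(block, peer_ip):
    """Pick the address an alert on this request should be attributed to.

    peer_ip is the TCP source the sensor saw (hypothetical parameter).
    """
    h = parse_headers(block)
    if not any("akamai" in v.lower() for v in h.get("via", [])):
        return {"via_akamai": False, "attributed_to": peer_ip, "xff_valid": None}
    # Flatten all X-Forwarded-For headers; entries are comma separated.
    hops = [p.strip() for v in h.get("x-forwarded-for", [])
            for p in v.split(",") if p.strip()]
    # Assumption: the proxy appends the address it saw, so only the rightmost
    # entry was written by the proxy; anything to its left is client-supplied.
    last = hops[-1] if hops else ""
    ok = valid_ip(last)
    # Missing or malformed value: keep the peer address and flag the request.
    return {"via_akamai": True,
            "attributed_to": last if ok else peer_ip,
            "xff_valid": ok}
```

`Via` is itself a request header that any client can set, so this check is only meaningful when the peer address is also known to belong to the proxy.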

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

