Snort mailing list archives
Re: Akamai X Forwarding Proxy as Attack Vector
From: jack mort <saiga12ftw () gmail com>
Date: Thu, 28 Apr 2011 10:34:53 -0400
I am not positive how they are accomplishing this. It could have something to do with Akamai web caching service. I have been told the attackers may not be doing this intentionally and it could just be a glitch (attacks being cached by Akamai). I am not sure I believe this is the case because of the consistency with which certain malicious IPs will mysteriously utilize this 'glitch' repeatedly over the course of weeks.

On Thu, Apr 28, 2011 at 10:09 AM, Martin Holste <mcholste () gmail com> wrote:
Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 123.456.789.101

Akamai runs an open proxy? Can you show what the attacker would do to run their requests through Akamai? This is indeed cause for concern!

I believe attackers are using Akamai's proxy in the hopes that any alerts generated will be ignored due to the large amount of false positives caused by Akamai's legitimate activity. There is also a chance that some people have simply whitelisted traffic from Akamai.

Absolutely. I'm sure many have used a BPF to ignore Akamai traffic entirely as it is a huge load on sensors.

Would it be beneficial to create a snort sig to detect X Forwarded from Akamai as 'Likely Hostile Traffic'?

Maybe, how often do you see this?
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
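
Added example, not part of the original thread or anyone's code from it: a triage sketch that, instead of ignoring Akamai-relayed alerts, re-attributes them to the forwarded client address and surfaces addresses that recur. The alert record layout, function names and sample data are assumptions constructed for illustration; the header names are the ones quoted in the thread.

```python
import ipaddress
from collections import Counter

def parse_headers(raw):
    """Parse 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def akamai_client_ip(headers):
    """Return the client IP an Akamai-relayed request claims, or None.

    A request counts as Akamai-relayed when it carries Akamai-Origin-Hop or a
    Via header naming akamai.net (the markers quoted in the thread).
    """
    via = headers.get("via", "").lower()
    if "akamai-origin-hop" not in headers and "akamai.net" not in via:
        return None
    # Assumption: each proxy appends the peer it saw, so the last entry is the
    # one the nearest proxy added; earlier entries may be client-supplied.
    last = headers.get("x-forwarded-for", "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None  # missing or malformed, e.g. the redacted 123.456.789.101

def repeat_sources(alerts, threshold=2):
    """Count alerts per forwarded client IP; return those at or above threshold."""
    counts = Counter()
    for alert in alerts:
        ip = akamai_client_ip(parse_headers(alert["headers"]))
        if ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample alerts (documentation-range addresses, not real data).
AKAMAI = "Akamai-Origin-Hop: 1\nVia: 1.1 akamai.net(ghost) (AkamaiGHost)\n"
SAMPLE_ALERTS = [
    {"sid": 1, "headers": AKAMAI + "X-Forwarded-For: 203.0.113.7"},
    {"sid": 2, "headers": AKAMAI + "X-Forwarded-For: 10.1.1.1, 203.0.113.7"},
    {"sid": 3, "headers": AKAMAI + "X-Forwarded-For: 198.51.100.9"},
    {"sid": 4, "headers": AKAMAI + "X-Forwarded-For: 123.456.789.101"},
    {"sid": 5, "headers": "X-Forwarded-For: 203.0.113.7"},
]

if __name__ == "__main__":
    print(repeat_sources(SAMPLE_ALERTS))
```

Grouping by the forwarded address rather than the edge server address keeps a recurring client visible even when each request arrives from a different Akamai node.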