Snort mailing list archives

Re: Akamai X Forwarding Proxy as Attack Vector


From: jack mort <saiga12ftw () gmail com>
Date: Thu, 28 Apr 2011 10:34:53 -0400

I am not positive how they are accomplishing this.  It could have something
to do with Akamai web caching service.  I have been told the attackers may
not be doing this intentionally and it could just be a glitch (attacks being
cached by akamai).  I am not sure I believe this is the case because of the
consistency with which certain malicious IPs will mysteriously utilize this
'glitch' repeatedly over the course of weeks.

On Thu, Apr 28, 2011 at 10:09 AM, Martin Holste <mcholste () gmail com> wrote:

Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For:  123.456.789.101


Akamai runs an open proxy?  Can you show what the attacker would do to
run their requests through Akamai?  This is indeed cause for concern!

I believe attackers are using Akamai's proxy in the hopes that any alerts
generated will be ignored due to the large amount of false positives
caused
by Akamai's legitimate activity.  There is also a chance that some people
have simply whitelisted traffic from Akamai.


Absolutely.  I'm sure many have used a BPF to ignore Akamai traffic
entirely as it is a huge load on sensors.

Would it be beneficial to create a snort sig to detect X Forwarded from
Akamai as 'Likely Hostile Traffic'?


Maybe, how often do you see this?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
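The thread's point is that an alert raised on an Akamai-relayed request is attributed to the edge's address, so it gets lost among legitimate CDN traffic or is dropped by a whitelist/BPF, while the real client sits in X-Forwarded-For. The following is an added example, not code from the thread or from the Snort project: it parses raw HTTP requests, trusts X-Forwarded-For only when the Via header names an Akamai edge (the "AkamaiGHost" token quoted above), attributes the alert to the forwarded client, and tallies clients that recur across many alerts, which is how one would check the "same IPs for weeks" observation. The sample requests, the client addresses (documentation ranges) and the edge address are constructed; the Via test is an assumption based solely on the header values quoted in the thread.

```python
import ipaddress

# Constructed sample requests (not from the thread). Header names and the
# unparseable address mirror what the thread quotes; the client and edge
# addresses are documentation-range values chosen for the example.
EDGE_IP = "192.0.2.10"  # constructed: the proxy address the sensor would see
SAMPLE_REQUESTS = [
    # Relayed by an Akamai edge; X-Forwarded-For carries the real client.
    "GET /index.php?id=1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Akamai-Origin-Hop: 1\r\n"
    "Via: 1.1 akamai.net(ghost) (AkamaiGHost)\r\n"
    "X-Forwarded-For: 203.0.113.9\r\n\r\n",
    # Direct request with a forged X-Forwarded-For and no Akamai Via header;
    # the forwarded value is attacker-controlled and must not be trusted.
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 10.0.0.1\r\n\r\n",
    # Relayed request whose forwarded address is not a valid IPv4 literal
    # (the value quoted in the thread), so attribution falls back to the edge.
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Via: 1.1 akamai.net(ghost) (AkamaiGHost)\r\n"
    "X-Forwarded-For:  123.456.789.101\r\n\r\n",
]


def parse_headers(raw):
    """Split a raw HTTP request into (request line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def via_akamai(headers):
    """True when Via names an Akamai edge, using the 'AkamaiGHost' token from the thread."""
    return "akamaighost" in headers.get("via", "").lower()


def forwarded_client(headers):
    """Leftmost X-Forwarded-For entry as an IP object, or None if absent or unparseable."""
    xff = headers.get("x-forwarded-for")
    if not xff:
        return None
    first = xff.split(",")[0].strip()  # leftmost entry is the originating client
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None


def attribute_request(raw, sensor_src_ip):
    """Decide which address an alert on this request should be attributed to.

    sensor_src_ip is the packet source the sensor saw. X-Forwarded-For is only
    honoured when the request demonstrably came through the CDN; otherwise the
    header is client-supplied and ignored.
    """
    _, headers = parse_headers(raw)
    if not via_akamai(headers):
        return {"client": sensor_src_ip, "proxied": False,
                "note": "direct request; X-Forwarded-For ignored"}
    client = forwarded_client(headers)
    if client is None:
        return {"client": sensor_src_ip, "proxied": True,
                "note": "Akamai relay; X-Forwarded-For missing or unparseable"}
    return {"client": str(client), "proxied": True,
            "note": "Akamai relay; attributed to X-Forwarded-For client"}


def repeat_offenders(attributions, min_hits=2):
    """Count alerts per attributed client and return those seen at least min_hits times."""
    counts = {}
    for a in attributions:
        counts[a["client"]] = counts.get(a["client"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    results = [attribute_request(r, EDGE_IP) for r in SAMPLE_REQUESTS]
    for r in results:
        print(r)
    print(repeat_offenders(results, min_hits=1))
```

Attributing by forwarded client rather than by packet source is what keeps a per-IP whitelist for the CDN from silencing these alerts; the Via check is the part that stops a direct attacker from steering attribution with a forged header.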
