Snort mailing list archives
Akamai X Forwarding Proxy as Attack Vector
From: jack mort <saiga12ftw () gmail com>
Date: Thu, 28 Apr 2011 04:49:38 -0400
Lately I have been seeing an increase in attacks, mostly RFIs, which at first glance appear to originate from Akamai Technologies. Upon checking the payload however, I will see that the attack originated elsewhere.

Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 123.456.789.101

I believe attackers are using Akamai's proxy in the hopes that any alerts generated will be ignored due to the large amount of false positives caused by Akamai's legitimate activity. There is also a chance that some people have simply whitelisted traffic from Akamai.

Would it be beneficial to create a snort sig to detect X Forwarded from Akamai as 'Likely Hostile Traffic'? Would a sig just generate large amounts of false positives from legitimate proxied traffic? How much legitimate proxied traffic is there?

In any case I would hope that people will remain vigilant and not ignore traffic simply because it appears to be from a legitimate source. Keep an eye out for these and if you see them report it to Akamai, hopefully they will do something about it.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
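An added example, not part of the original post: one way to keep proxied requests from being attributed to (or whitelisted as) the proxy itself is to re-attribute each alert to the client named in the forwarding headers quoted above. It assumes the proxy appends the connecting client as the last X-Forwarded-For entry; `CDN_EDGE_NETS`, `attribute_source`, the sample request and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed placeholder for the proxy's edge ranges (RFC 5737 space);
# a real deployment would load the provider's published list.
CDN_EDGE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed request carrying the three headers quoted in the post.
SAMPLE = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          "Akamai-Origin-Hop: 1\r\n"
          "Via: 1.1 akamai.net(ghost) (AkamaiGHost)\r\n"
          "X-Forwarded-For: 203.0.113.7\r\n\r\n")

def parse_headers(raw):
    """Parse a raw HTTP request's header block into a lowercase-keyed dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            # Repeated list headers are equivalent to one comma-joined header.
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def attribute_source(peer_ip, raw_request):
    """Return (source_ip, note) to record on an alert for this request."""
    peer = ipaddress.ip_address(peer_ip)
    headers = parse_headers(raw_request)
    if "akamaighost" not in headers.get("via", "").lower():
        return peer_ip, "direct"
    if not any(peer in net for net in CDN_EDGE_NETS):
        # Anyone can send these headers; only a known edge peer makes them credible.
        return peer_ip, "claims-proxy-from-unknown-peer"
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk right to left: entries appended by trusted edges are skipped, and the
    # first address outside the edge ranges is the client the proxy actually saw.
    # Anything further left was supplied by that client and is not trusted.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip, "proxied-invalid-xff"
        if not any(addr in net for net in CDN_EDGE_NETS):
            return hop, "proxied"
    return peer_ip, "proxied-no-client"

if __name__ == "__main__":
    print(attribute_source("192.0.2.10", SAMPLE))
```

Alerts keyed on the returned source can then be tuned or reported per client, so the proxy's legitimate volume does not mask an individual client's activity.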
Current thread:
- Akamai X Forwarding Proxy as Attack Vector jack mort (Apr 28)
- Re: Akamai X Forwarding Proxy as Attack Vector Martin Holste (Apr 28)
- Re: Akamai X Forwarding Proxy as Attack Vector jack mort (Apr 28)
- Re: Akamai X Forwarding Proxy as Attack Vector Martin Holste (Apr 28)