Snort mailing list archives

Akamai X Forwarding Proxy as Attack Vector


From: jack mort <saiga12ftw () gmail com>
Date: Thu, 28 Apr 2011 04:49:38 -0400

Lately I have been seeing an increase in attacks, mostly RFIs, which at
first glance appear to originate from Akamai Technologies.  Upon checking
the payload however, I will see that the attack originated elsewhere.

Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For:  123.456.789.101

I believe attackers are using Akamai's proxy in the hopes that any alerts
generated will be ignored due to the large amount of false positives caused
by Akamai's legitimate activity.  There is also a chance that some people
have simply whitelisted traffic from Akamai.

Would it be beneficial to create a snort sig to detect X Forwarded from
Akamai as 'Likely Hostile Traffic'?

Would a sig just generate large amounts of false positives from legitimate
proxied traffic?  How much legitimate proxied traffic is there?

In any case I would hope that people will remain vigilant and not ignore
traffic simply because it appears to be from a legitimate source.  Keep an
eye out for these and if you see them report it to Akamai, hopefully they
will do something about it.
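The following Python script is an added illustration of the detection idea raised in the post above; it is not part of the original message and not a Snort rule. It shows what a signature along these lines would have to match (the `Via: ... (AkamaiGHost)` or `Akamai-Origin-Hop` header), and it makes the two practitioner points the post hints at: an alert should be attributed to the X-Forwarded-For origin rather than to the Akamai edge address, and it should only fire when the request itself looks hostile (here a crude RFI indicator: a query parameter whose value is an absolute URL), so legitimately proxied traffic does not drown the signal. All function names, the sample requests and the IP addresses are constructed for this example; the addresses come from the documentation ranges, and the header lines are modelled on the ones quoted in the post.

```python
"""Added example: flag Akamai-proxied HTTP requests that look like RFI attempts,
and attribute them to the forwarded origin instead of the Akamai edge address."""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass
class ProxiedRequest:
    request_line: str
    edge_ip: str                    # address the packet actually arrived from
    via_akamai: bool                # Akamai proxy headers present
    forwarded_for: Optional[str]    # origin taken from X-Forwarded-For, if usable
    rfi_like: bool                  # a query parameter carries an absolute URL


def parse_headers(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request into (request line, {lower-cased name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def last_valid_ip(xff: Optional[str]) -> Optional[str]:
    """X-Forwarded-For values on the left can be supplied by the client itself;
    the right-most value is the one the last proxy appended, so prefer it.
    Values that do not parse as an IP (e.g. '123.456.789.101') are skipped."""
    if not xff:
        return None
    for part in reversed(xff.split(",")):
        candidate = part.strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None


def looks_like_rfi(request_line: str) -> bool:
    """Crude RFI indicator: some query parameter value is an absolute URL."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    _path, _, query = target.partition("?")
    for pair in query.split("&"):
        _key, _, value = pair.partition("=")
        if unquote(value).lower().startswith(("http://", "https://", "ftp://")):
            return True
    return False


def analyze(raw: str, edge_ip: str) -> ProxiedRequest:
    """Classify one request; edge_ip is the TCP source address the sensor saw."""
    request_line, headers = parse_headers(raw)
    via_akamai = ("akamaighost" in headers.get("via", "").lower()
                  or "akamai-origin-hop" in headers)
    return ProxiedRequest(
        request_line=request_line,
        edge_ip=edge_ip,
        via_akamai=via_akamai,
        forwarded_for=last_valid_ip(headers.get("x-forwarded-for")),
        rfi_like=looks_like_rfi(request_line),
    )


def alert_line(req: ProxiedRequest) -> Optional[str]:
    """Alert only when the request is both Akamai-proxied and RFI-like, and
    attribute it to the forwarded origin (falling back to the edge address)."""
    if not (req.via_akamai and req.rfi_like):
        return None
    origin = req.forwarded_for or req.edge_ip
    return (f"LIKELY HOSTILE via Akamai edge {req.edge_ip}: "
            f"origin={origin} request={req.request_line!r}")


# Constructed samples (not real traffic); headers modelled on the post.
SAMPLE_REQUEST = (
    "GET /index.php?page=http://203.0.113.77/inc.txt HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Akamai-Origin-Hop: 1\r\n"
    "Via: 1.1 akamai.net(ghost) (AkamaiGHost)\r\n"
    "X-Forwarded-For: 10.0.0.9, 198.51.100.23\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /images/logo.png HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Akamai-Origin-Hop: 1\r\n"
    "Via: 1.1 akamai.net(ghost) (AkamaiGHost)\r\n"
    "X-Forwarded-For: 198.51.100.23\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, BENIGN_REQUEST):
        print(alert_line(analyze(raw, "192.0.2.10")))
```

Run as a script it prints one alert for the RFI-like request and `None` for the benign one, which is the false-positive behaviour the post worries about: matching on the Akamai headers alone would have alerted on both. Two caveats worth keeping in mind when turning this into a real signature: any client can add these headers, so confirming that the edge address really belongs to Akamai (rather than trusting the header) is what separates proxied traffic from traffic merely pretending to be proxied, and the left-hand X-Forwarded-For values are client-supplied, so only the value appended by the proxy should be used for attribution.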