[Snort-sigs] Akamai X Forwarding Proxy as Attack Vector

jack mort saiga12ftw at ...2420...
Thu Apr 28 04:49:38 EDT 2011

Lately I have been seeing an increase in attacks, mostly RFIs, which at
first glance appear to originate from Akamai Technologies.  Upon checking
the payload however, I will see that the attack originated elsewhere.

Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For:  123.456.789.101

I believe attackers are using Akamai's proxy in the hopes that any alerts
generated will be ignored due to the large amount of false positives caused
by Akamai's legitimate activity.  There is also a chance that some people
have simply whitelisted traffic from Akamai.

Would it be beneficial to create a snort sig to detect X Forwarded from
Akamai as 'Likely Hostile Traffic'?

Would a sig just generate large amounts of false positives from legitimate
proxied traffic?  How much legitimate proxied traffic is there?

In any case I would hope that people will remain vigilant and not ignore
traffic simply because it appears to be from a legitimate source.  Keep an
eye out for these and if you see them report it to Akamai, hopefully they
will do something about it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20110428/431fe570/attachment.html>

More information about the Snort-sigs mailing list