[Snort-sigs] Akamai X Forwarding Proxy as Attack Vector

Martin Holste mcholste at ...2420...
Thu Apr 28 10:09:07 EDT 2011

> Akamai-Origin-Hop: 1
> Via: 1.1 akamai.net(ghost) (AkamaiGHost)
> X-Forwarded-For:  123.456.789.101

Akamai runs an open proxy?  Can you show what the attacker would do to
run their requests through Akamai?  This is indeed cause for concern!

> I believe attackers are using Akamai's proxy in the hopes that any alerts
> generated will be ignored due to the large amount of false positives caused
> by Akamai's legitimate activity.  There is also a chance that some people
> have simply whitelisted traffic from Akamai.

Absolutely.  I'm sure many have used a BPF to ignore Akamai traffic
entirely as it is a huge load on sensors.

> Would it be beneficial to create a snort sig to detect X Forwarded from
> Akamai as 'Likely Hostile Traffic'?

Maybe, how often do you see this?

More information about the Snort-sigs mailing list