[Snort-sigs] Akamai X Forwarding Proxy as Attack Vector
mcholste at ...2420...
Thu Apr 28 10:09:07 EDT 2011

> Akamai-Origin-Hop: 1
> Via: 1.1 akamai.net(ghost) (AkamaiGHost)
> X-Forwarded-For: 123.456.789.101

Akamai runs an open proxy? Can you show what the attacker would do to
run their requests through Akamai? This is indeed cause for concern!

> I believe attackers are using Akamai's proxy in the hopes that any alerts
> generated will be ignored due to the large amount of false positives caused
> by Akamai's legitimate activity. There is also a chance that some people
> have simply whitelisted traffic from Akamai.

Absolutely. I'm sure many have used a BPF to ignore Akamai traffic
entirely as it is a huge load on sensors.

> Would it be beneficial to create a snort sig to detect X Forwarded from
> Akamai as 'Likely Hostile Traffic'?

Maybe, how often do you see this?
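
Added example, not part of the original thread and not Snort or Akamai code: a triage helper that keys an alert on the address carried in X-Forwarded-For when a request bears the Akamai markers quoted above, so that ignoring Akamai edge addresses does not hide the original client. The function names, sample requests and the trust rule for the last X-Forwarded-For entry are assumptions.

```python
import ipaddress

# Constructed sample requests, not captured traffic. 203.0.113.7 and
# 198.51.100.20 are documentation addresses; www.example.com is a placeholder.
RELAYED = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           "Akamai-Origin-Hop: 1\r\n"
           "Via: 1.1 akamai.net(ghost) (AkamaiGHost)\r\n"
           "X-Forwarded-For: 203.0.113.7\r\n\r\n")
DIRECT = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Same header value as quoted in the post; it is not a valid IPv4 address.
MASKED = RELAYED.replace("203.0.113.7", "123.456.789.101")

def parse_headers(raw):
    """Map lower-cased header names to lists of values from a raw request head."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def via_akamai(headers):
    """True when the request carries the Akamai markers shown in the post."""
    via = " ".join(headers.get("via", [])).lower()
    return "akamaighost" in via or "akamai-origin-hop" in headers

def forwarded_chain(headers):
    """X-Forwarded-For entries in order as (text, parsed address or None)."""
    chain = []
    for value in headers.get("x-forwarded-for", []):
        for item in filter(None, (p.strip() for p in value.split(","))):
            try:
                chain.append((item, ipaddress.ip_address(item)))
            except ValueError:
                chain.append((item, None))  # keep unparsable text for the analyst
    return chain

def attribute(raw, peer_ip):
    """Pick the address an alert on this request should be keyed on."""
    headers = parse_headers(raw)
    if not via_akamai(headers):
        return {"relayed": False, "source": peer_ip, "xff": []}
    chain = forwarded_chain(headers)
    xff = [text for text, _ in chain]
    # Assumption: the last entry was appended by the proxy nearest to us;
    # earlier entries may have been supplied by the client.
    if chain and chain[-1][1] is not None:
        return {"relayed": True, "source": str(chain[-1][1]), "xff": xff}
    return {"relayed": True, "source": peer_ip, "xff": xff}
```

When the forwarded value does not parse, as with the masked address in the quoted headers, the helper falls back to the connecting peer and keeps the raw text in `xff` for review.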