[Snort-sigs] Akamai X Forwarding Proxy as Attack Vector

jack mort saiga12ftw at ...2420...
Thu Apr 28 10:34:53 EDT 2011


I am not positive how they are accomplishing this.  It could have something
to do with Akamai web caching service.  I have been told the attackers may
not be doing this intentionally and it could just be a glitch (attacks being
cached by Akamai).  I am not sure I believe this is the case because of the
consistency with which certain malicious IPs will mysteriously utilize this
'glitch' repeatedly over the course of weeks.

On Thu, Apr 28, 2011 at 10:09 AM, Martin Holste <mcholste at ...2420...> wrote:

> > Akamai-Origin-Hop: 1
> > Via: 1.1 akamai.net(ghost) (AkamaiGHost)
> > X-Forwarded-For:  123.456.789.101
> >
>
> Akamai runs an open proxy?  Can you show what the attacker would do to
> run their requests through Akamai?  This is indeed cause for concern!
>
> > I believe attackers are using Akamai's proxy in the hopes that any alerts
> > generated will be ignored due to the large amount of false positives caused
> > by Akamai's legitimate activity.  There is also a chance that some people
> > have simply whitelisted traffic from Akamai.
> >
>
> Absolutely.  I'm sure many have used a BPF to ignore Akamai traffic
> entirely as it is a huge load on sensors.
>
> > Would it be beneficial to create a snort sig to detect X Forwarded from
> > Akamai as 'Likely Hostile Traffic'?
> >
>
> Maybe, how often do you see this?
>
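
Added example, not part of the original thread: rather than whitelisting or blanket-alerting on Akamai traffic, a sensor-side script can attribute each alerted request to the address in X-Forwarded-For and count repeat offenders behind the proxy. The function names, the sample alerts and the choice of the right-most X-Forwarded-For entry are assumptions made for this sketch.

```python
import ipaddress
from collections import Counter

def parse_headers(raw_request):
    """Map lower-cased header names to values for one raw HTTP request head."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:      # skip the request line
        if not line:
            break                                    # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def effective_client(src_ip, raw_request):
    """Return (ip_to_attribute, relayed_via_akamai) for one alerted request."""
    h = parse_headers(raw_request)
    relayed = "akamaighost" in h.get("via", "").lower() or "akamai-origin-hop" in h
    if not relayed:
        return src_ip, False                         # ignore XFF on direct traffic
    # Assumption: the right-most X-Forwarded-For entry is the one the proxy appended.
    candidate = h.get("x-forwarded-for", "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), True
    except ValueError:
        return src_ip, True                          # missing/malformed XFF: keep edge IP

def repeat_relayed_clients(alerts, threshold=2):
    """Clients behind the proxy that triggered at least `threshold` alerts."""
    counts = Counter()
    for src_ip, raw in alerts:
        ip, relayed = effective_client(src_ip, raw)
        if relayed and ip != src_ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def _req(xff, akamai=True):
    extra = ["Akamai-Origin-Hop: 1", "Via: 1.1 akamai.net(ghost) (AkamaiGHost)"] if akamai else []
    lines = ["GET / HTTP/1.1", "Host: www.example.com", *extra, "X-Forwarded-For: " + xff]
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed alerts: (source IP the sensor saw, request head). Documentation-range IPs;
# header names are the ones quoted in the thread.
SAMPLE_ALERTS = [
    ("192.0.2.10", _req("203.0.113.7")),
    ("192.0.2.11", _req("10.1.1.1, 203.0.113.7")),
    ("192.0.2.10", _req("198.51.100.23")),
    ("192.0.2.11", _req("123.456.789.101")),         # placeholder from the thread, invalid
    ("198.51.100.99", _req("203.0.113.7", akamai=False)),
]
if __name__ == "__main__":
    print(repeat_relayed_clients(SAMPLE_ALERTS))
```

Any client can set these headers itself, so the result is only meaningful when the source address is also checked against the CDN's published edge ranges.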