Akamai and auto-shun/blocking in IDS/IPS

Feb 27th, 2008

Hello,


Can anyone share how you deal in IDS/IPS with applications that are based on Akamai content delivery services?

There is a concern that if an “Akamized” web server is targeted in a web-based attack, it will be recognized as initiated from one of the Akamai Edge servers and that server will be blocked by the IDS/IPS, which will affect all users using this particular Edge server.


Thank you in advance

mhellman Wed, 02/27/2008 - 14:20

Can you explain why a connection from an Akamai edge server would be the source of an attack (or something perceived by IPS as being one)? Are they doing more than just hosting data?

DSmirnov Mon, 03/03/2008 - 23:35

If I understand correctly, the EdgeServer will forward the request to the source server if the content is not cached (with the source IP of the EdgeServer itself).

Probably all requests are going to be proxied that way during a typical vulnerability scan, and the Edge server blocked as a result.



mhellman Tue, 03/04/2008 - 07:22

Thanks for giving me the opportunity to look into this. I didn't make much progress though. As near as I could tell it appears that the edge servers could function as reverse caching proxies. I found references that indicated "uncached" objects will be fetched (not necessarily using HTTP, but that's an option) from the origin server. But there were no specifics.


I would be really surprised if *every* request that could not be fulfilled was proxied to the origin server. But I digress... you're saying that you use the edgeserver service, right, and that some exploit attempts are being proxied to your source server?

DSmirnov Thu, 03/06/2008 - 10:34

Yep, this is what we observe at the moment. Requests for non-existent content (typically 90% of web-vulnerability scans) are proxied to the origin server.

I guess it can be mitigated for IPS mode with connection blocks but there is no solution for IDS in promiscuous mode (except filters to disable blocking for Akamized sites).



mhellman Thu, 03/06/2008 - 10:51

Ouch. That certainly would be a show stopper for me using the service. I agree that the only way in IDS would be to create an event filter, probably using a variable for every edge server.
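The event-filter approach discussed in this thread, sketched as an added example (not code from any poster and not Cisco IPS configuration): alerts whose source is an edge server lose the host block, keeping a per-connection block only when the sensor is inline. The edge ranges, action names and sample alerts are constructed assumptions.

```python
import ipaddress

# Constructed edge-server ranges (documentation prefixes, not real Akamai
# addresses), standing in for the "variable for every edge server".
EDGE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

def is_edge(addr):
    """True if addr parses as an IP inside one of the edge ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source: not treated as an edge server
    return any(ip in net for net in EDGE_NETWORKS)

def filter_actions(alert, inline):
    """Return the response actions left after the edge-server filter.

    Action names (alert, block_host, block_connection) are hypothetical.
    """
    actions = set(alert["actions"])
    if not is_edge(alert["src"]):
        return sorted(actions)               # ordinary source: shun as configured
    wanted_block = "block_host" in actions
    actions.discard("block_host")            # never shun a shared edge address
    if inline and wanted_block:
        actions.add("block_connection")      # inline: drop only the offending flow
    elif not inline:
        actions.discard("block_connection")  # promiscuous: alert only
    return sorted(actions)

# Constructed alerts: a scan proxied through an edge server, and a direct one.
SAMPLE_ALERTS = [
    {"sig": "web-scan", "src": "192.0.2.44", "actions": ["alert", "block_host"]},
    {"sig": "web-scan", "src": "203.0.113.9", "actions": ["alert", "block_host"]},
]

def triage(alerts, inline):
    """Map each alert's source address to its filtered action list."""
    return {a["src"]: filter_actions(a, inline) for a in alerts}

if __name__ == "__main__":
    for mode in (True, False):
        print("inline" if mode else "promiscuous", triage(SAMPLE_ALERTS, mode))
```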
