
New Member

Akamai and auto-shun/blocking in IDS/IPS

Hello,

Can anyone share how you deal in IDS/IPS with applications that are based on Akamai content delivery services?

There is a concern that if an "Akamized" web server is targeted in a web-based attack, it will be recognized as initiated from one of the Akamai Edge servers, and that server will be blocked by the IDS/IPS, which will affect all users using this particular Edge server.

Thank you in advance

5 REPLIES
Gold

Re: Akamai and auto-shun/blocking in IDS/IPS

Can you explain why a connection from an Akamai edge server would be the source of an attack (or something perceived by IPS as being one)? Are they doing more than just hosting data?

New Member

Re: Akamai and auto-shun/blocking in IDS/IPS

If I understand correctly, the EdgeServer will forward the request to the source server if the content is not cached (with the source IP of the EdgeServer itself).

Probably all requests are going to be proxied that way during a typical vulnerability scan, and the Edge server will be blocked as a result.

Gold

Re: Akamai and auto-shun/blocking in IDS/IPS

Thanks for giving me the opportunity to look into this. I didn't make much progress though. As near as I could tell it appears that the edge servers could function as reverse caching proxies. I found references that indicated "uncached" objects will be fetched (not necessarily using HTTP, but that's an option) from the origin server. But there were no specifics.

I would be really surprised if *every* request that could not be fulfilled was proxied to the origin server. But I digress... you're saying that you use the edge server service, right, and that some exploit attempts are being proxied to your source server?

New Member

Re: Akamai and auto-shun/blocking in IDS/IPS

Yep, this is what we observe at the moment. Requests for non-existent content (typically 90% of web vulnerability scans) are proxied to the origin server.

I guess it can be mitigated in IPS mode with connection blocks, but there is no solution for IDS in promiscuous mode (except filters to disable blocking for Akamized sites).

Gold

Re: Akamai and auto-shun/blocking in IDS/IPS

Ouch. That certainly would be a show stopper for me using the service. I agree that the only way in IDS would be to create an event filter, probably using a variable for every edge server.
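As an added illustration (not code from any poster in this thread) of the mitigation the replies converge on, the Python sketch below applies a shun decision that exempts known CDN edge addresses and instead records the client address the edge forwards in a proxy header. The edge networks are constructed TEST-NET placeholders, and the header names (True-Client-IP, X-Forwarded-For) are assumptions to verify against your own CDN configuration.

```python
import ipaddress

# Constructed placeholder: operator-maintained list of CDN edge networks that
# front the "Akamized" origin servers. These are TEST-NET ranges, not real
# Akamai addresses; populate from your CDN's published ranges.
CDN_EDGE_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Headers a reverse caching proxy may add carrying the original client address.
# Which header a given CDN sets is an assumption; check your configuration.
CLIENT_IP_HEADERS = ("True-Client-IP", "X-Forwarded-For")


def is_cdn_edge(ip):
    """True if the packet source address belongs to a known CDN edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_EDGE_NETWORKS)


def real_client_ip(headers):
    """Return the client address carried in proxy headers, or None if absent/invalid."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in CLIENT_IP_HEADERS:
        value = lower.get(name.lower())
        if not value:
            continue
        # X-Forwarded-For may be a comma-separated chain; the first hop is the client.
        candidate = value.split(",")[0].strip()
        try:
            ipaddress.ip_address(candidate)
            return candidate
        except ValueError:
            continue
    return None


def shun_decision(event):
    """Decide what to do with a triggering event: ("shun", ip) blocks the source
    address, ("log_client", ip) keeps the shared edge open and records the real
    client for correlation, ("alert_only", ip) raises the alert without blocking."""
    src = event["src_ip"]
    if not is_cdn_edge(src):
        return ("shun", src)
    # Only trust proxy headers when the source really is a CDN edge; otherwise a
    # direct client could forge the header to misattribute the attack.
    client = real_client_ip(event.get("headers", {}))
    if client is None:
        return ("alert_only", src)
    return ("log_client", client)
```

Shunning a shared edge address would cut off every user behind it, so the edge-sourced events are either attributed to the forwarded client address or left as alerts for the analyst.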
