topic Re: Akamai and auto-shun/blocking in IDS/IPS in Network Security

Akamai and auto-shun/blocking in IDS/IPS

DSmirnov — Sun, 10 Mar 2019 11:00:59 GMT

Hello,

can anyone share how you deal in IDS/IPS with applications that are based on Akamai content delivery services?

There is a concern that if â€œAkamizedâ€ web-server is targeted in web-based attack - it will be recognized as initiated from one of Akamai Edge servers and that server will be blocked by IDS/IPS - that will affect all users using this particular Edge server.

Thank you in advance

Re: Akamai and auto-shun/blocking in IDS/IPS

mhellman — Wed, 27 Feb 2008 22:20:41 GMT

Can you explain why a connection from an Akamai edge server would be the source of an attack (or something perceived by IPS as being one)? Are they doing more than just hosting data?

Re: Akamai and auto-shun/blocking in IDS/IPS

DSmirnov — Tue, 04 Mar 2008 07:35:33 GMT

If I understand correct EdgeServer will forward the request to source server if content is not cached (with source IP of EdgeServer itself).

Probably all requests are going to be proxied that way during the typical vulnerability scan and Edge server blocked as a result.

Re: Akamai and auto-shun/blocking in IDS/IPS

mhellman — Tue, 04 Mar 2008 15:22:37 GMT

Thanks for giving me the opportunity to look into this. I didn't make much progress though. As near as I could tell it appears that the edge servers could function as reverse caching proxies. I found references that indicated "uncached" objects will be fetched (not necessarily using HTTP, but that's an option) from the origin server. But there were no specifics.

I would be really suprised if *every* request that could not be fulfilled was proxied to the origin server. But I digress...you're saying that you use the edgeserver service right and that some exploit attempts are being proxied to your source server?

Re: Akamai and auto-shun/blocking in IDS/IPS

DSmirnov — Thu, 06 Mar 2008 18:34:01 GMT

Yep, this is that we observe at the moment. Requests for non-existent content (typically 90% of web-vulnerability scans) are proxied to origin server.

I guess it can be mitigated for IPS mode with connection blocks but there is no solution for IDS in promiscuous mode (except filters to disable blocking for Akamized sites).

Re: Akamai and auto-shun/blocking in IDS/IPS

mhellman — Thu, 06 Mar 2008 18:51:59 GMT

ouch. That certainly would be show stopper for me using the service. I agree that the only way in IDS would be to create an event filter, probably using a variable for every edge server.