Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1288
Views
0
Helpful
5
Replies

Akamai and auto-shun/blocking in IDS/IPS

DSmirnov
Level 1
Level 1

‎02-27-2008 11:51 AM - edited ‎03-10-2019 04:00 AM

Hello,

can anyone share how you deal in IDS/IPS with applications that are based on Akamai content delivery services?

There is a concern that if “Akamized” web-server is targeted in web-based attack - it will be recognized as initiated from one of Akamai Edge servers and that server will be blocked by IDS/IPS - that will affect all users using this particular Edge server.

Thank you in advance

Labels:
0 Helpful
5 Replies 5

mhellman
Level 7
Level 7

‎02-27-2008 02:20 PM

Can you explain why a connection from an Akamai edge server would be the source of an attack (or something perceived by IPS as being one)? Are they doing more than just hosting data?

0 Helpful

DSmirnov
Level 1
Level 1
In response to mhellman

‎03-03-2008 11:35 PM

If I understand correct EdgeServer will forward the request to source server if content is not cached (with source IP of EdgeServer itself).

Probably all requests are going to be proxied that way during the typical vulnerability scan and Edge server blocked as a result.

0 Helpful

mhellman
Level 7
Level 7
In response to DSmirnov

‎03-04-2008 07:22 AM

Thanks for giving me the opportunity to look into this. I didn't make much progress though. As near as I could tell it appears that the edge servers could function as reverse caching proxies. I found references that indicated "uncached" objects will be fetched (not necessarily using HTTP, but that's an option) from the origin server. But there were no specifics.

I would be really suprised if *every* request that could not be fulfilled was proxied to the origin server. But I digress...you're saying that you use the edgeserver service right and that some exploit attempts are being proxied to your source server?

0 Helpful

DSmirnov
Level 1
Level 1
In response to mhellman

‎03-06-2008 10:34 AM

Yep, this is that we observe at the moment. Requests for non-existent content (typically 90% of web-vulnerability scans) are proxied to origin server.

I guess it can be mitigated for IPS mode with connection blocks but there is no solution for IDS in promiscuous mode (except filters to disable blocking for Akamized sites).

0 Helpful

mhellman
Level 7
Level 7
In response to DSmirnov

‎03-06-2008 10:51 AM

ouch. That certainly would be show stopper for me using the service. I agree that the only way in IDS would be to create an event filter, probably using a variable for every edge server.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card