https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/90078#M43555 <P>Negative, still experiencing this issue on my end.&nbsp;</P> Tue, 21 Jun 2016 00:15:49 GMT MIGAS 2016-06-21T00:15:49Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88281#M43489 <P>Hi guys,</P> <P>&nbsp;</P> <P>Context: For the past 24 hours we've had constant reports of a Brute force attack on our servers originating from the Akamai CDN's.</P> <P>&nbsp;</P> <P>I'm unsure whether this is simply a false positive, or if there something to&nbsp;actually worry about.</P> <P>&nbsp;</P> <P>I've submitted a ticket to ccare@akamai.com with the same information - hoping for a response.&nbsp;</P> <P>&nbsp;</P> <P>Below is a direct log from our firewalls, but obviously - I've removed some the more 'sensitive' information.&nbsp;</P> <P>&nbsp;</P> <P>PS, there are a total of 2 originating address causing us issues, these are:&nbsp;104.95.121.227 and &nbsp;104.74.58.4</P> <P>&nbsp;</P> <P>domain: 1<BR />receive_time: 2016/06/17 09:14:50<BR />serial: 001606021465<BR />seqno: 741569<BR />actionflags: 0x0<BR />type: THREAT<BR />subtype: vulnerability<BR />config_ver: 1<BR />time_generated: 2016/06/17 09:14:50<BR /><FONT color="#FF0000">src: 104.74.58.4&nbsp;</FONT><BR />dst: x.x.x.x <BR />natsrc: 104.74.58.4<BR />natdst: x.x.x.x<BR />rule: Allow - General Internet<BR />srcuser:</P> <P>srcloc: US</P> <P>app: soap<BR />vsys: vsys1</P> <P>inbound_if: ethernet1/1<BR />outbound_if: ethernet1/3</P> <P>time_received: 2016/06/17 09:14:50<BR />sessionid: 9902<BR />repeatcnt: 15<BR />sport: 80<BR />dport: 63873<BR />natsport: 80<BR />natdport: 18570<BR />flags: 0x404000<BR />proto: tcp<BR />action: reset-both<BR />cpadding: 0<BR />dg_hier_level_1: 0<BR />dg_hier_level_2: 0<BR />dg_hier_level_3: 0<BR />dg_hier_level_4: 0<BR />vsys_name:</P> <P>vsys_id: 1<BR /><FONT color="#FF0000"><STRONG>threatid: HTTP Request Brute Force Attack(40059)&nbsp;</STRONG></FONT><BR />reportid: 0<BR />category: not-resolved<BR />contenttype:<BR />severity: high<BR />direction: server-to-client<BR />url_idx: 1<BR />padding: 0<BR />pcap_id: 0<BR />filedigest:<BR />user_agent:<BR />filetype:<BR />misc:<BR />cloud:<BR />xff:<BR />referer:<BR />sender:<BR />subject:<BR />recipient:<BR />file_url:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 16 Jun 2016 23:52:01 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88281#M43489 MIGAS 2016-06-16T23:52:01Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88361#M43491 <P>A couple of my customers are also facing exactly same issue.</P> <P>Application 'soap' is same, and IP address is also AKAMAI.</P> <P>&nbsp;</P> <P>I'm currently suggest them to tune threshold of signature id 40059.</P> <P>The default&nbsp;threshold is 10 hits per 6 seconds.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 17 Jun 2016 03:02:54 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88361#M43491 emr_1 2016-06-17T03:02:54Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88712#M43505 <P>this is getting real annoying, so many alerts due to this. is this something PAN can fix for us or we have to wait on Akamai</P> Fri, 17 Jun 2016 16:08:52 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88712#M43505 googol 2016-06-17T16:08:52Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88715#M43508 <P>I would think that Palo Alto will address the issue and tune the threshold or whitelist Akamai in the threat signature. What annoys me is you can't tell me they didn't see this issue in internal testing.&nbsp;</P> Fri, 17 Jun 2016 16:14:24 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/88715#M43508 BPry 2016-06-17T16:14:24Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/89331#M43535 <P>Has anyone received an update regarding these?<BR /><BR />We're getting way too many messages, and I'm assuming this is a false positive.&nbsp;</P> Mon, 20 Jun 2016 02:54:51 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/89331#M43535 MIGAS 2016-06-20T02:54:51Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/89983#M43553 <P>Is this resolved yet? &nbsp;</P> Mon, 20 Jun 2016 21:36:00 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/89983#M43553 ajrockn 2016-06-20T21:36:00Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/90078#M43555 <P>Negative, still experiencing this issue on my end.&nbsp;</P> Tue, 21 Jun 2016 00:15:49 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/90078#M43555 MIGAS 2016-06-21T00:15:49Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/90360#M43565 <P>Me too.</P> Tue, 21 Jun 2016 10:30:35 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/90360#M43565 KotreshaMC 2016-06-21T10:30:35Z https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/90394#M43567 <P>Hi,</P> <P>&nbsp;</P> <P>The upcoming content version (590) should handle&nbsp;this.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kim.</P> Tue, 21 Jun 2016 11:51:49 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-identifying-traffic-from-akamai-as-bruteforce/m-p/90394#M43567 kiwi 2016-06-21T11:51:49Z