Context: For the past 24 hours we've had constant reports of a brute force attack on our servers originating from the Akamai CDNs.
I'm unsure whether this is simply a false positive, or if there is something to actually worry about.
I've submitted a ticket to email@example.com with the same information - hoping for a response.
Below is a direct log from our firewalls, but obviously - I've removed some of the more 'sensitive' information.
PS, there are a total of 2 originating addresses causing us issues, these are: 18.104.22.168 and 22.214.171.124
receive_time: 2016/06/17 09:14:50
time_generated: 2016/06/17 09:14:50
rule: Allow - General Internet
time_received: 2016/06/17 09:14:50
threatid: HTTP Request Brute Force Attack(40059)
A couple of my customers are also facing exactly the same issue.
Application 'soap' is the same, and the IP address is also Akamai.
I'm currently suggesting they tune the threshold of signature ID 40059.
The default threshold is 10 hits per 6 seconds.
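Added example, not part of any post in this thread and not Palo Alto's own logic: a simplified model of the 10-hits-per-6-seconds threshold mentioned above, run over constructed events to show how tuning the threshold changes whether one busy source address alerts. Counting per source address, the function name, the sample events and the addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y/%m/%d %H:%M:%S"  # same layout as the firewall log timestamps

# Constructed sample: one source sending 4 requests per second for 3 seconds,
# and a second source sending 3 requests spread over 6 seconds.
BUSY_SRC = "192.0.2.10"      # assumption: documentation-range address
QUIET_SRC = "198.51.100.7"   # assumption: documentation-range address
SAMPLE = (
    [("2016/06/17 09:14:50", BUSY_SRC)] * 4
    + [("2016/06/17 09:14:51", BUSY_SRC)] * 4
    + [("2016/06/17 09:14:52", BUSY_SRC)] * 4
    + [("2016/06/17 09:14:50", QUIET_SRC),
       ("2016/06/17 09:14:53", QUIET_SRC),
       ("2016/06/17 09:14:56", QUIET_SRC)]
)


def brute_force_alerts(events, hits=10, window_s=6):
    """Return (timestamp, source) each time a source reaches `hits`
    requests inside a sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    alerts = []
    parsed = sorted((datetime.strptime(ts, TS_FORMAT), src) for ts, src in events)
    for ts, src in parsed:
        seen = recent[src]
        seen.append(ts)
        # Drop requests that have aged out of the window.
        while ts - seen[0] >= window:
            seen.popleft()
        if len(seen) >= hits:
            alerts.append((ts, src))
            seen.clear()          # start counting again after an alert
    return alerts


if __name__ == "__main__":
    for threshold in (10, 30):
        fired = brute_force_alerts(SAMPLE, hits=threshold)
        print(f"threshold {threshold} hits / 6 s -> {len(fired)} alert(s): {fired}")
```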
I would think that Palo Alto will address the issue and tune the threshold or whitelist Akamai in the threat signature. What annoys me is you can't tell me they didn't see this issue in internal testing.