PA identifying traffic from AKAMAI as BruteForce.

L1 Bithead

Hi guys,

Context: For the past 24 hours we've had constant reports of a brute force attack on our servers originating from the Akamai CDNs.

I'm unsure whether this is simply a false positive, or if there is something to actually worry about.

I've submitted a ticket to ccare@akamai.com with the same information, hoping for a response.

Below is a direct log from our firewalls, but obviously I've removed some of the more 'sensitive' information.

PS, there are a total of 2 originating addresses causing us issues, these are: 104.95.121.227 and 104.74.58.4

domain: 1
receive_time: 2016/06/17 09:14:50
serial: 001606021465
seqno: 741569
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2016/06/17 09:14:50
src: 104.74.58.4
dst: x.x.x.x
natsrc: 104.74.58.4
natdst: x.x.x.x
rule: Allow - General Internet
srcuser:
srcloc: US
app: soap
vsys: vsys1
inbound_if: ethernet1/1
outbound_if: ethernet1/3
time_received: 2016/06/17 09:14:50
sessionid: 9902
repeatcnt: 15
sport: 80
dport: 63873
natsport: 80
natdport: 18570
flags: 0x404000
proto: tcp
action: reset-both
cpadding: 0
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
vsys_id: 1
threatid: HTTP Request Brute Force Attack(40059)
reportid: 0
category: not-resolved
contenttype:
severity: high
direction: server-to-client
url_idx: 1
padding: 0
pcap_id: 0
filedigest:
user_agent:
filetype:
misc:
cloud:
xff:
referer:
sender:
subject:
recipient:
file_url:

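
A small triage script for entries like the one quoted above, written as an added example (it is not code from the poster or from Palo Alto Networks). It parses the key: value log format, extracts the signature id from the threatid field, and flags the two things a defender would check first: which side of the session is the HTTP server (the quoted entry has sport 80 with direction server-to-client, so the remote address is the server and the match fired on its responses) and whether the source is a known CDN address. The allowlist is constructed from the two addresses named in the post and is an assumption for the example only; a real deployment would load a maintained CDN range list.

```python
import ipaddress

# The threat-log entry quoted in the post, trimmed to the fields the triage uses
# (same values and the same x.x.x.x redaction as the original).
SAMPLE_LOG = """\
type: THREAT
subtype: vulnerability
src: 104.74.58.4
dst: x.x.x.x
rule: Allow - General Internet
app: soap
repeatcnt: 15
sport: 80
dport: 63873
proto: tcp
action: reset-both
threatid: HTTP Request Brute Force Attack(40059)
severity: high
direction: server-to-client
"""

# Constructed allowlist for the example: just the two addresses the poster named.
# Assumption: a real deployment would load a maintained CDN range list instead.
KNOWN_CDN_SOURCES = [
    ipaddress.ip_network("104.95.121.227/32"),
    ipaddress.ip_network("104.74.58.4/32"),
]


def parse_threat_log(text):
    """Parse the 'key: value' log format into a dict; keys with no value map to ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # skip lines that are not key: value
            fields[key.strip()] = value.strip()
    return fields


def signature_id(fields):
    """Pull the numeric id out of a threatid such as 'HTTP Request Brute Force Attack(40059)'."""
    tid = fields.get("threatid", "")
    start, end = tid.rfind("("), tid.rfind(")")
    if 0 <= start < end:
        return tid[start + 1:end]
    return None


def is_cdn_source(fields):
    """True when the log's src falls inside one of the allowlisted networks."""
    try:
        src = ipaddress.ip_address(fields.get("src", ""))
    except ValueError:
        return False
    return any(src in net for net in KNOWN_CDN_SOURCES)


def triage(fields):
    """Classify a signature-40059 entry; returns (verdict, list of reasons).

    verdict is 'likely-false-positive' when the remote side is the HTTP server
    and is on the CDN allowlist, otherwise 'investigate'.
    """
    if signature_id(fields) != "40059":
        return "investigate", ["not signature 40059, these triage rules do not apply"]
    reasons = []
    # sport 80 plus direction server-to-client means the remote address is the
    # web server and the match fired on its responses, not on inbound requests.
    server_side = fields.get("sport") == "80" and fields.get("direction") == "server-to-client"
    if server_side:
        reasons.append("remote host is the HTTP server (sport 80, server-to-client)")
    cdn = is_cdn_source(fields)
    if cdn:
        reasons.append("source %s is on the CDN allowlist" % fields["src"])
    if fields.get("action") == "reset-both":
        reasons.append("session was reset; check for broken downloads on the client side")
    verdict = "likely-false-positive" if server_side and cdn else "investigate"
    return verdict, reasons


if __name__ == "__main__":
    entry = parse_threat_log(SAMPLE_LOG)
    print(signature_id(entry), entry["app"], entry["repeatcnt"])
    verdict, reasons = triage(entry)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

Run it against a real export by replacing SAMPLE_LOG with the entry text; the verdict only says which entries deserve a human look, it does not suppress anything on the firewall.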
L4 Transporter

A couple of my customers are also facing exactly the same issue.

Application 'soap' is the same, and the IP address is also Akamai.

I'm currently suggesting they tune the threshold of signature id 40059.

The default threshold is 10 hits per 6 seconds.

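
To see why a rate threshold like the default quoted above (10 hits per 6 seconds) trips on ordinary CDN traffic, and what tuning it does, here is an added example that models the threshold as a sliding window over request timestamps. It is not code from the poster or from Palo Alto Networks, and that the signature counts hits this way is an assumption for the example; the two timestamp series are constructed.

```python
from collections import deque

# Constructed request timestamps (seconds) from one client to one server, example only.
PAGE_LOAD = [0.25 * i for i in range(12)]      # 12 objects fetched in 3 s, typical of a CDN-backed page
SLOW_SESSION = [float(i) for i in range(30)]   # one request per second for 30 s


def first_trigger(timestamps, threshold=10, window=6.0):
    """Return the time at which `threshold` hits fall inside any `window`-second span, else None.

    Sliding-window model of a rate threshold. The defaults are the 10 hits per
    6 seconds quoted in the thread; that the signature counts this way is an assumption.
    """
    recent = deque()
    for t in sorted(timestamps):
        recent.append(t)
        while t - recent[0] > window:      # drop hits that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            return t
    return None


def max_hits_in_window(timestamps, window=6.0):
    """Largest number of hits seen in any `window`-second span; a threshold above
    this value would not fire on the given traffic."""
    recent = deque()
    best = 0
    for t in sorted(timestamps):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        best = max(best, len(recent))
    return best


if __name__ == "__main__":
    for name, ts in (("page load", PAGE_LOAD), ("slow session", SLOW_SESSION)):
        print(name, "fires at:", first_trigger(ts),
              "peak hits per window:", max_hits_in_window(ts),
              "fires at threshold 13:", first_trigger(ts, threshold=13))
```

Feeding the script timestamps pulled from your own traffic logs for a known-good CDN session gives the peak hit count that a tuned threshold would need to exceed; an allowlist exception for the CDN source avoids raising the threshold for everyone else.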
L3 Networker

This is getting real annoying, so many alerts due to this. Is this something PAN can fix for us, or do we have to wait on Akamai?

Cyber Elite

I would think that Palo Alto will address the issue and tune the threshold or whitelist Akamai in the threat signature. What annoys me is you can't tell me they didn't see this issue in internal testing.

L1 Bithead

Has anyone received an update regarding these?

We're getting way too many messages, and I'm assuming this is a false positive.

L1 Bithead

Is this resolved yet?

L1 Bithead

Negative, still experiencing this issue on my end.

L3 Networker

Me too.

Kotresha
ACE
Community Team Member

Hi,

The upcoming content version (590) should handle this.

Cheers,

-Kim.
