06-16-2016 04:52 PM
Hi guys,
Context: For the past 24 hours we've had constant reports of a brute force attack on our servers originating from the Akamai CDNs.
I'm unsure whether this is simply a false positive, or if there is something to actually worry about.
I've submitted a ticket to ccare@akamai.com with the same information - hoping for a response.
Below is a direct log from our firewalls, but obviously I've removed some of the more 'sensitive' information.
PS, there are a total of 2 originating addresses causing us issues, these are: 104.95.121.227 and 104.74.58.4
domain: 1
receive_time: 2016/06/17 09:14:50
serial: 001606021465
seqno: 741569
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2016/06/17 09:14:50
src: 104.74.58.4
dst: x.x.x.x
natsrc: 104.74.58.4
natdst: x.x.x.x
rule: Allow - General Internet
srcuser:
srcloc: US
app: soap
vsys: vsys1
inbound_if: ethernet1/1
outbound_if: ethernet1/3
time_received: 2016/06/17 09:14:50
sessionid: 9902
repeatcnt: 15
sport: 80
dport: 63873
natsport: 80
natdport: 18570
flags: 0x404000
proto: tcp
action: reset-both
cpadding: 0
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
vsys_id: 1
threatid: HTTP Request Brute Force Attack(40059)
reportid: 0
category: not-resolved
contenttype:
severity: high
direction: server-to-client
url_idx: 1
padding: 0
pcap_id: 0
filedigest:
user_agent:
filetype:
misc:
cloud:
xff:
referer:
sender:
subject:
recipient:
file_url:
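As an added triage aid (not part of the original post), the script below parses the key/value threat log above and pulls out the fields a responder checks first: whether the source is one of the two addresses named in the post, which side of the session the signature fired on (the direction field), whether the source port is the web server's port 80, the repeat count, the firewall action and the numeric signature id. The embedded log is a constructed, shortened copy of the one quoted in the post.

```python
import re

# Constructed excerpt of the firewall log quoted in the post (sensitive fields already masked).
SAMPLE_LOG = """\
type: THREAT
subtype: vulnerability
src: 104.74.58.4
dst: x.x.x.x
rule: Allow - General Internet
app: soap
repeatcnt: 15
sport: 80
dport: 63873
proto: tcp
action: reset-both
threatid: HTTP Request Brute Force Attack(40059)
severity: high
direction: server-to-client
"""

# The two originating addresses the poster reported.
REPORTED_SOURCES = {"104.95.121.227", "104.74.58.4"}


def parse_threat_log(text):
    """Turn 'key: value' lines into a dict; keys with no value map to ''."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return record


def triage(record):
    """Summarise the fields that decide whether the alert needs escalation."""
    sport = record.get("sport", "")
    match = re.search(r"\((\d+)\)\s*$", record.get("threatid", ""))
    return {
        "src": record.get("src", ""),
        "src_is_reported": record.get("src", "") in REPORTED_SOURCES,
        # 'server-to-client' means the signature matched traffic sent by the server side of the session
        "fired_on_server_response": record.get("direction") == "server-to-client",
        "src_port_is_http": sport.isdigit() and int(sport) == 80,
        "repeatcnt": int(record["repeatcnt"]) if record.get("repeatcnt", "").isdigit() else 0,
        "action": record.get("action", ""),
        "signature_id": int(match.group(1)) if match else None,
    }
```

Run `triage(parse_threat_log(SAMPLE_LOG))` to get the summary for the quoted record; the same two functions work on any record in this key/value format.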