
PA identifying traffic from AKAMAI as BruteForce.

L1 Bithead

Hi guys,

 

Context: For the past 24 hours we've had constant reports of a Brute force attack on our servers originating from the Akamai CDNs.

I'm unsure whether this is simply a false positive, or if there is something to actually worry about.

I've submitted a ticket to ccare@akamai.com with the same information - hoping for a response.

Below is a direct log from our firewalls, but obviously I've removed some of the more 'sensitive' information.

PS, there are a total of 2 originating addresses causing us issues, these are: 104.95.121.227 and 104.74.58.4

 

domain: 1
receive_time: 2016/06/17 09:14:50
serial: 001606021465
seqno: 741569
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2016/06/17 09:14:50
src: 104.74.58.4
dst: x.x.x.x
natsrc: 104.74.58.4
natdst: x.x.x.x
rule: Allow - General Internet
srcuser:
srcloc: US
app: soap
vsys: vsys1
inbound_if: ethernet1/1
outbound_if: ethernet1/3
time_received: 2016/06/17 09:14:50
sessionid: 9902
repeatcnt: 15
sport: 80
dport: 63873
natsport: 80
natdport: 18570
flags: 0x404000
proto: tcp
action: reset-both
cpadding: 0
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
vsys_id: 1
threatid: HTTP Request Brute Force Attack(40059)
reportid: 0
category: not-resolved
contenttype:
severity: high
direction: server-to-client
url_idx: 1
padding: 0
pcap_id: 0
filedigest:
user_agent:
filetype:
misc:
cloud:
xff:
referer:
sender:
subject:
recipient:
file_url:

8 REPLIES

L5 Sessionator

A couple of my customers are also facing exactly the same issue.

Application 'soap' is the same, and the IP address is also AKAMAI.

I'm currently suggesting they tune the threshold of signature id 40059.

The default threshold is 10 hits per 6 seconds.
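As an added example (not from this thread or from Palo Alto Networks), a small Python triage helper that parses the "key: value" threat-log layout quoted in the opening post and annotates a signature 40059 hit with the indicators an analyst would check before tuning the threshold mentioned above. The CDN prefix list is a placeholder built from the two addresses in the post, and the port 80/443 response-side check is an assumption for illustration.

```python
import ipaddress

# Constructed sample record in the "key: value" layout of the PAN-OS threat log
# quoted in the opening post (fields trimmed; dst masked as in the post).
SAMPLE_LOG = """
receive_time: 2016/06/17 09:14:50
type: THREAT
subtype: vulnerability
src: 104.74.58.4
dst: x.x.x.x
rule: Allow - General Internet
app: soap
repeatcnt: 15
sport: 80
dport: 63873
action: reset-both
threatid: HTTP Request Brute Force Attack(40059)
direction: server-to-client
"""

# Assumed triage allowlist built from the two addresses named in the post; it is a
# placeholder, not an authoritative CDN range list (check the CDN's published ranges).
KNOWN_CDN_PREFIXES = [ipaddress.ip_network("104.74.58.0/24"),
                      ipaddress.ip_network("104.95.121.0/24")]
DEFAULT_THRESHOLD_HITS = 10  # default for signature 40059 is 10 hits per 6 seconds

def parse_threat_log(text):
    """Split each 'key: value' line on the first colon; empty values stay ''."""
    record = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return record

def triage(record, cdn_prefixes=KNOWN_CDN_PREFIXES):
    """Return (verdict, benign_indicators, over_threshold) for one 40059 hit.
    This only annotates the alert for an analyst; it never suppresses it."""
    if "40059" not in record.get("threatid", ""):
        return "not-40059", [], False
    benign = []
    if any(ipaddress.ip_address(record["src"]) in net for net in cdn_prefixes):
        benign.append("source is in a known CDN prefix")
    # sport 80 with direction server-to-client means the counted requests are the
    # response side of a session an inside client opened, not inbound login attempts.
    if record.get("direction") == "server-to-client" and record.get("sport") in ("80", "443"):
        benign.append("hits are response traffic of a client-initiated web session")
    over = int(record.get("repeatcnt", "0")) >= DEFAULT_THRESHOLD_HITS
    verdict = "likely-false-positive" if len(benign) == 2 else "needs-review"
    return verdict, benign, over
```

The verdict is an analyst hint only; the actual fix in this thread is the content update, and any threshold change should be made per the vendor's guidance rather than by suppressing the signature.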


L3 Networker

This is getting really annoying, so many alerts due to this. Is this something PAN can fix for us, or do we have to wait on Akamai?

I would think that Palo Alto will address the issue and tune the threshold or whitelist Akamai in the threat signature. What annoys me is you can't tell me they didn't see this issue in internal testing. 

L1 Bithead

Has anyone received an update regarding these?

We're getting way too many messages, and I'm assuming this is a false positive. 

L1 Bithead

Is this resolved yet?  

Negative, still experiencing this issue on my end. 

Me too.

Kotresha
ACE

Community Team Member

Hi,

 

The upcoming content version (590) should handle this.

 

Cheers,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi