- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-16-2016 04:52 PM
Hi guys,
Context: For the past 24 hours we've had constant reports of a Brute force attack on our servers originating from the Akamai CDN's.
I'm unsure whether this is simply a false positive, or if there something to actually worry about.
I've submitted a ticket to ccare@akamai.com with the same information - hoping for a response.
Below is a direct log from our firewalls, but obviously - I've removed some the more 'sensitive' information.
PS, there are a total of 2 originating address causing us issues, these are: 104.95.121.227 and 104.74.58.4
domain: 1
receive_time: 2016/06/17 09:14:50
serial: 001606021465
seqno: 741569
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2016/06/17 09:14:50
src: 104.74.58.4
dst: x.x.x.x
natsrc: 104.74.58.4
natdst: x.x.x.x
rule: Allow - General Internet
srcuser:
srcloc: US
app: soap
vsys: vsys1
inbound_if: ethernet1/1
outbound_if: ethernet1/3
time_received: 2016/06/17 09:14:50
sessionid: 9902
repeatcnt: 15
sport: 80
dport: 63873
natsport: 80
natdport: 18570
flags: 0x404000
proto: tcp
action: reset-both
cpadding: 0
dg_hier_level_1: 0
dg_hier_level_2: 0
dg_hier_level_3: 0
dg_hier_level_4: 0
vsys_name:
vsys_id: 1
threatid: HTTP Request Brute Force Attack(40059)
reportid: 0
category: not-resolved
contenttype:
severity: high
direction: server-to-client
url_idx: 1
padding: 0
pcap_id: 0
filedigest:
user_agent:
filetype:
misc:
cloud:
xff:
referer:
sender:
subject:
recipient:
file_url:
06-16-2016 08:02 PM
A couple of my customers are also facing exactly same issue.
Application 'soap' is same, and IP address is also AKAMAI.
I'm currently suggest them to tune threshold of signature id 40059.
The default threshold is 10 hits per 6 seconds.
06-17-2016 09:14 AM
I would think that Palo Alto will address the issue and tune the threshold or whitelist Akamai in the threat signature. What annoys me is you can't tell me they didn't see this issue in internal testing.
06-20-2016 05:15 PM
Negative, still experiencing this issue on my end.
06-21-2016 04:51 AM
Hi,
The upcoming content version (590) should handle this.
Cheers,
-Kim.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!