[AusNOG] AWS sites inaccessible

Tin, James jtin at akamai.com
Tue Jun 14 21:50:19 EST 2016


Ding, Ding, Ding, we have a winner.
Chris is absolutely right here.

I am the principal enterprise security architect at Akamai and sometimes glance thru this mailing list.

Mal,
These sites are delivered on Akamai and the reason why you are being blocked is due to your current and/or previous activity across sites delivered from the Akamai platform. Otherwise known as Client Reputation. The website owners have implemented a block policy to block clients with a poor track record from accessing their site.

There are currently 4 categories of bad actors Akamai detects with Client Reputation.

1) Web Attackers – Performed application layer attacks
2) Scrapers – Non-human traffic
3) DoS Attackers – Participated in DDoS attacks
4) Web Scanners – Used automated penetration testing or vulnerability testing tools.

On the 06/06/2016 at 01:45:00 PM, your network sent 7982 requests in an attempt to brute force ASP login pages across 1 different applications. Your network has been categorized as a Web Attacker based on this history.

So I would recommend that you perform penetration testing from a different location from where you browse the internet. Or if you’re not familiar with any penetration testing activity, then it is a sign of a compromised host in your infrastructure.

If your network is cleaned up or stops doing this activity, over the next week or so your client reputation score will automatically decay to zero based on the current decay for your network.

If you have any questions, please see here https://community.akamai.com/community/cloud-security/blog/2016/4/19
You are welcome to ask any questions there.

James.

From: Chris Jones <chrisj at aprole.com>
Date: Tuesday, June 14, 2016 at 11:57 AM
To: Mal Everett <Mal.Everett at elmtree.com.au>
Cc: "ausnog at ausnog.net" <ausnog at ausnog.net>
Subject: Re: [AusNOG] AWS sites inaccessible

That looks suspiciously like an Akamai error message, and DNS certainly points that way. I’d have a chat to the Akamai team, if it's happening to a bunch of different (unrelated) sites.

Chris

On 14 Jun 2016, at 11:52 AM, Mal Everett <Mal.Everett at elmtree.com.au> wrote:

Hi all,

I have got a range of IPs that seemingly are "forbidden" (via a packet capture) by AWS when trying to access websites like qantas.com.au and danmuprhys.com.au

Just scratching my head and wondering - "who do you call"?

As an example in a browser we get

Access Denied

You don't have permission to access "http://www.qantas.com.au/" on this server.
Reference #18.e7c33b8.1465867681.e63677d

Cheers
Mal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Client_Reputation_Score.png
Type: image/png
Size: 281746 bytes
Desc: Client_Reputation_Score.png
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160614/1a32b7f1/attachment-0001.png>
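Added example, not part of the thread or of any Akamai tooling: one way to follow up on the "compromised host in your infrastructure" possibility raised above is to search your own outbound proxy logs for an internal client sending large numbers of failed POSTs to ASP login pages. The log format, the host names and addresses, the failure status codes and the threshold are all assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches ASP / ASP.NET login pages such as /login.asp or /Account/Logon.aspx
LOGIN_PATH = re.compile(r"/[^/]*log[io]n[^/]*\.aspx?$", re.IGNORECASE)
FAILED = {"401", "403"}  # assumption: a failed login returns one of these codes


def build_sample_log():
    """Constructed proxy log lines: '<time> <client-ip> <method> <url> <status>'."""
    lines = [
        f"13:45:{i:02d} 10.0.0.23 POST http://app.example.test/admin/login.asp 401"
        for i in range(40)  # one internal host hammering a single login page
    ]
    lines.append("13:46:10 10.0.0.7 POST http://intranet.example.test/Logon.aspx 302")
    lines.append("13:46:12 10.0.0.9 GET http://www.example.test/index.html 200")
    lines.append("malformed line")
    return lines


def find_bruteforce_sources(lines, min_failures=20):
    """Return {client_ip: {"failures": n, "targets": [hosts]}} for noisy clients."""
    stats = defaultdict(lambda: {"failures": 0, "targets": set()})
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of crashing
        _, client, method, url, status = fields
        parts = urlsplit(url)
        if method != "POST" or not LOGIN_PATH.search(parts.path):
            continue  # only login form submissions are of interest
        if status in FAILED:
            stats[client]["failures"] += 1
            stats[client]["targets"].add(parts.hostname)
    return {
        ip: {"failures": s["failures"], "targets": sorted(s["targets"])}
        for ip, s in stats.items()
        if s["failures"] >= min_failures
    }


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(build_sample_log()).items():
        print(ip, info)
```

A hit on a workstation or server that nobody uses for authorised testing is the host to isolate and investigate first.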

