[AusNOG] AWS sites inaccessible

Tin, James jtin at akamai.com
Wed Jun 15 11:59:42 EST 2016


Mark, I absolutely agree. I advocate it to all my customers and our professional services teams.
However, it’s up to our customers to use those capabilities.

Some customers have some very informative error pages and even submit trouble ticket hyperlinks that can be sent to a helpdesk.

James.

From: Mark Smith <markzzzsmith at gmail.com>
Date: Wednesday, June 15, 2016 at 10:16 AM
To: James Tin <jtin at akamai.com>
Cc: Chris Jones <chrisj at aprole.com>, Mal Everett <Mal.Everett at elmtree.com.au>, "ausnog at ausnog.net" <ausnog at ausnog.net>
Subject: Re: [AusNOG] AWS sites inaccessible

On 14 June 2016 at 21:50, Tin, James <jtin at akamai.com> wrote:
Ding, Ding, Ding, we have a winner.

Chris is absolutely right here.



I am the principal enterprise security architect at Akamai and sometimes
glance thru this mailing list.



Mal,

These sites are delivered on Akamai and the reason why you are being blocked
is due to your current and/or previous activity across sites delivered from
the Akamai platform. Otherwise known as Client Reputation. The website
owners have implemented a block policy to block clients with a poor track
record from accessing their site.



There are currently 4 categories of bad actors Akamai detects with Client
Reputation.

1) Web Attackers – Performed application layer attacks
2) Scrapers – Non-human traffic
3) DoS Attackers – Participated in DDoS attacks
4) Web Scanners – Used automated penetration testing or vulnerability testing tools.



On the 06/06/2016 at 01:45:00 PM, your network sent 7982 requests in an
attempt to brute force ASP login pages across 1 different applications. Your
network has been categorized as a Web Attacker based on this history.



So I would recommend that you perform penetration testing from a different
location from where you browse the internet. Or if you’re not familiar with
any penetration testing activity, then it is a sign of a compromised host in
your infrastructure.



If your network is cleaned up or you stop doing this activity, over the next
week or so your client reputation score will automatically decay to zero
based on current decay for your network.



If you have any questions, please see here
https://community.akamai.com/community/cloud-security/blog/2016/4/19

You are welcome to ask any questions there.



It would be better to include some or all of the above in the access
denied error message so that people aren't wondering what the problem
is.

(I don't think there is any excuse for terse error messages or just
error codes anymore - it's 2016, we have plenty of CPU, RAM and
bandwidth so we can afford to help make troubleshooting easier and
quicker. The developer seconds saved by being terse can multiply into
100s of hours of lost time to the developer's end-users, in particular
for Internet scale services like Akamai et al.)

Regards,
Mark.


James.



From: Chris Jones <chrisj at aprole.com>
Date: Tuesday, June 14, 2016 at 11:57 AM
To: Mal Everett <Mal.Everett at elmtree.com.au>
Cc: "ausnog at ausnog.net" <ausnog at ausnog.net>
Subject: Re: [AusNOG] AWS sites inaccessible



That looks suspiciously like an Akamai error message, and DNS certainly
points that way.  I’d have a chat to the Akamai team, if it's happening to a
bunch of different (unrelated) sites.



Chris



On 14 Jun 2016, at 11:52 AM, Mal Everett <Mal.Everett at elmtree.com.au> wrote:



Hi all,



I have got a range of IPs that seemingly are "forbidden" (via a packet
capture) by AWS when trying to access websites like qantas.com.au and
danmuprhys.com.au



Just scratching my head and wondering - "who do you call" ?

As an example in a browser we get



Access Denied



You don't have permission to access "http://www.qantas.com.au/" on this
server.

Reference #18.e7c33b8.1465867681.e63677d



Cheers

Mal


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog



