[AusNOG] AWS sites inaccessible

Mark Smith markzzzsmith at gmail.com
Wed Jun 15 12:16:43 EST 2016


On 15 Jun 2016 11:59, "Tin, James" <jtin at akamai.com> wrote:
>
> Mark I absolutely agree. I advocate it to all my customers and our
> professional services teams.
>
> However it’s up to our customers to use those capabilities.
>
> Some customers have some very informative error pages and even submit
> trouble ticket hyperlinks that can be sent to a helpdesk.
>

Hmm, so do Akamai have a better default page that Qantas have actively
replaced? If so, I'd be inclined to make it hard enough to replace such
that the customer realises they need to consider the consequences of not
providing the equivalent.

Regards,
Mark.

>
> James.
>
> From: Mark Smith <markzzzsmith at gmail.com>
> Date: Wednesday, June 15, 2016 at 10:16 AM
> To: James Tin <jtin at akamai.com>
> Cc: Chris Jones <chrisj at aprole.com>, Mal Everett <Mal.Everett at elmtree.com.au>, "ausnog at ausnog.net" <ausnog at ausnog.net>
> Subject: Re: [AusNOG] AWS sites inaccessible
>
> On 14 June 2016 at 21:50, Tin, James <jtin at akamai.com> wrote:
>>
>> Ding, Ding, Ding, we have a winner.
>>
>> Chris is absolutely right here.
>>
>> I am the principal enterprise security architect at Akamai and sometimes
>> glance thru this mailing list.
>>
>> Mal,
>>
>> These sites are delivered on Akamai and the reason why you are being blocked
>> is due to your current and/or previous activity across sites delivered from
>> the Akamai platform. Otherwise known as Client Reputation. The website
>> owners have implemented a block policy to block clients with a poor track
>> record from accessing their site.
>>
>> There are currently 4 categories of bad actors Akamai detects with Client
>> Reputation.
>>
>> 1) Web Attackers – Performed application layer attacks
>> 2) Scrapers – Non human traffic
>> 3) DoS Attackers – Participated in DDoS attacks
>> 4) Web Scanners – used automated penetration testing or vulnerability
>>    testing tools.
>>
>> On the 06/06/2016 at 01:45:00 PM, your network sent 7982 requests in an
>> attempt to brute force ASP login pages across 1 different applications. Your
>> network has been categorized as a Web Attacker based on this history.
>>
>> So I would recommend that you perform penetration testing from a different
>> location from where you browse the internet. Or if you’re not familiar with
>> any penetration testing activity, then it is a sign of a compromised host in
>> your infrastructure.
>>
>> If your network is cleaned up or stops doing this activity, over the next
>> week or so your client reputation score will automatically decay to zero
>> based on current decay for your network.
>>
>> If you have any questions, please see here
>> https://community.akamai.com/community/cloud-security/blog/2016/4/19
>>
>> You are welcome to ask any questions there.
>>
>
> It would be better to include some or all of the above in the access
> denied error message so that people aren't wondering what the problem
> is.
>
> (I don't think there is any excuse for terse error messages or just
> error codes anymore - it's 2016, we have plenty of CPU, RAM and
> bandwidth so we can afford to help make troubleshooting easier and
> quicker. The developer seconds saved by being terse can multiply into
> 100s of hours of lost time to the developer's end-users, in particular
> for Internet scale services like Akamai et al.)
>
> Regards,
> Mark.
>
>>
>> James.
>>
>> From: Chris Jones <chrisj at aprole.com>
>> Date: Tuesday, June 14, 2016 at 11:57 AM
>> To: Mal Everett <Mal.Everett at elmtree.com.au>
>> Cc: "ausnog at ausnog.net" <ausnog at ausnog.net>
>> Subject: Re: [AusNOG] AWS sites inaccessible
>>
>> That looks suspiciously like an Akamai error message, and DNS certainly
>> points that way. I’d have a chat to the Akamai team, if it’s happening to a
>> bunch of different (unrelated) sites.
>>
>> Chris
>>
>> On 14 Jun 2016, at 11:52 AM, Mal Everett <Mal.Everett at elmtree.com.au> wrote:
>>
>> Hi all,
>>
>> I have got a range of IPs that seemingly are "forbidden" (via a packet
>> capture) by AWS when trying to access websites like qantas.com.au and
>> danmuprhys.com.au
>>
>> Just scratching my head and wondering - "who do you call" ?
>>
>> As an example in a browser we get
>>
>> Access Denied
>>
>> You don't have permission to access "http://www.qantas.com.au/" on this
>> server.
>>
>> Reference #18.e7c33b8.1465867681.e63677d
>>
>> Cheers
>>
>> Mal
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog