
[FW1] Re : PingFlooding from AkamaiGHosts



Hello.

Experiencing the same event here and then, I included its description and the information I could gather in a file that I maintain about false alerts on my firewall. Here's its quick and dirty translation into English (please forgive the eventual inaccuracies, I'm a newbie sysadmin ;-) )
I hope it'll help.

*******************************************

Akamai

Log Signature:
Service		: 1233, 1259, 2519, 2522
Source		: a213-56-194-86.deploy.akamaitechnologies.com
Destination	: a LAN machine
Proto		: tcp
S_Port 		: http 

Other signs:
Time intervals between each attempt : 20", 20", 40", 1'30", then 2" (14 attempts, total duration 14', then stops)

Possible cause:
Akamai (www.akamai.com) has deployed a network of content servers (product Freeflow, www.akamai.com/html/en/sv/freeflow_streaming.html), especially among ISPs; the objective is to lower the response time during a web consultation.

tracert:

Trace l'itinéraire vers a213-56-194-62.deploy.akamaitechnologies.com [213.56.194.62] avec un maximum de 30 tronçons :
1   <10 ms   <10 ms   <10 ms  192.168.1.1
2    46 ms    63 ms    62 ms  24.GIG-9-0.GENG1.Gennevilliers.raei.francetelecom.net [194.2.1.226]
3    47 ms    62 ms    63 ms  a213-56-194-62.deploy.akamaitechnologies.com [213.56.194.62] 

What's that site running ? (http://uptime.netcraft.com/up/graph)
The site 213.56.194.62 is running AkamaiGHost on Linux

Notes:
A reasonable assumption is that the source could vary, according to the following pattern: IPaddress.deploy.akamaitechnologies.com
Other possible source: *.globalcenter.com
Unclear: why is an Akamai server the initiator of the connection, instead of the PC used to browse the web?

References 
FireWall-1 mailing list archives (msgs.securepoint.com/fw1/)
FireWall Wizards mailing list archives (www.nfr.com/pipermail/firewall-wizards/1999-October/006689.html) 
01Informatique article of 5/7/2000 (www.01net.com/rdn?oid=113566)
JDNet article (solutions.journaldunet.com/0103/010329akamai.shtml)
Mynetwatchman incident report (www.mynetwatchman.com/mynetwatchman/ListAllOpenIncidents.asp?ProviderId=1786&ReportType=P&AttackerIp=0&ReportPage=Provider) 

-----------------
Olivier DEBRE
[email protected]
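
The log signature in the message above can be turned into a triage filter for dropped-packet records. The following is an added example, not part of the original post or of FireWall-1: the record field names and the sample records are constructed assumptions, and the check also confirms that the IP embedded in the source name equals the logged source IP, as in the tracert output.

```python
import ipaddress
import re

# Name pattern from the post's notes: a<dashed IPv4>.deploy.akamaitechnologies.com
AKAMAI_RE = re.compile(
    r"^a(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
    r"\.deploy\.akamaitechnologies\.com\.?$", re.IGNORECASE)

def embedded_ip(hostname):
    """Return the IPv4 address encoded in the hostname, or None if it does not fit."""
    m = AKAMAI_RE.match(hostname.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255

def matches_signature(rec):
    """True when a record fits the post's signature: tcp, source port 80 (http),
    Akamai deploy source name, and embedded IP equal to the logged source IP.
    The name comes from reverse DNS, so a match is a triage hint, not proof."""
    if rec["proto"].lower() != "tcp" or rec["s_port"] != 80:
        return False
    ip = embedded_ip(rec["src_name"])
    return ip is not None and ip == ipaddress.IPv4Address(rec["src_ip"])

def triage(records):
    """Split records into (fits the signature, needs a normal review)."""
    known, review = [], []
    for rec in records:
        (known if matches_signature(rec) else review).append(rec)
    return known, review

AK = "a213-56-194-86.deploy.akamaitechnologies.com"
# Constructed sample records; the field names are assumptions, not a FireWall-1 export.
SAMPLE = [
    {"src_ip": "213.56.194.86", "src_name": AK, "proto": "tcp", "s_port": 80, "service": 1233},
    {"src_ip": "203.0.113.7", "src_name": AK, "proto": "tcp", "s_port": 80, "service": 1259},
    {"src_ip": "213.56.194.86", "src_name": AK, "proto": "tcp", "s_port": 1024, "service": 2519},
    {"src_ip": "198.51.100.9", "src_name": AK + ".example.net", "proto": "tcp", "s_port": 80, "service": 2522},
]

if __name__ == "__main__":
    known, review = triage(SAMPLE)
    print(len(known), "fit the signature;", len(review), "need review")
```

Only the first sample record fits; the other three (name and IP disagree, source port is not http, look-alike suffix) stay in the review list.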



