[nsp-sec] amazon blocking

[Dave Burke]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Phillip,

It appears the list I sent last night, was littered with False positives
like this.

The goldbox is ajax'd and causes high request rates to our frontend
VIPs. This triggered the IPs being blocked.

We're working back through the list now to try & remove the null routes
of ligitimate customers.

Apologies.

dave


Phillip G Deneault wrote:
> Sorry for the lateness of my reply.  I've inspected this system and can
> find no trace of intrusion.  I also reviewed all flows to and from this
> computer along with the HTTP requests.  It appears the user was looking
> at a lightning deal promotion but the total number of GET and POST
> requests(which are for every page, image, whatever) total only 1421 over
> the last 48 hours and seems to be spread around with other browsing
> traffic appropriate for a local user.
> 
> I humbly submit that my IP and possibly other IPs might have been caught
> in the dragnet.  If you would like evidence either for your own
> investigation, or to help resolve this matter, please let me know.
> 
> Just a taste for those watching at home:
> 
> 1213045366.95||130.215.17.87||POST||
> www.amazon.com/gp/goldbox/display/lightning-deals/ajax/json/get-promotion-by-deal-id.html
> ||HTTP/1.1||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
> Gecko/20080404 Firefox/2.0.0.14||
> 
> Thanks,
> Phil
> 
> Dave Burke wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> Here is the updated list of what we are currently null routing on our
>> border network - this is the same list across all retail sites.
>>
>> dave
> 
>> 10326   | 130.215.17.87    | WPI - Worcester Polytechnic Institute
> 
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Phil Deneault              "We work in the dark. We do what we can.
> deneault at wpi.edu                              We give what we have.
> Network Security Officer                  Our doubt is our passion,
> Network Operations                     and our passion is our task.
> Worcester Polytechnic Institute    The rest is the madness of art."
> http://www.wpi.edu/~deneault/                         - Henry James
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFITn+S6xddYR6j4jARArjRAJwMEOIOyeP3HAUAXnNH6OgrmGMJDwCfQPN8
uv+lByCGGIKZoCMiIjumkQg=
=Wp7s
-----END PGP SIGNATURE-----