Akamai WAF
Monah Baki
monahbaki at gmail.com
Thu Oct 18 08:04:09 EDT 2018
Morning Carter
My /etc/resolv.conf has the following local dns server
nameserver 172.16.64.44
nameserver 172.16.84.45
If I turn off name resolution in ratop I get the following (23.x.x.x is
Akamai):
2 07:59:22.790847 23.212.3.119.33852
US 172.16.90.80.https ZZ
s[50]=..................{....../............1.I.. ..c.i.
d[50]=....Y...U..[.u...\>...Q..7Z....[.v.=.....D. !.....
9 07:58:10.105559 23.212.3.111.40000
US 172.16.90.80.https ZZ
s[50]=.....=^.....y....rC....%|.`k..l...~.Lw.Gv/}.irH._
d[50]=....+knR.?~..`c..............;.....$..]f.#.......
9 07:58:10.098356 23.212.3.119.61694
US 172.16.90.80.https ZZ
s[50]=.......jk.....J&pfg...f.5..F.L1.\....m.....$..R..k
d[50]=....*.,.Q......6..w....|.8....Ll..'......du...sF..
9 07:58:10.107991 23.212.3.111.40003
US 172.16.90.80.https ZZ
s[50]=.....%..."+K....w].g^....Y.q..;.......j.:~..|Gy}0.
d[50]=....*.M.c..'.O....k.....U....#..PQ.7W.&..y._N..z.?
1 08:00:52.113364 23.48.209.87.37265
US 172.16.90.80.https ZZ
s[50]=..............a.T..5_8..4|.....W....+Q/.8.. ...lz.
d[50]=....Y...U..[.u..M...__w6LW..H.2...nB..{C... ..S..Z
1 08:00:52.113383 23.48.209.87.37264
US 172.16.90.80.https ZZ
s[50]=................Ku.......&B.4.;....S..N.?.* ...lz.
d[50]=....Y...U..[.u........ln..Nf...U....y...Nt| ....\.
1 08:00:52.114270 23.48.209.87.37267
US 172.16.90.80.https ZZ
s[50]=...........W..J....."G.......Jh...A....~.. ...lz.
d[50]=....Y...U..[.u......3K...S."L.*..G.....e7 . ..\...
1 08:00:52.114281 23.48.209.87.37271
US 172.16.90.80.https ZZ
s[50]=.............:}@MY..Q.tg....AIk.....-9$.{.. ...lz.
d[50]=....Y...U..[.u....e.8.".X.....2Z..4.`..p.i. .....@
1 08:00:52.114303 23.48.209.87.37268
US 172.16.90.80.https ZZ
s[50]=..............09`%x<V/.......^qB2..1.....*. ...lz.
d[50]=....Y...U..[.u.B/.*n0i..$.i..yA9.H.>Pg9.l.X .C~..7
Thanks
Monah
On Thu, Oct 18, 2018 at 4:28 AM Carter Bullard <carter at qosient.com> wrote:
> Hey Monah,
> The name is coming from ratop.1 doing a reverse lookup of the address from
> the DNS server you are configured to use. Turn off name resolution to see
> what IP address argus is reporting, then point your system DNS to a server
> that will give you local names.
>
> Carter
> QoSient <http://qosient.com/>
> Carter Bullard <carter at qosient.com>• CTO
> 150 E 57th Street Suite 12D
> New York, New York 10022-2795
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>
> On Oct 17, 2018, at 6:47 PM, Monah Baki <monahbaki at gmail.com> wrote:
>
> Hi all,
>
> We are using akamai WAF services to protect our webserver. Currently
> running the latest argus/client on the webserver. When running ratop, the
> SrcAddr shows only the akamai IP (a23-212-3-119.deploy.static.akamaitechn*)
> hitting our webserver.
> Akamai confirmed True-Client-IP is enabled and we should be able to see
> the real IP in the request header. Can I get this info when using ratop?
>
>
> Trans StartTime SrcAddr Sport sCo DstAddr Dport dCo srcUdata dstUdata
> 14 12:42:39.209029 a23-212-3-119.deploy.static.akamaitechn*.49057
> US www.ntis.gov.https ZZ
> s[50]=............s~V-...Tl....x..`...<.#.4^.+..a ..+...
> d[50]=....Y...U..[.f...=...|.I....:.t..?..:Yc...& O.-G].
> 2 12:45:50.752456 a23-212-53-84.deploy.static.akamaitechn*.61219
> US www.ntis.gov.https ZZ
> s[50]=...........g.....E{.K.:S.4..4.e.F_..^.A."Rx o#Rr&3
> d[50]=....Q...M..[.g>.....*..... ....G.as.V..y..d o#Rr&3
>
>
> Thanks
> Monah
>
>
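Added example, not part of this thread and not argus or Akamai code, to make the two views in the thread concrete: argus/ratop records flows, so on an HTTPS connection it can only ever show the TCP peer (the Akamai edge address such as 23.212.3.119), while True-Client-IP is an HTTP header inside the TLS session and is only visible where TLS is terminated, i.e. at the origin web server. The first function pulls source addresses out of ratop-style lines (a constructed sample in the same layout as the output above); the second shows how an origin should consume True-Client-IP, honouring it only when the connection actually comes from a trusted edge, since any direct client can set that header. The trusted range 23.212.3.0/24 is an assumption taken from the addresses in the thread, not Akamai's published edge list, and the header values are constructed.

```python
import ipaddress
import re
from typing import Iterable, Mapping, Set

# Constructed sample in the layout ratop printed above (Trans, StartTime,
# SrcAddr.Sport, sCo, DstAddr.Dport, dCo); payload columns omitted.
SAMPLE_RATOP = """\
2 07:59:22.790847 23.212.3.119.33852 US 172.16.90.80.https ZZ
9 07:58:10.105559 23.212.3.111.40000 US 172.16.90.80.https ZZ
9 07:58:10.098356 23.212.3.119.61694 US 172.16.90.80.https ZZ
"""

# Assumed trusted edge range: the /24 holding the Akamai addresses seen in the
# thread. A real deployment must use the CDN's published edge address list.
TRUSTED_EDGES = [ipaddress.ip_network("23.212.3.0/24")]

_FLOW_RE = re.compile(
    r"^\s*\d+\s+\d{2}:\d{2}:\d{2}\.\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\.\d+\s"
)


def flow_src_addrs(ratop_text: str) -> Set[str]:
    """Source addresses a flow-level tool sees: always the TCP peer (the edge),
    never the end user behind the CDN."""
    found = set()
    for line in ratop_text.splitlines():
        m = _FLOW_RE.match(line)
        if m:
            found.add(m.group(1))
    return found


def client_ip(peer_ip: str, headers: Mapping[str, str],
              trusted: Iterable[ipaddress.IPv4Network] = TRUSTED_EDGES) -> str:
    """Address the origin should log as the client.

    peer_ip : source of the TCP connection (what argus/ratop reports)
    headers : HTTP request headers, available only after TLS termination

    True-Client-IP is honoured only when the connection arrived from a
    trusted edge; otherwise the header is attacker-controlled and the peer
    address is used instead. Malformed values also fall back to the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("true-client-ip", "").strip()
    if not raw:
        return str(peer)
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return str(peer)


if __name__ == "__main__":
    print("flow-level sources:", sorted(flow_src_addrs(SAMPLE_RATOP)))
    # Constructed request as the origin would see it behind the edge.
    print("origin sees:", client_ip("23.212.3.119",
                                    {"True-Client-IP": "198.51.100.7"}))
    # Same header from a host that is not an edge: ignored.
    print("direct hit:", client_ip("203.0.113.9",
                                   {"True-Client-IP": "198.51.100.7"}))
```

In practice the origin would log the value returned by client_ip (for example in an access-log format) alongside the argus flow records, which remain the place to see the edge addresses and byte counts; the two data sets answer different questions.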