Fastly HTTP Requests from Security Scanner

fastly

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1190-exploit-public-facing-application

Set up the fastly integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent.

Strategy

Inspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an INFO signal.

Triage and response

  1. Determine if this IP is making authenticated requests to the application.
  2. If the IP is making authenticated requests to the application:
    • Investigate the HTTP logs and determine if the user is attacking your application.

The HTTP headers in the query are from darkqusar’s gist.