Tighten Down Those TLS Settings, and Enhance Your Error Handling, Microsoft and Akamai
I was doing some rule tracing and noticed these requests for akamaized.net (img-prod-cms-rt-microsoft-com.akamaized.net)—hordes of them. There were so many that they made the rule trace difficult to read. So, I started digging.
The User-Agent string is Microsoft Edge's (yes, an exact match)—but I'm not running Microsoft Edge. I tried blocking it (just for me), and nothing complained.
I started doing Internet searches for the host name. About the tenth link down, someone had written a script to pull these things—to get the "imageFileData". So, I pulled one down to an appliance with curl, and it was clearly binary. I copied it from the appliance to my laptop, and it turned out to be a JPEG, a pretty image of thatch umbrellas on a beach:
This looked very much like the kind of image we see on our Windows 10 login screens. But why is it pulling so many?
So, I thought I’d grab another, this time using my browser through the proxy… Bam, Failed SSL Handshake for “Unsafe Legacy Renegotiation”.
So, I put an exception in allowing unsafe legacy renegotiation (they're just images, right?), and now it’s quieted down. Go figure.
Hey Microsoft and Akamai, TLS settings: RFC 5746 is a thing (I submitted the hostname to Qualys SSL Labs). And just spewing hordes of requests into the same error over and over again is the definition of insanity. It almost made me crazy. (And I almost had it flagged as beaconing.)
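As an added illustration that is not part of the original post, here is a small Python check over constructed proxy log lines: it counts identical SSL handshake failures per client and host so that a retry storm like this one surfaces as a TLS configuration problem to fix, not as a beacon to chase. The log format and the status/reason tokens are assumed for the example and are not any appliance's real format.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed format, not a real proxy's):
# <timestamp> <client_ip> <host> <status> <detail>
SAMPLE_LOG = """\
2023-01-01T10:00:00Z 10.0.0.5 img-prod-cms-rt-microsoft-com.akamaized.net TCP_ERR_SSL_HANDSHAKE unsafe_legacy_renegotiation
2023-01-01T10:00:00Z 10.0.0.5 img-prod-cms-rt-microsoft-com.akamaized.net TCP_ERR_SSL_HANDSHAKE unsafe_legacy_renegotiation
2023-01-01T10:00:01Z 10.0.0.5 www.example.com TCP_HIT -
2023-01-01T10:00:01Z 10.0.0.5 img-prod-cms-rt-microsoft-com.akamaized.net TCP_ERR_SSL_HANDSHAKE unsafe_legacy_renegotiation
2023-01-01T10:00:02Z 10.0.0.9 expired.example.net TCP_ERR_SSL_HANDSHAKE certificate_expired
2023-01-01T10:00:02Z 10.0.0.5 img-prod-cms-rt-microsoft-com.akamaized.net TCP_ERR_SSL_HANDSHAKE unsafe_legacy_renegotiation
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
HANDSHAKE_FAIL = "TCP_ERR_SSL_HANDSHAKE"  # assumed status token for the example


def parse(log_text):
    """Yield (client, host, status, detail) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, host, status, detail = m.groups()
            yield client, host, status, detail


def failed_handshakes(log_text):
    """Count handshake failures keyed by (client, host, reason)."""
    counts = Counter()
    for client, host, status, detail in parse(log_text):
        if status == HANDSHAKE_FAIL:
            counts[(client, host, detail)] += 1
    return counts


def retry_storms(log_text, threshold=3):
    """Return (client, host, reason, count) where one client repeats the same
    TLS failure against one host at least `threshold` times. That pattern is a
    client that never learns from the error (here: a server lacking RFC 5746
    secure renegotiation), so triage it as a configuration defect, not a beacon."""
    return sorted(
        (client, host, reason, n)
        for (client, host, reason), n in failed_handshakes(log_text).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for client, host, reason, n in retry_storms(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} x {reason}")
```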