
Kellman Meghu, chief security architect at DeepCove Security, says the activity seen by the SANS Institute’s honeypots isn’t new. But, he added, it only becomes an issue when there is improper access control, or the controls fail.
“Origin web servers should be deployed with access controls, be it security groups or firewall rules, to only ever allow communication with the CDN service,” he said in an email. “Just deploying your web application as accessible to the world, and then overlaying a CDN to act as the front end seems like a terrible waste of money and effort. In today’s world of infrastructure-as-code, this can and should be easy to manage and mitigate as far as risk goes.”
Aditya Sood, VP of security engineering and AI strategy at Aryaka, said in an email that a surge in requests that include CDN-related headers “is clear experimentation from threat actors, and the impersonation isn’t just random noise, it’s reconnaissance. Attackers are probing to uncover the weak origin validation in organizations that are trusting the mere presence of a CDN-specific header instead of enforcing proper controls like IP allowlists, private network peering, or cryptographically validated tokens. When you see multiple CDN fingerprints being spoofed at roughly the same time, it usually means new tooling or automated scanners are being deployed in the wild.”
