Updated bulletin: Product Bulletin #1064A
Subject: ThreatDV - Reputation Handling of Content Delivery Networks (CDN) and Cloud Service Providers (CSP)
Date of Announcement: December 1, 2016
Trend Micro™ TippingPoint would like to make our customers aware of an ongoing effort to improve the metadata and policy enforcement for our ThreatDV Reputation product. For the last several months, there has been a spike in malicious content served up on IP addresses hosted by Cloud Service Providers (CSP) and Content Delivery Networks (CDN). As there has not been a historically high volume of malicious content in this area, the current ThreatDV Reputation solution does not have metadata tagging the IP addresses as CSP or CDN.
Customers may experience disruption to certain content providers when enforcing policy on such IP addresses, which are often scored as highly malicious in our Reputation product. The reason for this is that a single IP address in a CSP such as Amazon Web Services may serve as a proxy IP for hundreds or even thousands of additional IPs in the cloud service provider network. This can cause confusion as blocking the IP will block the malicious content being delivered, but will also block additional content that may or may not be malicious by nature, and could result in a disruption of business operations. Trend Micro TippingPoint has taken the steps to temporarily allow certain CDN entries from feed providers, and there is an ongoing engineering effort to map the IP space for common CSPs and CDNs in order to provide meta data for each IP in the Reputation database, effectively allowing for policy enforcement at the CDN or CSP level.
While this engineering effort is undergoing, there are several options available to customers. Nearly all of the CDN/CSP entries are in a feed from a mobile threat provider. As the Mobile category for Reputation constitutes well under 1% of the total Reputation feed, it is relatively low impact from a security perspective to disable the category if website availability and CSP or CDN access is of utmost importance for business operations. As a secondary option, customers can allow single or multiple entries that are impactful to CSP or CDN access. We are working diligently to provide a solution for tagging CDN and CSP and ultimately allowing for the enforcement of policy at our customer's discretion.
If you have concerns or further questions regarding this issue, contact the Trend Micro TippingPoint Technical Assistance Center (TAC).
Trend Micro™ TippingPoint
For updated contact information, please click here.