AnsweredAssumed Answered

Pandora Streaming Traffic intermittently 'redirected' as Malicous

Question asked by Daniel Morin on Apr 26, 2018
Latest reply on Apr 26, 2018 by Dameon Welch Abernathy

We just recently received complaints that in the last 2 weeks streaming Pandora audio on our guest network intermittently freezes.   Restarting the Pandora session fixes the problem

 

Our guest WiFi network has a separate VLAN and internet connection than all of our other traffic.

We have a rule in our Application policy to block access to malicious sites originating from our guest VLANs, based on the Checkpoint pre-defined application category.

What we found in our logs was that intermittently Pandora traffic is 'redirected', being associated with the Phishing category.  Most of such entries are flagging URL similar to http://cont-4.p-cdn.us/images/public/amz/8/4/2/7/800027248_500W_500H.jpg as phishing, where cont-4.p-cdn.us resolves to 208.85.44.21, which has PTR of mediaserver-cont-dc6-1-v4.pandora.com so it is one of Pandora's IPs.

 

Checkpoint Support has had us add a rule above the Guest - Block Malicious Sites to specifically allow traffic classified as Pandora, but still we see redirects I just described.  We haven't received any further complaints though since having added the rule Support had suggested but these redirect entries associated with Pandora IPs I still see in the Block rule troubles me.

Looking further at the logs, I'm seeing log entries associated with the Block rule within 2 hours after having added the Allow Pandora rule where the log entry shows the category as Pandora, usrcheck message claiming access to b.scorecardresearch.com is blocked by our security policy.   Since b.scorecardresearch.com resolves to 96.16.98.73, why was it associated with Pandora traffic destined to mediaserver-ch1-t3-2-v4.pandora.com (208.85.44.28)?

 

Is anyone else seeing Pandora traffic affected as potentially malicious Phishing traffic?

Outcomes