AWS WAF list

Sun Feb 18 16:51:34 UTC 2024

The whole situation with these WAF as a service setups is a nightmare for the affected (afflicted) parties. 

I saw this problem from both sides when I was at Akamai. It’s not great from the service provider side, but it’s an absolute shit show for anyone on the wrong side of a block. There’s no accountability or process for redress of errors whatsoever. The impacted party isn’t a customer of the WAF publisher, so they cant get any traction there. The WAF subscriber blindly applies the WAF and it’s virtually impossible to track down anyone there who even knows that they subscribe to such a thing, let alone get them to take useful action. 

Best of luck.  The only thing I saw that worked while I was at Akamai was a few entities subscribed to the WAF service and then complained about getting blocked from their own web sites. Since they were then Akamai WAF customers, they could get Akamai to take action. 

Crazy.

Owen

> On Feb 16, 2024, at 09:19, Justin H. <justindh.ml at gmail.com> wrote:
> 
> Justin H. wrote:
>> Hello,
>> 
>> We found out recently that we are on the HostingProviderIPList (found here https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html) at AWS and it's affecting our customers' access to various websites.  We are a datacenter, and a hosting provider, but we have plenty of enterprise customers with eyeballs.
>> 
>> We're finding it difficult to find a technical contact that we can reach since we're not an AWS customer.  Does anyone have a contact or advice on a solution?
> Sadly we're not getting any traction from standard AWS support, and end users of the WAF list like Reddit and Eventbrite are refusing to whitelist anyone.  Does anyone have any AWS contacts that might be able to assist?  Our enterprise customers are becoming more and more impacted.
> 
> Justin H.