AWS Web Application Firewall blocks ISP ranges?

Tom Beecher beecher at beecher.cc
Thu Mar 21 18:08:16 UTC 2024


Lots of people are encountering this, yes.

You can try opening a case yourself, and hope it gets to someone with a
clue. If you don't have a support contract with them, your chances are
almost 0. If you do, your chances are slightly higher, but not by much.
Most likely they will just tell you to 'contact the owner of the thing
you're trying to access and have them customize their WAF rules'.

AWS is doing some REALLY dumb things. For example, if your ASN announces a
single prefix that a 3rd party provider classifies as 'hosting provider',
AWS will flag EVERY prefix from that ASN as 'hosting provider', which are
all blocked in the default managed WAF rules. They also won't tell you in
any circumstance (even if you're a customer who is paying for support) who
that 3rd party provider IS.

Expect a lot of hassle to get this fixed, if you ever can.

On Thu, Mar 21, 2024 at 1:26 PM Jonathan Kalbfeld via NANOG <nanog at nanog.org>
wrote:

> Hi All,
>
> I just became aware that AWS has a list of hosting IP providers and that
> list is blocked by their WAF? (!?!?).  None of my VM or colo customers
> can reach anything in AWS, such as Docker, Twilio, etc.  I confirmed
> through source routing that when I access it using one of my peering
> partners as a source IP it is reachable, but using one of my net blocks, it
> is not reachable and times out.  Checked all of my routing tables and those
> AWS blocks are definitely visible.  Also confirmed from looking glass that
> my IP ranges are showing up.
>
> Has anyone else encountered that? If so, is there a way to get removed
> from that list? I have a very curated list of clients and I know all of
> them personally and none of them have been abusing AWS, so I was wondering
> if it was some kind of blanket ban?
>
> If you're internal to AWS, my ASN is 54380, IP ranges affected are
> 199.33.244.0/24, 199.79.202.0/24, 199.188.96.0/22, 45.59.144.0/22 and
> 206.197.110.0/24
>
> Feel free to reach out off-list.
>
> Thanks,
>
> Jonathan Kalbfeld
>
> Jonathan Kalbfeld
>
> office: +1 310 317 7933
> fax:    +1 310 317 7901
> home:   +1 310 317 7909
> mobile: +1 310 227 1662
>
> ThoughtWave Technologies, Inc.
> Studio City, CA 91604
> https://thoughtwave.com
>
> View our network at
> https://bgp.he.net/AS54380
>
> +1 844 42-LINUX
>
>
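The fix Tom describes lands on the WAF owner, not the blocked network: the owner has to see which managed rule is doing the blocking and then override it. The script below is an added example written for this thread; it is not code from the original posts, from AWS, or from either operator. It assumes the AWS WAF log field names as documented for WAFv2 (`terminatingRuleId`, `ruleGroupList[].terminatingRule.ruleId`, `nonTerminatingMatchingRules`, `httpRequest.clientIp`) and the real managed rule group `AWSManagedRulesAnonymousIpList` with its `HostingProviderIPList` rule. The log lines are constructed; the prefixes are the ones Jonathan lists for AS54380. It tallies blocks attributable to that one rule, grouped by the reported prefixes, and emits the web ACL rule entry that demotes `HostingProviderIPList` to Count so matches stay visible in the logs without dropping traffic.

```python
"""Triage AWS WAF logs for blocks caused by the managed HostingProviderIPList rule.

Added example for this NANOG thread (not the original post's, AWS's, or any
operator's code).  Assumes the WAFv2 log field names as documented by AWS;
the sample log lines below are constructed.
"""
import ipaddress
import json
from collections import Counter

RULE_GROUP = "AWSManagedRulesAnonymousIpList"   # AWS managed rule group
HOSTING_RULE = "HostingProviderIPList"           # rule inside that group

# Prefixes the operator in the thread reports as affected (AS54380).
REPORTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "199.33.244.0/24", "199.79.202.0/24", "199.188.96.0/22",
    "45.59.144.0/22", "206.197.110.0/24",
)]

def _record(client_ip, rule_id, action, terminating=True):
    """Build one constructed WAF log record in the WAFv2 JSON-lines shape."""
    group = {"ruleGroupId": "AWS#" + RULE_GROUP,
             "terminatingRule": None, "nonTerminatingMatchingRules": []}
    if terminating:
        group["terminatingRule"] = {"ruleId": rule_id, "action": action}
    else:
        group["nonTerminatingMatchingRules"] = [{"ruleId": rule_id, "action": action}]
    return json.dumps({
        "timestamp": 1711043176000,
        "action": action if terminating else "ALLOW",
        "terminatingRuleId": "AWS-" + RULE_GROUP if terminating else "Default_Action",
        "terminatingRuleType": "MANAGED_RULE_GROUP" if terminating else "REGULAR",
        "ruleGroupList": [group],
        "httpRequest": {"clientIp": client_ip, "uri": "/v2/", "httpMethod": "GET"},
    })

# Constructed sample: two blocks from reported prefixes, one Count-mode match
# from an unrelated address, one block by a different rule, one garbage line.
SAMPLE_LOG_LINES = [
    _record("199.33.244.10", HOSTING_RULE, "BLOCK"),
    _record("45.59.145.7", HOSTING_RULE, "BLOCK"),
    _record("203.0.113.5", HOSTING_RULE, "COUNT", terminating=False),
    _record("198.51.100.9", "AnonymousIPList", "BLOCK"),
    "not json at all",
]

def parse_log_lines(lines):
    """Yield decoded records, skipping blank or non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def hosting_rule_action(record):
    """Return the action HostingProviderIPList took on this request, or None.

    A block appears as the group's terminatingRule; once the rule is overridden
    to Count it appears under nonTerminatingMatchingRules instead.
    """
    for group in record.get("ruleGroupList", []):
        term = group.get("terminatingRule") or {}
        if term.get("ruleId") == HOSTING_RULE:
            return term.get("action", record.get("action"))
        for rule in group.get("nonTerminatingMatchingRules", []):
            if rule.get("ruleId") == HOSTING_RULE:
                return rule.get("action", "COUNT")
    return None

def summarize(lines):
    """Tally HostingProviderIPList hits by action, by reported prefix, and other IPs."""
    by_action, by_prefix, other_ips = Counter(), Counter(), Counter()
    for record in parse_log_lines(lines):
        action = hosting_rule_action(record)
        if action is None:
            continue
        by_action[action] += 1
        client_ip = ipaddress.ip_address(record["httpRequest"]["clientIp"])
        prefix = next((str(p) for p in REPORTED_PREFIXES if client_ip in p), None)
        if prefix:
            by_prefix[prefix] += 1
        else:
            other_ips[str(client_ip)] += 1
    return {"by_action": by_action, "by_prefix": by_prefix, "other_ips": other_ips}

def count_override_rule(priority=1):
    """Web ACL rule entry (WAFv2 Rule shape) keeping the group but demoting the rule to Count."""
    return {
        "Name": "AWS-" + RULE_GROUP,
        "Priority": priority,
        "OverrideAction": {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": RULE_GROUP,
            "RuleActionOverrides": [
                {"Name": HOSTING_RULE, "ActionToUse": {"Count": {}}},
            ],
        }},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "AnonymousIpList"},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG_LINES))
    print(json.dumps(count_override_rule(), indent=2))
```

Run it against real WAF logs by feeding the file's lines to `summarize()`; a non-empty `by_prefix` confirms the blocks come from this rule rather than from a rate limit or the common rule set. Where the owner wants to keep the rule in Block mode for everyone else, the alternative is an Allow rule with an `IPSetReferenceStatement` for the partner's prefixes at a lower `Priority` number than the managed group, so it is evaluated first.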