Imperva / Apple Private Relay issues

Lyndon Nerenberg (VE7TFX/VE6BBM) lyndon at orthanc.ca
Thu Sep 15 19:09:22 UTC 2022


We have been receiving a steady stream of calls from customers
complaining they cannot reach our websites when they have Apple's
Private Relay enabled.

For those in the dark, Private Relay sends (only) Safari connections
through an assortment of CDNs to anonymize the client's IP address.

What we are seeing is that, more often than not, connections to our
public servers that route through Imperva's DDoS service do not go
through.  When we look on the uplink interfaces on our firewalls,
there is nothing from those addresses.  But connections to other
hosts in the same cage, but which bypass Imperva, connect fine.

We've opened a ticket, but thus far Imperva's support team has been
unhelpful.  What I'm wondering is if anyone else is seeing similar
behaviour with their Imperva-protected hosts.  A quick way to test
is to turn on Private Relay on an iPhone (System Preferences ->
iCloud -> iCloud -> Private Relay) and then try connecting to a web
service hosted behind Imperva's DDoS service.  For our servers, not
all the connections fail, but a large percentage do, and it's
definitely tied to the proxy address you get assigned (verified
using whatismyip.com).  We are seeing failures on connections relayed
through both Cloudflare and Akamai.  Apple could be using other
CDNs as well, but those are the two we have specifically identified
as having unusable addresses.

--lyndon
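Added example, not part of the post above: when comparing what the firewall uplink sees against the proxy addresses Private Relay hands out, it helps to tag connection-log source addresses as relay egress or not, and to list which egress prefixes never produce a hit. Assumptions not taken from the post: that the relay egress prefixes are available as a CSV whose first column is a prefix (Apple publishes such a list; the URL and exact column layout are an assumption here), and that the log lines contain `src=` fields; the CSV rows and log lines below are constructed samples using documentation ranges.

```python
"""
Added example (not from the original post): correlate connection-log source
addresses with a list of Apple Private Relay egress prefixes.

Assumptions: the egress list is a CSV whose first column is a prefix
(assumed shape "prefix,country,region,city,"); log lines carry "src=<ip>".
Both samples below are constructed, using documentation address ranges.
"""
import ipaddress
import re

# Constructed sample of an egress-prefix CSV (not Apple's real ranges).
SAMPLE_EGRESS_CSV = """\
203.0.113.0/24,US,US-CA,San Francisco,
198.51.100.0/25,CA,CA-BC,Vancouver,
2001:db8:abcd::/48,US,US-WA,Seattle,
2001:db8:ffff::/48,US,US-NY,New York,
"""

# Constructed firewall uplink log lines (hypothetical format).
SAMPLE_LOG = """\
2022-09-15T18:01:02Z ACCEPT src=203.0.113.45 dst=192.0.2.10:443
2022-09-15T18:01:05Z ACCEPT src=192.0.2.200 dst=192.0.2.10:443
2022-09-15T18:01:09Z ACCEPT src=198.51.100.77 dst=192.0.2.10:443
2022-09-15T18:01:12Z ACCEPT src=2001:db8:abcd:1::5 dst=192.0.2.10:443
2022-09-15T18:01:20Z ACCEPT src=198.51.100.200 dst=192.0.2.10:443
"""

SRC_RE = re.compile(r"\bsrc=([0-9a-fA-F:.]+)")


def parse_egress_csv(text):
    """Return the prefixes in the first CSV column as ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix = line.split(",", 1)[0]
        nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def is_relay_address(addr, nets):
    """True if addr falls inside any relay egress prefix (v4/v6 never mix)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def classify_log(log_text, nets):
    """Split source addresses in the log into relay egress and everything else."""
    relay, other = [], []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        (relay if is_relay_address(src, nets) else other).append(src)
    return {"relay": relay, "other": other}


def prefixes_with_no_hits(log_text, nets):
    """Egress prefixes that never appear as a source in the log.

    With a large enough sample, these are the candidates for the
    'this proxy address never reaches us' cases worth raising with the
    upstream DDoS provider.
    """
    seen = [ipaddress.ip_address(ip) for ip in classify_log(log_text, nets)["relay"]]
    return [str(n) for n in nets if not any(ip in n for ip in seen)]


if __name__ == "__main__":
    nets = parse_egress_csv(SAMPLE_EGRESS_CSV)
    result = classify_log(SAMPLE_LOG, nets)
    print("relay egress sources seen:", result["relay"])
    print("non-relay sources seen:  ", result["other"])
    print("egress prefixes with no hits:", prefixes_with_no_hits(SAMPLE_LOG, nets))
```

Feed it the real egress CSV and a firewall export by swapping the two sample strings for file contents; prefixes that stay in the "no hits" list across a decent traffic window are the ones to compare against the addresses whatismyip.com reports on a failing phone.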
