
On 5/23/25 11:19, Jon Meek via NANOG wrote:
These errors / blocks are due to Akamai customers using tools and data provided by Akamai to handle things like geo-restriction and (perceived) DoS attacks. You do have to deal with the Akamai customer for these issues, and some of our NAT addresses have been blocked by Macy's in the past, probably due to a large number of Macy's shoppers being behind a single IPv4 address...
Here is the Akamai Client Reputation check: https://www.akamai.com/us/en/clientrep-lookup/ That tool will only check the source IP address from which it is accessed. There is no way to check on another address.
This isn't limited to Akamai. Basically all CDNs have similar web application firewall (WAF) features, and lots of site admins somewhat naively turn them up to 11.

I've noticed an increasing number of Cloudflare client intercepts recently not just on the small SP I run but even from clients on mainstream ISPs like Spectrum and T-Mobile, and I've even gotten outright 403'd by several places in my attempt to give them my money and buy stuff from them and at baffling parts of the process e.g. after getting a user login page and providing valid credentials but before the subsequent redirect to resources requiring auth.

I don't know what everybody is trying so hard to protect against, but the collateral damage has to be huge. I assume potential sales are lost somewhat frequently.

Given how often this question comes up, the CDNs should probably be more clear and up front about what the various WAF settings do and why or why NOT a user may want to enable various options. I think doing so could make everybody happy: end users, site operators, and the CDNs (by way of making the site operators happier).

--
Brandon Martin