and it's affecting our customers' access to various ===>> websites.<<===
There must be a reason why the web site chooses the WAF list to block out the victim? If so why not the victim to contact the website to request them to talk to the waf list provider to remove victim ip block?
Edy
From: NANOG <nanog-bounces+email=edylie.net@nanog.org> On Behalf Of Owen DeLong via NANOG
Sent: Wednesday, 21 February 2024 7:04 am
To: joel@joelesler.net
Cc: NANOG <nanog@nanog.org>
Subject: Re: AWS WAF list
Unfortunately, the victim doesn’t chose the WAF list, the web site that is causing the victim grief chooses the WAF list.
Owen
On Feb 20, 2024, at 14:15, joel@joelesler.net wrote:
There are other WAF lists available on AWS besides their native one. Ones that have support.
On Feb 20, 2024, at 16:18, George Herbert <george.herbert@gmail.com> wrote:
This is terrible advice, but you might need another netblock for the eyeballs. Possibly a small one with enterprise NAT, but something outside the AWS list ranges...
-George
On Mon, Feb 19, 2024 at 7:35 PM Justin H. <justindh.ml@gmail.com> wrote:
That matches my experience with these types of problems in the past.
Especially when the end-users don't have a process for white-listing.
We actually got a response from one WAF user to "connect to another
network to log in, then you should be able to use the site, because it's
just the login page that's protected".
I am working with someone off-list, so I have hope this can be resolved
without account gymnastics. :)
Justin H.
Owen DeLong wrote:
> The whole situation with these WAF as a service setups is a nightmare for the affected (afflicted) parties.
>
> I saw this problem from both sides when I was at Akamai. It’s not great from the service provider side, but it’s an absolute shit show for anyone on the wrong side of a block. There’s no accountability or process for redress of errors whatsoever. The impacted party isn’t a customer of the WAF publisher, so they cant get any traction there. The WAF subscriber blindly applies the WAF and it’s virtually impossible to track down anyone there who even knows that they subscribe to such a thing, let alone get them to take useful action.
>
> Best of luck. The only thing I saw that worked while I was at Akamai was a few entities subscribed to the WAF service and then complained about getting blocked from their own web sites. Since they were then Akamai WAF customers, they could get Akamai to take action.
>
> Crazy.
>
> Owen
>
>
>> On Feb 16, 2024, at 09:19, Justin H. <justindh.ml@gmail.com> wrote:
>>
>> Justin H. wrote:
>>> Hello,
>>>
>>> We found out recently that we are on the HostingProviderIPList (found here https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html) at AWS and it's affecting our customers' access to various websites. We are a datacenter, and a hosting provider, but we have plenty of enterprise customers with eyeballs.
>>>
>>> We're finding it difficult to find a technical contact that we can reach since we're not an AWS customer. Does anyone have a contact or advice on a solution?
>> Sadly we're not getting any traction from standard AWS support, and end users of the WAF list like Reddit and Eventbrite are refusing to whitelist anyone. Does anyone have any AWS contacts that might be able to assist? Our enterprise customers are becoming more and more impacted.
>>
>> Justin H.
--
-george william herbert
george.herbert@gmail.com