Imperva / Apple Private Relay issues
We have been receiving a steady stream of calls from customers complaining they cannot reach our websites when they have Apple's Private Relay enabled. For those in the dark, Private Relay sends (only) Safari connections through an assortment of CDNs to anonymize the client's IP address. What we are seeing is that, more often than not, connections to our public servers that route through Imperva's DDoS service do not go through. When we look on the uplink interfaces on our firewalls, there is nothing from those addresses. But connections to other hosts in the same cage, which bypass Imperva, connect fine. We've opened a ticket, but thus far Imperva's support team has been unhelpful. What I'm wondering is if anyone else is seeing similar behaviour with their Imperva-protected hosts. A quick way to test is to turn on Private Relay on an iPhone (System Preferences -> iCloud -> iCloud -> Private Relay) and then try connecting to a web service hosted behind Imperva's DDoS service. For our servers, not all the connections fail, but a large percentage do, and it's definitely tied to the proxy address you get assigned (verified using whatismyip.com). We are seeing failures on connections relayed through both Cloudflare and Akamai. Apple could be using other CDNs as well, but those are the two we have specifically identified as having unusable addresses.

--lyndon
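The post above describes looking at firewall uplink logs for traffic from Private Relay egress addresses and finding none. The following is an added example, not code from the thread or from Imperva or Apple: it classifies source IPs in a firewall log against Apple's published Private Relay egress list (https://mask-api.icloud.com/egress-ip-ranges.csv) so an operator can tell whether relayed connections are reaching the uplink at all. The CSV column layout (prefix, country, region, city, trailing field), the egress prefixes, and the log line format are all constructed or assumed here; a real run would feed the downloaded CSV and the actual uplink log into the same functions.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed layout of Apple's egress list:
# prefix,country,region,city,<trailing field>. These prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real relay egress ranges.
SAMPLE_EGRESS_CSV = """\
192.0.2.0/26,US,US-CA,San Jose,
192.0.2.64/26,US,US-NY,New York,
2001:db8:100::/48,CA,CA-BC,Vancouver,
"""

# Constructed firewall uplink log lines in a hypothetical format:
# <timestamp> <src-ip> <dst-ip:port> <action>
SAMPLE_FW_LOG = """\
2022-09-15T20:10:01Z 192.0.2.17 203.0.113.10:443 ACCEPT
2022-09-15T20:10:02Z 198.51.100.9 203.0.113.10:443 ACCEPT
2022-09-15T20:10:05Z 2001:db8:100::1a 203.0.113.10:443 ACCEPT
2022-09-15T20:10:07Z 192.0.2.200 203.0.113.10:443 ACCEPT
"""


def load_egress_ranges(text):
    """Parse the egress CSV into (network, label) pairs, skipping malformed rows."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            # A header line or junk row is not a prefix; ignore it.
            continue
        label = ",".join(col.strip() for col in row[1:4])
        ranges.append((net, label))
    return ranges


def classify_ip(ip_text, ranges):
    """Return the egress label (country,region,city) if ip_text is a relay
    egress address, otherwise None. Raises ValueError on a non-IP string."""
    ip = ipaddress.ip_address(ip_text)
    for net, label in ranges:
        # ip in net is False across address families; the version check
        # just makes that explicit.
        if ip.version == net.version and ip in net:
            return label
    return None


def relay_sources_in_log(log_text, ranges):
    """Count, per source IP, the log lines whose source is a relay egress
    address. An empty result over a busy uplink log is the symptom the
    thread describes: relayed clients never reach the firewall."""
    counts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        src = parts[1]
        try:
            label = classify_ip(src, ranges)
        except ValueError:
            continue
        if label is not None:
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    ranges = load_egress_ranges(SAMPLE_EGRESS_CSV)
    for src, n in relay_sources_in_log(SAMPLE_FW_LOG, ranges).items():
        print(f"{src}: {n} connection(s) from {classify_ip(src, ranges)}")
```

Running this against the constructed samples reports two relay egress sources (192.0.2.17 and 2001:db8:100::1a); 192.0.2.200 sits outside both IPv4 prefixes and 198.51.100.9 is not in the list at all. Comparing the same count for a host behind the DDoS service with one that bypasses it is the log-side version of the phone test in the post.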
I've tested accessing one of our sites that uses Imperva WAF w/ DDOS protection enabled from an iPhone w/ Apple Private Relay turned on. I experienced no issues but only have that single test to go on.

-----Original Message-----
From: NANOG <nanog-bounces+rschoneman=blumenthalarts.org@nanog.org> On Behalf Of Lyndon Nerenberg (VE7TFX/VE6BBM)
Sent: Thursday, September 15, 2022 3:09 PM
To: nanog@nanog.org
Subject: Imperva / Apple Private Relay issues
Robert Schoneman writes:
I've tested accessing one of our sites that uses Imperva WAF w/ DDOS protection enabled from an iPhone w/ Apple Private Relay turned on. I experienced no issues but only have that single test to go on.
A couple of people from Cloudflare and Apple contacted me directly. They did some poking around internally but didn't really find anything. And the problem seemed to clear itself up over the weekend. At this point I'm chalking it up to some transient routing issues upstream of Imperva that sorted themselves out. Thanks to everyone who replied off-list and offered to help!

--lyndon
PPS... the firewall here or congestion services kicked in here limiting your connection rate. 3k, 4k, 5k responses coming from a single route of origin. You've been cut off! By whom IDK. Contact Imperva?
On Sep 15, 2022, at 14:09, Lyndon Nerenberg (VE7TFX/VE6BBM) <lyndon@orthanc.ca> wrote:
What we are seeing is that, more often than not, connections to our public servers that route through Imperva's DDoS service do not go through.
--
J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.