I have a client with a /24 that has somehow been blocked by folks using the Akamai WAF. This is the response we received back from Akamai when we contacted them.
On checking the machine logs for ups.com, we found that there is WAF (web application firewall) configured by ups.com, this has to be fixed from the site owners end.
This is happening with multiple sites, southwest.com is another. I find it odd multiple sites are doing this at the same time. If just one I would believe it was a manual configuration. It seems like something has triggered it. Can someone shed some light on how the WAF works?
Justin Wilson
j2sw@mtin.net
www.mtin.net
www.midwest-ix.com
Hi,
> On 18 May 2018, at 16:22, Justin Wilson <lists@mtin.net> wrote:
> I have a client with a /24 that has somehow been blocked by folks using the Akamai WAF. This is the response we received back from Akamai when we contacted them.
> On checking the machine logs for ups.com, we found that there is WAF (web application firewall) configured by ups.com, this has to be fixed from the site owners end.
> This is happening with multiple sites, southwest.com is another. I find it odd multiple sites are doing this at the same time. If just one I would believe it was a manual configuration. It seems like something has triggered it. Can someone shed some light on how the WAF works?
As far as I know they have some kind of scoring in place for end users' IPs, so if there is a malicious IP inside the /24 (from Akamai’s WAF point of view) then the scoring can affect other WAFed services as well.
BR, ic
Seems like they need a mechanism for stuff like this and not just pushing it off to their clients whose first line support systems aren't geared towards dealing with this kind of stuff.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Michel 'ic' Luczak" <lists@benappy.com>
To: "Justin Wilson" <lists@mtin.net>
Cc: "NANOG" <nanog@nanog.org>
Sent: Friday, May 18, 2018 9:43:26 AM
Subject: Re: Akamai WAF
Hi,
> On 18 May 2018, at 16:22, Justin Wilson <lists@mtin.net> wrote:
> I have a client with a /24 that has somehow been blocked by folks using the Akamai WAF. This is the response we received back from Akamai when we contacted them.
> On checking the machine logs for ups.com, we found that there is WAF (web application firewall) configured by ups.com, this has to be fixed from the site owners end.
> This is happening with multiple sites, southwest.com is another. I find it odd multiple sites are doing this at the same time. If just one I would believe it was a manual configuration. It seems like something has triggered it. Can someone shed some light on how the WAF works?
As far as I know they have some kind of scoring in place for end users' IPs, so if there is a malicious IP inside the /24 (from Akamai’s WAF point of view) then the scoring can affect other WAFed services as well.
BR, ic
Greetings,
On 05/18/2018 08:23 PM, Mike Hammett wrote:
> Seems like they need a mechanism for stuff like this and not just pushing it off to their clients whose first line support systems aren't geared towards dealing with this kind of stuff.
I agree that 1st level in 2018, for the most part, is not geared for this kind of thing. The UCE abuse lists as well as various filters on the network ought to have a way to block something more specific than a /24.
regards, J
participants (4): Jeff, Justin Wilson, Michel 'ic' Luczak, Mike Hammett