[AusNOG] AWS CloudFront Issues
Robert Hudson
hudrob at gmail.com
Sat Feb 8 12:56:42 AEDT 2025
Thanks for the heads-up Jennifer. This is the primary reason I raised the
issue with the AusNOG community - to see if we're alone in seeing this, and
to get information on this out there for discussion (and to hopefully help
some others who were seeing similar things and a bit stuck).
The splash damage from this is horrendous - we've had legitimate domains
(and sub-domains) that offer legitimate services to corporate customers now
flagged as phishing because once the Eye of Sauron saw us, it took a good
hard look at everything we do, and a bunch of legitimate sites are now being
flagged as "potentially" phishing after a single report (when some of these
sites have run for years now).
We'll have to change how we do a few things - but the pain the simple
deployment of a few IPs with a bad reputation has caused will ripple
through our business for months now.
On Sat, 8 Feb 2025 at 10:05, Jennifer Sims <jenn at jenn.id.au> wrote:
> As a side note, I've had 7 emails from AWS SES hosted domains trying to
> phish for information. Looks like there has been a spate of insecure
> systems again on the web being used by bad actors. It wouldn't shock me
> given the bucket issues also reported on as well that some dodgy phishing
> sites are being hidden behind CloudFront.
>
> As I found a heap behind Akamai.
>
> On 8 Feb 2025, at 08:48, Robert Hudson <hudrob at gmail.com> wrote:
>
>
> As a follow-up.
>
> Yes, we raised a ticket with AWS for this.
>
> The compounding issue was that the IPs were then associated with a number
> of domains/sub-domains, some of which are not only presented via
> CloudFront, and it took some time to get agreement on this point.
>
> The IPs were removed, and security services are slowly backing down (we
> started with 7 services as tracked by VirusTotal marking us as malicious,
> it crept up to 12, it's now down to 11).
>
> Hopefully we're on the path to redemption. But it's a slow journey.
>
> I suspect the longer term solution to prevent this occurring again is to
> move to static IP assignments where we use CloudFront - not exactly cheap,
> but cheaper than what's happened here.
>
> On Fri, 7 Feb 2025, 2:29 pm Robert Hudson, <hudrob at gmail.com> wrote:
>
>> Hi all,
>>
>> Is anyone else seeing AWS CloudFront "fronted" domains being marked as
>> malicious or hosting phishing?
>>
>> We have one domain being marked as such right now after four new IP
>> addresses which were previously hosting malware and phishing attempts were
>> apparently added by AWS to a pool used by CloudFront.
>>
>> It's causing quite the drama for us, was just wondering if it's a bit
>> more widespread...
>>