[AusNOG] AWS CloudFront Issues
Mitch Kelly
mitchkelly24 at gmail.com
Sun Feb 9 21:19:54 AEDT 2025
Sadly also having issues with CloudFront. Issues started to show their head
Tuesday last week and have been getting worse, with many sites not working
at all.
On Sun, 9 Feb 2025, 2:24 pm Robert Hudson, <hudrob at gmail.com> wrote:
> Agree entirely.
>
> It's gotten worse (sadly) rather than better - sibling domains (including
> one that the DNS is public, but only resolves to RFC1918 IPs) that didn't
> share the IPs in question are now being reported as hosting malicious or
> phishing content.
>
> On Sat, 8 Feb 2025 at 13:09, Andras Toth <diosbejgli at gmail.com> wrote:
>
>> This is why IP based reputation and filtering just doesn't work in
>> today's world of public clouds with shared tenancy. This problem isn't
>> unique to AWS nor CloudFront.
>>
>> Andras
>>
>> On 8 Feb 2025, at 12:57, Robert Hudson <hudrob at gmail.com> wrote:
>>
>>
>> Thanks for the heads-up Jennifer. This is the primary reason I raised
>> the issue with the AusNOG community - to see if we're alone in seeing this,
>> and to get information on this out there for discussion (and to hopefully
>> help some others who were seeing similar things and a bit stuck).
>>
>> The splash damage from this is horrendous - we've had legitimate domains
>> (and sub-domains) that offer legitimate services to corporate customers now
>> flagged as phishing because once the Eye of Sauron saw us, it took a good
>> hard look at everything we do, and a bunch of legitimate sites are now being
>> flagged as "potentially" phishing after a single report (when some of these
>> sites have run for years now).
>>
>> We'll have to change how we do a few things - but the pain the simple
>> deployment of a few IPs with a bad reputation has caused will ripple
>> through our business for months now.
>>
>> On Sat, 8 Feb 2025 at 10:05, Jennifer Sims <jenn at jenn.id.au> wrote:
>>
>>> As a side note, I've had 7 emails from AWS SES hosted domains trying to
>>> phish for information. Looks like there has been a spate of insecure
>>> systems again on the web being used by bad actors. It wouldn't shock me
>>> given the bucket issues also reported on as well that some dodgy phishing
>>> sites are being hidden behind CloudFront.
>>>
>>> As I found a heap behind Akamai.
>>>
>>> On 8 Feb 2025, at 08:48, Robert Hudson <hudrob at gmail.com> wrote:
>>>
>>>
>>> As a follow-up.
>>>
>>> Yes, we raised a ticket with AWS for this.
>>>
>>> The compounding issue was that the IPs were then associated with a
>>> number of domains/sub-domains, some of which are not only presented via
>>> CloudFront, and it took some time to get agreement on this point.
>>>
>>> The IPs were removed, and security services are slowly backing down (we
>>> started with 7 services as tracked by VirusTotal marking us as malicious,
>>> it crept up to 12, it's now down to 11).
>>>
>>> Hopefully we're on the path to redemption. But it's a slow journey.
>>>
>>> I suspect the longer term solution to prevent this occurring again is to
>>> move to static IP assignments where we use CloudFront - not exactly cheap,
>>> but cheaper than what's happened here.
>>>
>>> On Fri, 7 Feb 2025, 2:29 pm Robert Hudson, <hudrob at gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Is anyone else seeing AWS CloudFront "fronted" domains being marked as
>>>> malicious or hosting phishing?
>>>>
>>>> We have one domain being marked as such right now after four new IP
>>>> addresses which were previously hosting malware and phishing attempts were
>>>> apparently added by AWS to a pool used by CloudFront.
>>>>
>>>> It's causing quite the drama for us, was just wondering if it's a bit
>>>> more widespread...
>>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>>