[AusNOG] AWS CloudFront Issues
Robert Hudson
hudrob at gmail.com
Mon Feb 10 07:42:28 AEDT 2025
Absolutely.
Doesn't make it easier though when certain providers spread the problem
around by re-using compromised IPs.
On Sun, 9 Feb 2025 at 23:43, Jennifer Sims <jenn at jenn.id.au> wrote:
> Sadly these days, bad actors will target any machine they can get into,
> it's not unique to AWS, Cloudfront, Akamai etc etc etc.
>
> On Sun, Feb 9, 2025 at 9:20 PM Mitch Kelly <mitchkelly24 at gmail.com> wrote:
>
>> Sadly also having issues with CloudFront. Issues started to show their
>> head Tuesday last week and have been getting worse. With many sites not
>> working at all.
>>
>> On Sun, 9 Feb 2025, 2:24 pm Robert Hudson, <hudrob at gmail.com> wrote:
>>
>>> Agree entirely.
>>>
>>> It's gotten worse (sadly) rather than better - sibling domains
>>> (including one whose DNS is public, but which only resolves to RFC1918 IPs)
>>> that didn't share the IPs in question are now being reported as hosting
>>> malicious or phishing content.
>>>
>>> On Sat, 8 Feb 2025 at 13:09, Andras Toth <diosbejgli at gmail.com> wrote:
>>>
>>>> This is why IP based reputation and filtering just doesn't work in
>>>> today's world of public clouds with shared tenancy. This problem isn't
>>>> unique to AWS nor CloudFront.
>>>>
>>>> Andras
>>>>
>>>> On 8 Feb 2025, at 12:57, Robert Hudson <hudrob at gmail.com> wrote:
>>>>
>>>>
>>>> Thanks for the heads-up Jennifer. This is the primary reason I raised
>>>> the issue with the AusNOG community - to see if we're alone in seeing this,
>>>> and to get information on this out there for discussion (and to hopefully
>>>> help some others who were seeing similar things and a bit stuck).
>>>>
>>>> The splash damage from this is horrendous - we've had legitimate
>>>> domains (and sub-domains) that offer legitimate services to corporate
>>>> customers now flagged as phishing because once the Eye of Sauron saw us, it
>>>> took a good hard look at everything we do, and a bunch of legitimate sites
>>>> are now being flagged as "potentially" phishing after a single report (when
>>>> some of these sites have run for years now).
>>>>
>>>> We'll have to change how we do a few things - but the pain the simple
>>>> deployment of a few IPs with a bad reputation has caused will ripple
>>>> through our business for months now.
>>>>
>>>> On Sat, 8 Feb 2025 at 10:05, Jennifer Sims <jenn at jenn.id.au> wrote:
>>>>
>>>>> As a side note, I've had 7 emails from AWS SES hosted domains trying
>>>>> to phish for information. Looks like there has been a spate of insecure
>>>>> systems again on the web being used by bad actors. It wouldn't shock me,
>>>>> given the bucket issues also being reported, that some dodgy phishing
>>>>> sites are being hidden behind CloudFront.
>>>>>
>>>>> As I found a heap behind Akamai.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On 8 Feb 2025, at 08:48, Robert Hudson <hudrob at gmail.com> wrote:
>>>>>
>>>>>
>>>>> As a follow-up.
>>>>>
>>>>> Yes, we raised a ticket with AWS for this.
>>>>>
>>>>> The compounding issue was that the IPs were then associated with a
>>>>> number of domains/sub-domains, some of which are not only presented via
>>>>> CloudFront, and it took some time to get agreement on this point.
>>>>>
>>>>> The IPs were removed, and security services are slowly backing down
>>>>> (we started with 7 services as tracked by VirusTotal marking us as
>>>>> malicious, it crept up to 12, it's now down to 11).
>>>>>
>>>>> Hopefully we're on the path to redemption. But it's a slow journey.
>>>>>
>>>>> I suspect the longer term solution to prevent this occurring again is
>>>>> to move to static IP assignments where we use CloudFront - not exactly
>>>>> cheap, but cheaper than what's happened here.
>>>>>
>>>>> On Fri, 7 Feb 2025, 2:29 pm Robert Hudson, <hudrob at gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Is anyone else seeing AWS CloudFront "fronted" domains being marked
>>>>>> as malicious or hosting phishing?
>>>>>>
>>>>>> We have one domain being marked as such right now after four new IP
>>>>>> addresses which were previously hosting malware and phishing attempts were
>>>>>> apparently added by AWS to a pool used by CloudFront.
>>>>>>
>>>>>> It's causing quite the drama for us; I was just wondering if it's a bit
>>>>>> more widespread...
>>>>>>
>>>>> _______________________________________________
>>>>> AusNOG mailing list
>>>>> AusNOG at lists.ausnog.net
>>>>> https://lists.ausnog.net/mailman/listinfo/ausnog
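The thread's recurring point (Andras's remark that IP-based reputation breaks down behind shared cloud pools, and Robert's sibling domain that resolves only to RFC1918 addresses yet got flagged) can be made concrete with a small triage script. This is an added example, not code from the thread or from AWS or any reputation vendor; the hostnames, addresses and the one-entry blocklist are constructed sample data, and the RFC1918 check and the "domain evidence beats IP hit" ordering are this example's own design choices.

```python
"""Triage 'malicious/phishing' verdicts for names behind a shared CDN pool.

Added illustration, not code from the AusNOG thread. All hostnames,
addresses, blocklist entries and 'evidence' below are constructed; the
TEST-NET-3 range (203.0.113.0/24) stands in for a shared CDN pool.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed: what DNS currently returns for each hostname.
RESOLUTIONS: Dict[str, List[str]] = {
    "shop.example.com": ["203.0.113.10", "203.0.113.11"],    # shared CDN pool
    "portal.example.com": ["203.0.113.10", "203.0.113.12"],  # same tenant, same pool
    "intranet.example.com": ["10.20.30.40"],                 # public DNS, RFC1918 answer
    "attacker.example.net": ["203.0.113.11"],                # tenant that earned the listing
}

# Constructed: addresses a reputation feed has flagged.
IP_BLOCKLIST: Set[str] = {"203.0.113.11"}

# Constructed: hostnames with a direct report (URL, sample, screenshot), i.e.
# evidence about the name itself rather than about an address it shares.
DOMAIN_EVIDENCE: Set[str] = {"attacker.example.net"}

# RFC1918 private ranges, checked explicitly rather than via ip.is_private,
# because Python also treats the TEST-NET documentation ranges as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_only(addrs: Iterable[str]) -> bool:
    """True when every answer is an RFC1918 address: such a name cannot be
    serving content to the public internet, whatever a feed says about it."""
    parsed = [ipaddress.ip_address(a) for a in addrs]
    return bool(parsed) and all(any(ip in net for net in RFC1918) for ip in parsed)


def ip_reputation_hits(resolutions: Dict[str, List[str]],
                       blocklist: Set[str]) -> Dict[str, List[str]]:
    """What a naive IP-based filter flags: every hostname that resolves to a
    listed address, regardless of which tenant is actually behind it."""
    return {
        host: [a for a in addrs if a in blocklist]
        for host, addrs in resolutions.items()
        if any(a in blocklist for a in addrs)
    }


def co_tenants(resolutions: Dict[str, List[str]], host: str) -> Set[str]:
    """Other hostnames sharing at least one address with `host`."""
    mine = set(resolutions.get(host, []))
    return {other for other, addrs in resolutions.items()
            if other != host and mine & set(addrs)}


def review_listing(host: str,
                   resolutions: Dict[str, List[str]] = RESOLUTIONS,
                   blocklist: Set[str] = IP_BLOCKLIST,
                   evidence: Set[str] = DOMAIN_EVIDENCE) -> str:
    """Triage one verdict. Order matters: evidence about the domain wins; a
    name answering only with private addresses cannot host what it is
    accused of; an IP hit with no domain evidence is shared-tenancy collateral."""
    addrs = resolutions.get(host, [])
    if host in evidence:
        return "direct-evidence"
    if rfc1918_only(addrs):
        return "implausible: resolves only to RFC1918 addresses"
    hits = ip_reputation_hits(resolutions, blocklist).get(host)
    if hits:
        listed_neighbours = sorted(n for n in co_tenants(resolutions, host)
                                   if n in evidence)
        return (f"collateral: shares {','.join(hits)} with "
                f"{','.join(listed_neighbours) or 'unknown tenant'}")
    return "no-hit"


if __name__ == "__main__":
    for h in RESOLUTIONS:
        print(f"{h:24} {review_listing(h)}")
```

Running it shows the arbitrariness the thread complains about: `shop.example.com` comes back as collateral purely because DNS happened to hand it the listed address, while `portal.example.com`, the same tenant on the same pool, gets `no-hit`, and the RFC1918-only name is rejected as implausible before any IP lookup is consulted. A filter that asks for domain-level evidence first, and treats an address shared across tenants as weak signal, avoids all three mistakes.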