
Why is my IP blocked by some AWS CloudFront services?

0

I am currently experiencing a 403 Forbidden error when accessing certain websites that are hosted behind AWS CloudFront. I was able to access these services normally just a few days ago. However, now I receive the following response when trying to connect:

HTTP/2 403
server: CloudFront
x-cache: Error from cloudfront
x-amz-cf-pop: NRT57-P10
x-amz-cf-id: r0QPHFImxAfpKaSkndVtJFSwr6g22UeLBMzgJRqtONFz3aXdf6nJCQ==

Troubleshooting steps I have tried:
1. Verified that my IP is indeed using ipinfo.io
2. Changed my User-Agent and tested using curl -A "Mozilla/5.0 ..." https://example.com
3. Used a VPN to change my IP, which allowed me to access the service normally
4. Checked the CloudFront edge location in the response (NRT57-P10)
5. Waited 24+ hours in case it was a temporary block, but the issue persists

Questions:
  • Does AWS CloudFront implement any automated IP blocking mechanisms that could explain this behavior?
  • If so, how can I determine why my IP was blocked and request removal?
  • Is there a way to check if my IP has been blocked due to a false positive?

Any insights or suggestions would be greatly appreciated. Thanks!

3 Answers
2

Many sites using CloudFront additionally use Web Application Firewall (WAFv2) to filter out unnecessary or likely malicious traffic. There are five AWS-managed IP address lists that are commonly used for this purpose. They're documented here: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html

I'd think it most likely that your IP address might be on the first three lists, which contain IPs that are either hitting AWS's "honeypots" intended to attract malicious parties blindly scanning the whole internet for potential victims, or which have been observed to be actively engaging in attacks or attempts to disrupt the normal operation of sites.

A false positive is quite unlikely, considering how widely these reputation lists are used, but if your IP address is dynamically allocated, it might recently have been used by a bad actor. If your IP address is dynamically allocated, the easiest solution might be to try to change the IP address to a new one.

EXPERT
answered 8 months ago
1

Hello.

Have you checked the troubleshooting documentation below?
If you check CloudFront's access log, etc., you may be able to find out why it is being blocked.
https://repost.aws/knowledge-center/cloudfront-troubleshoot-403-errors

EXPERT
answered 8 months ago
  • Thank you for your response. However, I am not managing a CloudFront distribution myself. Instead, I am experiencing a 403 Forbidden error when trying to access third-party services hosted behind CloudFront, such as docker-public.packages.atlassian.com .

    I do not have access to their CloudFront configuration or logs. I was able to access these services before, but now I am consistently getting a 403 Forbidden error with x-cache: Error from cloudfront.

    Thanks for your help!
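The first answer points at the AWS managed IP reputation rule group and the second suggests reading the logs; the questioner cannot do either for a third-party distribution, but the distribution owner can. The decisive record for a WAF block is the AWS WAF log (WAF logging has to be enabled on the web ACL; the CloudFront access log only shows the 403). The following is an added example, not code from the thread or from AWS: it parses WAF log records in the JSON Lines shape AWS WAF emits and reports, for one client IP, which rule made the decision and which labels the managed rule group attached. The four records are constructed for this example (the IPs, account ID, distribution ID and request IDs are made up), and the label prefix `awswaf:managed:aws:amazon-ip-list:` is assumed to be what the reputation rule group applies.

```python
"""Summarise AWS WAF log records for one client IP (added example, not from the thread)."""
import json
from collections import Counter, defaultdict

# Constructed sample records in the JSON Lines shape AWS WAF writes to its logging
# destination. IPs, account id, distribution id and request ids are made up.
SAMPLE_WAF_LOG = """
{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:global/webacl/example-acl/EXAMPLE","terminatingRuleId":"AWS-AWSManagedRulesAmazonIpReputationList","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","httpSourceName":"CF","httpSourceId":"EXAMPLEDISTID","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAmazonIpReputationList","terminatingRule":{"ruleId":"AWSManagedIPReputationList","action":"BLOCK"},"nonTerminatingMatchingRules":[],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.23","country":"JP","headers":[{"name":"Host","value":"example.com"},{"name":"User-Agent","value":"curl/8.4.0"}],"uri":"/v2/","args":"","httpVersion":"HTTP/2.0","httpMethod":"GET","requestId":"EXAMPLEREQ1"},"labels":[{"name":"awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList"}]}
{"timestamp":1700000060000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:global/webacl/example-acl/EXAMPLE","terminatingRuleId":"AWS-AWSManagedRulesAmazonIpReputationList","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","httpSourceName":"CF","httpSourceId":"EXAMPLEDISTID","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAmazonIpReputationList","terminatingRule":{"ruleId":"AWSManagedIPReputationList","action":"BLOCK"},"nonTerminatingMatchingRules":[],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.23","country":"JP","headers":[{"name":"Host","value":"example.com"},{"name":"User-Agent","value":"Mozilla/5.0"}],"uri":"/v2/library/manifests/latest","args":"","httpVersion":"HTTP/2.0","httpMethod":"GET","requestId":"EXAMPLEREQ2"},"labels":[{"name":"awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList"}]}
{"timestamp":1700000120000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:global/webacl/example-acl/EXAMPLE","terminatingRuleId":"Default_Action","terminatingRuleType":"DEFAULT","action":"ALLOW","httpSourceName":"CF","httpSourceId":"EXAMPLEDISTID","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAmazonIpReputationList","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.7","country":"US","headers":[{"name":"Host","value":"example.com"},{"name":"User-Agent","value":"docker/24.0"}],"uri":"/v2/","args":"","httpVersion":"HTTP/2.0","httpMethod":"GET","requestId":"EXAMPLEREQ3"},"labels":[]}
{"timestamp":1700000180000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:global/webacl/example-acl/EXAMPLE","terminatingRuleId":"block-scanner-paths","terminatingRuleType":"REGULAR","action":"BLOCK","httpSourceName":"CF","httpSourceId":"EXAMPLEDISTID","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.7","country":"US","headers":[{"name":"Host","value":"example.com"},{"name":"User-Agent","value":"python-requests/2.31"}],"uri":"/.env","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"EXAMPLEREQ4"},"labels":[]}
"""


def parse_waf_log(text):
    """Parse JSON Lines WAF log text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocking_reason(record):
    """Name the rule that decided the request: '<ruleGroupId>/<ruleId>' for a managed
    rule group, otherwise '<terminatingRuleType>/<terminatingRuleId>'."""
    rtype = record.get("terminatingRuleType")
    if rtype == "MANAGED_RULE_GROUP":
        for group in record.get("ruleGroupList", []):
            term = group.get("terminatingRule")
            if term:  # the rule inside the group that produced the terminating action
                return f"{group['ruleGroupId']}/{term['ruleId']}"
    return f"{rtype}/{record.get('terminatingRuleId')}"


def is_reputation_block(record):
    """True when the request was blocked and carries a label from the AWS IP
    reputation list (label prefix assumed for this example)."""
    return record.get("action") == "BLOCK" and any(
        lab["name"].startswith("awswaf:managed:aws:amazon-ip-list:")
        for lab in record.get("labels", [])
    )


def summarize_client(records, client_ip):
    """Count decisions for one client IP, keyed by action and then by reason,
    and collect every label the web ACL attached to that client's requests."""
    by_action = defaultdict(Counter)
    labels = set()
    for rec in records:
        if rec.get("httpRequest", {}).get("clientIp") != client_ip:
            continue
        by_action[rec["action"]][blocking_reason(rec)] += 1
        for lab in rec.get("labels", []):
            labels.add(lab["name"])
    return {"actions": {a: dict(c) for a, c in by_action.items()},
            "labels": sorted(labels)}


def reputation_blocked_ips(records):
    """Client IPs with at least one reputation-list block, mapped to block counts."""
    return dict(Counter(r["httpRequest"]["clientIp"]
                        for r in records if is_reputation_block(r)))


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_WAF_LOG)
    print(json.dumps(summarize_client(recs, "198.51.100.23"), indent=2))
    print(reputation_blocked_ips(recs))
```

Run against a real export, the same functions tell the owner whether a client is being stopped by the reputation list (and so will clear on its own once AWS stops seeing abuse from that address) or by one of their own rules, which they can fix themselves; before blocking on the managed group at all, deploying it in Count mode and looking at `nonTerminatingMatchingRules` is the usual way to see what it would have caught.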

0

I can give some more detail on this although kudos to Leo K for their response above :-)

Q: Does AWS CloudFront implement any automated IP blocking mechanisms that could explain this behavior?

A: No, however the owner of the CloudFront distribution may have chosen to enable CloudFront geo-blocking or deploy an AWS WAF 'WebACL' with the AWSManagedIPReputationList managed rulegroup included, or potentially the CloudFront origin has returned the HTTP 403 response code, itself.

Q: If so, how can I determine why my IP was blocked and request removal?

A: You can raise a billing or technical support case and request dates/times of malicious activities so that you can investigate which client behind the IP caused the issue and remedy the situation, however we rarely, if ever, remove an IP on request. The IP addresses will be removed from the list when we no longer observe malicious traffic from them for a minimum 24 hours of inactivity. The required inactivity period is extended, depending on number of attacks the IP participated in.

Q: Is there a way to check if my IP has been blocked due to a false positive?

A: It won't be a false positive - the list is curated automatically and the algorithm is proven, however you may be unknowingly sharing an egress IP with a malicious or infected client (or your client could itself be an infected device). End-clients whose requests are being blocked can try the following to unblock, e.g.:

  • toggle between Wifi and cellular
  • log on/off VPN
  • remove proxy configuration
AWS
EXPERT
answered 8 months ago
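The answer above names three possible sources of the 403: CloudFront geo-blocking, an AWS WAF web ACL, or the origin itself. A client that cannot see the distribution's configuration can still narrow this down from the response it receives. The following is an added example, not code from the thread or from AWS: it parses `curl -i`-style output and classifies the 403 using two heuristics that are this example's assumptions, not documented guarantees: a response CloudFront generated at the edge (WAF block, geo restriction) carries `server: CloudFront` and no `Via` header because no origin was contacted, whereas a 403 that came from the origin keeps the origin's own `Server` header and gains `Via: 1.1 <id>.cloudfront.net (CloudFront)`; and the edge-generated error pages are told apart by the wording in their HTML body ("Request blocked." for a WAF block, "configured to block access from your country" for geo restriction). The first sample is the header block the questioner posted; the other three responses are constructed for this example.

```python
"""Classify a CloudFront 403 from a raw HTTP response (added example, not from the thread)."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def parse_raw_response(text):
    """Parse `curl -i`-style output: status line, header lines, blank line, body."""
    text = text.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])  # "HTTP/2 403" -> 403
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def classify_403(resp):
    """Return a label for where the 403 most plausibly came from."""
    if resp.status != 403:
        return "not-a-403"
    h = resp.headers
    if "x-amz-cf-id" not in h and "x-amz-cf-pop" not in h:
        return "not-via-cloudfront"
    # Heuristic (assumption of this example): an edge-generated response carries
    # "server: CloudFront" and no Via header, because no origin was contacted; a 403
    # proxied from the origin keeps the origin's Server header and gains a Via header.
    if h.get("server", "").lower() != "cloudfront" or "via" in h:
        return "origin-403"
    # Heuristic (assumption of this example): CloudFront's own error pages differ in
    # wording for geo restriction and for an AWS WAF block.
    body = resp.body.lower()
    if "block access from your country" in body:
        return "cloudfront-geo-restriction"
    if "request blocked" in body:
        return "waf-block"
    return "edge-generated-403"  # generated at the edge, but the body did not say why


def classify_raw(text):
    return classify_403(parse_raw_response(text))


# The header block from the original question (no body was posted).
POSTED_HEADERS = """HTTP/2 403
server: CloudFront
x-cache: Error from cloudfront
x-amz-cf-pop: NRT57-P10
x-amz-cf-id: r0QPHFImxAfpKaSkndVtJFSwr6g22UeLBMzgJRqtONFz3aXdf6nJCQ==
"""

# Constructed: the shape of a WAF block page served by CloudFront.
WAF_BLOCK = """HTTP/2 403
server: CloudFront
x-cache: Error from cloudfront
x-amz-cf-pop: NRT57-P10
x-amz-cf-id: EXAMPLECFID1==

<html><body><h1>403 ERROR</h1><p>Request blocked. We can't connect to the server for this app or website at this time.</p></body></html>
"""

# Constructed: the shape of a CloudFront geo-restriction page.
GEO_BLOCK = """HTTP/2 403
server: CloudFront
x-cache: Error from cloudfront
x-amz-cf-pop: NRT57-P10
x-amz-cf-id: EXAMPLECFID2==

<html><body><h1>403 ERROR</h1><p>The Amazon CloudFront distribution is configured to block access from your country.</p></body></html>
"""

# Constructed: a 403 returned by an S3 origin and passed through CloudFront.
ORIGIN_403 = """HTTP/2 403
server: AmazonS3
via: 1.1 abc123.cloudfront.net (CloudFront)
x-cache: Error from cloudfront
x-amz-cf-pop: NRT57-P10
x-amz-cf-id: EXAMPLECFID3==

<?xml version="1.0"?><Error><Code>AccessDenied</Code></Error>
"""

if __name__ == "__main__":
    for name, raw in [("posted", POSTED_HEADERS), ("waf", WAF_BLOCK),
                      ("geo", GEO_BLOCK), ("origin", ORIGIN_403)]:
        print(f"{name}: {classify_raw(raw)}")
```

Note that `x-cache: Error from cloudfront` on its own does not settle the question, since CloudFront sets it for origin errors too; it is the absence of a `Via` header together with `server: CloudFront` that says no origin was reached. Capture the full response with `curl -i` (the questioner's paste may have dropped headers), and compare the same request over the VPN path that works: a `waf-block` on one path and a normal response on the other is exactly the shared-egress-IP reputation case the answer describes.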
