AWS WAF Has My ISP's IP Addresses on HostingProviderIPList - How to get them removed?

0

I work at an ISP and, obviously, we use our own IP addresses both for our customers and for our own internet access. We use AWS for some things.

We also provide some hosting services for a small number of websites (seriously, a small number) but the majority of our business is residential and business office internet service. Somehow AWS has decided all of our IP addresses are part of a hosting provider and they are being blocked by a lot of applications that use the AWS WAF reputation IP group HostingProviderIPList. We have heard complaints from a number of customers that they can't use certain websites or apps because of this issue. The number of IPs in use for hosting services is probably about 8 - 10% of our total IP space. The rest are all for various internet access services.

I can't find any way to have them removed from the list or to modify our use or administration of the IPs to have them removed automatically. AWS general support has not yet replied to our efforts to contact them. Any ideas?

3 Answers
1
Accepted Answer

Hi, for this case your team should open a ticket regarding the Managed AWS WAF Rules. If you have a TAM/SA managing your account, then you can ask for their help as well to get some guidance from the group managing the WAF list and the product team on how to get the ASN IP addresses taken out of the list.

I am not sure if you have some sort of control on the WAF configuration, and potentially you could put some allow-listing in place using a temporary custom rule. But the best approach will be via the support team to handle the exemption.

AWS
answered a year ago
  • I was worried that might be the case, I'll have to see about doing that. I was hoping there would be some kind of standardized method to publish information for ingest that would mark the IPs in question as 'end user' IP addresses or something like that. We have done rDNS work and location data for the IPs but nothing seems aimed at this kind of thing. A lot of cloud providers and service/app providers seem to just do whatever they want in cases like this and seldom have a good option to fix it when it goes wrong.

  • I have finally had some success on this issue and after a few weeks working on a ticket with AWS support, they finally acknowledged that they CAN check whether my IP addresses were on the Anonymous or Hosting Service IP lists and confirmed they were not but they could not indicate why they were being blocked. Eventually I had to deal with each individual website/app to get some IPs unblocked. It was frustrating that it took AWS support weeks to admit they could check the lists for my IPs when at first they denied the ability to do so.

0

Hi, thanks for this info. Unfortunately, anyone without a paid support contract cannot raise a ticket with AWS support (as end users). Is there an alternative way of raising this, do you know?

answered 7 months ago
0

The HostingProviderIPList contains a list of all known hosting providers (except Amazon), which includes both reputable and not-so-reputable providers. It's very much a blunt instrument. Inclusion in the list would be ASN-based, so if you are advertising residential ranges from the same ASN as your hosting business, this may explain inclusion.

You can request exclusion via a support case; however, the criteria are not transparent - it's done on a case-by-case basis. If you have no support or your request to exclude is denied, then you are best off contacting the owner of the online property who has deployed a WAF WebACL containing the 'HostingProviderIPList' rule group, and asking them to exclude your IPs or CIDR ranges by creating an IPSet 'ipset_excluded_list' and adding a scope-down statement in conjunction with the managed rule group, e.g. "If NOT source-ip originates from 'ipset_excluded_list'".

Please note that both 'HostingProviderIPList' and 'AnonymousIPList' are not sourced from AWS internal threat intelligence; they come instead from a third party. However, at this stage we are not identifying that provider.

AWS
answered 5 months ago
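The scope-down arrangement described in the answer above, as an added example that is not part of the thread or of AWS's own tooling: it builds the IPSet request and the WebACL rule for the Amazon IP reputation managed rule group (the group that carries the HostingProviderIPList rule) with a "NOT source IP in ipset_excluded_list" scope-down, then evaluates that scope-down locally so the site owner can see which source IPs skip the reputation check before changing a live WebACL. The account id, IPSet ARN and CIDR ranges are constructed placeholders.

```python
"""Scope-down pattern for the AWS WAF managed IP reputation rule group.

Added example, not code from the re:Post thread or from AWS. Builds the
create-ip-set request and the WebACL rule, then evaluates the rule's
scope-down statement locally. ARNs, account id and CIDRs are placeholders.
"""
import ipaddress
import json

# Constructed sample CIDRs standing in for the ISP's end-user ranges.
EXCLUDED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Placeholder ARN; the real one is returned by create-ip-set (or shown in the console).
IPSET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/"
             "ipset_excluded_list/00000000-0000-0000-0000-000000000000")


def build_ip_set_request(name, cidrs, scope="REGIONAL"):
    """Keyword arguments for boto3's wafv2.create_ip_set()."""
    return {"Name": name, "Scope": scope, "IPAddressVersion": "IPV4",
            "Addresses": list(cidrs)}


def build_scoped_reputation_rule(ipset_arn, priority=0):
    """WebACL rule for AWSManagedRulesAmazonIpReputationList (the rule group
    containing HostingProviderIPList), scoped down so that requests whose
    source IP is in the excluded IPSet are never evaluated by the group."""
    return {
        "Name": "AWS-AWSManagedRulesAmazonIpReputationList",
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesAmazonIpReputationList",
                "ScopeDownStatement": {
                    "NotStatement": {
                        "Statement": {
                            "IPSetReferenceStatement": {"ARN": ipset_arn}
                        }
                    }
                },
            }
        },
        # Managed rule groups take OverrideAction rather than Action.
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "IpReputationScopedDown",
        },
    }


def _evaluate(statement, client_ip, ipsets):
    """Minimal local evaluator for the two statement shapes used here."""
    if "NotStatement" in statement:
        return not _evaluate(statement["NotStatement"]["Statement"], client_ip, ipsets)
    if "IPSetReferenceStatement" in statement:
        arn = statement["IPSetReferenceStatement"]["ARN"]
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(c) for c in ipsets.get(arn, []))
    raise ValueError(f"unsupported statement: {list(statement)}")


def managed_group_applies(rule, client_ip, ipsets):
    """True if the managed rule group (and so HostingProviderIPList) will be
    evaluated for a request from client_ip; False if the scope-down skips it.
    ipsets maps IPSet ARN -> list of CIDR strings."""
    mrg = rule["Statement"]["ManagedRuleGroupStatement"]
    scope = mrg.get("ScopeDownStatement")
    return True if scope is None else _evaluate(scope, client_ip, ipsets)


if __name__ == "__main__":
    rule = build_scoped_reputation_rule(IPSET_ARN)
    print(json.dumps(build_ip_set_request("ipset_excluded_list", EXCLUDED_CIDRS), indent=2))
    print(json.dumps(rule, indent=2))
    ipsets = {IPSET_ARN: EXCLUDED_CIDRS}
    for ip in ("203.0.113.77", "198.51.100.200", "192.0.2.10"):
        print(ip, "evaluated by reputation list:", managed_group_applies(rule, ip, ipsets))
```

The rule dictionary is the JSON shape the WAFv2 API expects inside a WebACL's Rules list, so it can be passed to update-web-acl once the IPSet exists and its ARN is substituted. Note that 198.51.100.200 falls outside the /25 in the sample IPSet and is therefore still checked against the reputation list, which is the kind of off-by-one in CIDR scoping the local evaluator is meant to surface.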
