nanog mailing list archives

Re: Who is generating an edgesuite.net error message

From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Sat, 24 May 2025 12:58:57 -0400


I don't know what everybody is trying so hard to protect against, but
the collateral damage has to be huge.



Massive bills caused by aggressive AI crawlers. Different CDNs have
different tools and options to combat this, with varying degrees of
effectiveness, so many people are cranking up the WAF restrictions as well,
and unfortunately that often does cause some additional issues.

On Fri, May 23, 2025 at 11:16 PM Brandon Martin via NANOG <
nanog () lists nanog org> wrote:

On 5/23/25 11:19, Jon Meek via NANOG wrote:

These errors / blocks are due to Akamai customers using tools and data
provided by Akamai to handle things like geo-restriction and (perceived)
DoS attacks. You do have to deal with the Akamai customer for these

issues,

and some of our NAT addresses have been blocked by Macy's in the past,
probably due to a large number of Macy's shoppers being behind a single
IPv4 address...

Here is the Akamai Client Reputation check:
https://www.akamai.com/us/en/clientrep-lookup/
That tool will only check the source IP address from which it is

accessed.

There is no way to check on another address.


This isn't limited to Akamai.  Basically all CDNs have similar web
application firewall (WAF) features, and lots of site admins somewhat
naively turn them up to 11.  I've noticed an increasing number of
Cloudflare client intercepts recently not just on the small SP I run but
even from clients on mainstream ISPs like Spectrum and T-Mobile, and
I've even gotten outright 403'd by several places in my attempt to give
them my money and buy stuff from them and at baffling parts of the
process e.g. after getting a user login page and providing valid
credentials but before the subsequent redirect to resources requiring auth.

I don't know what everybody is trying so hard to protect against, but
the collateral damage has to be huge.  I assume potential sales are lost
somewhat frequently.

Given how often this question comes up, the CDNs should probably be more
clear and up front about what the various WAF settings do and why or why
NOT a user may want to enable various options.  I think doing so could
make everybody happy: end users, site operators, and the CDNs (by way of
making the site operators happier).

--
Brandon Martin
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/VYRLYAS5QD23N4BTTO7TRWM4KZ5OKSLO/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SJ5S6OHFXCEVACZLV34IRXUVSKQPA5PA/

Current thread:

Who is generating an edgesuite.net error message Jon Miller via NANOG (May 27)
- Re: Who is generating an edgesuite.net error message Aaron Gould via NANOG (May 27)
- Re: Who is generating an edgesuite.net error message VMemaillist via NANOG (May 27)
- Re: Who is generating an edgesuite.net error message Jason Canady via NANOG (May 27)
  - Re: Who is generating an edgesuite.net error message Niels Bakker via NANOG (May 27)
    - Re: Who is generating an edgesuite.net error message Jason Canady via NANOG (May 27)
    - Re: Who is generating an edgesuite.net error message Jon Meek via NANOG (May 27)
    - Re: Who is generating an edgesuite.net error message Brandon Martin via NANOG (May 27)
    - Re: Who is generating an edgesuite.net error message Tom Beecher via NANOG (May 27)
    - Re: Who is generating an edgesuite.net error message Smith via NANOG (May 30)