Re: Amazon AWS cloudfront WAF block

[Alex Buie via NANOG <nanog () lists nanog org>]

FWIW we regularly face this at $DAYJOB as a mid-sized nationwide business
ISP and have all but given up. Ticketmaster, Hulu, Disney, and others which
seem to use Neustar or IPQS simply seem uninterested in our mutual
customers being able to do business with them. Ticketmaster suggested we
ask our customers switch to their cellular hotspot to purchase tickets
since “Verizon and AT&T run a tested and secure network”. Implying I don’t
but being unable to tell me why that is their assessment. Are you freakin’
kidding me?

IPQS especially seem to be the most extortive of the group, as they would
not even entertain a conversation until we paid money to subscribe to their
product and then after we paid basically told us to F off because we are a
VPN in their eyes.

Every single /32 IP in our customer eyeball network corresponds to a static
assignment to one company/client/corporate entity, almost always a single
physical business location but we do have some customers who have
multi-building setups with tunnels or dark fiber. For all intents and
purposes, these LOOK like single-office business grade connections. But
because SD-WAN technology is used to deliver the circuits, they refuse to
reclassify our IP space as anything other than a hazardous VPN. I sure hope
they don’t find out that every eyeball network in America is using SD-WAN
technology in 2025, but I digress.


Maybe it’s time for a SMB ISP union? I kind of love the thought of all of
us smaller AS teaming up to fight for what’s fair in internet governance.
By strength in numbers of eyeballs served we have a lot of combined weight
to effect commerce and customer service experiences for these brands that
have snubbed some of our brethren via our routing and performance
policies.

Probably off the wall. This entire email should be construed as my personal
opinion and not the public position of my employer.

*Alex*

On Thu, May 29, 2025 at 9:18 PM Tom Beecher via NANOG <nanog () lists nanog org>
wrote:

> >  I cannot fathom how citing some cases and section 230 will help the
> > original poster get a hold of someone at Amazon and/or resolve their
> issue.
>
>
> It won't, no. But not much else will either.
>
> AWS default WAF lists are notoriously bad. They often include things they
> shouldn't. If you are an AWS customer they'll tell you to make your own
> edits to fix these problems. If you aren't (as in the OP's case ), they
> won't even really talk to you, as the OP experienced.
>
> It's of course exceptionally frustrating when you're in the OP's shoes with
> this stuff, but this is the unfortunate reality when people chose to use
> ass products like this.
>
> On Thu, May 29, 2025 at 3:52 PM Mu via NANOG <nanog () lists nanog org>
> wrote:
>
> > On Thursday, May 29th, 2025 at 3:35 PM, John Levine via NANOG <
> > nanog () lists nanog org> wrote:
> >
> > > It appears that William Herrin via NANOG nanog () lists nanog org said:
> > >
> > > > On Thu, May 29, 2025 at 10:57 AM Andrew Kirch trelane () trelane net
> > wrote:
> > > > > (A)any action voluntarily taken in good faith to restrict access to
> > > > > or availability of material that the provider or user considers to
> be
> > > > > obscene, lewd, lascivious, filthy, excessively violent, harassing,
> > > > > or otherwise objectionable, whether or not such material is
> > > > > constitutionally protected
> > > >
> > > > Hi Andrew,
> > > >
> > > > The key phrase here is "taken in good faith." After I've notified you
> > > > of an error, your action stops being good faith.
> > >
> > >
> > > Uh, no. I have no duty to believe what you claim.
> > >
> > > Having looked at a lot of case law I can tell you that the only case
> > where a
> > > court did not find good faith was a strange one where one anti-malware
> > service
> > > listed another (for what looked like good reasons) and a court assumed
> > that
> > > since they were direct competitors it wasn't good faith. Other than
> > that, if I
> > > think your traffic is objectionable, I can reject it.
> > >
> > > See
> https://blog.ericgoldman.org/archives/2024/06/this-case-keeps-wrecking-internet-law-enigma-v-malwarebytes.htm
> > > In practice, threatening to sue Amazon is a dumb thing to do because
> > they have
> > > far more lawyers and experience and money than you do. This is
> obviously
> > a
> > > screwup and figuring out who to ask nicely is far more likely to work
> > than
> > > sending threats you can't actually carry out.
> > >
> > > R's,
> > > John
> > >
> > > PS: Wasn't the original question from someone in South Africa? I have
> no
> > idea
> > > what their law is like, or if Amazon even has enough presence there to
> > sue.
> > > _______________________________________________
> > > NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QGOVMLWJ36MZ3V5PZAZK3DH3PQKBRN5W/
> > Respectfully, is anyone here an actual lawyer giving legal advice?
> >
> > If not, can we maybe just suggest that everyone consults with their own
> > lawyers about what actions they do or do not want to take?
> >
> > Obviously the original comment about sending a legal letter was made out
> > of frustration because reaching an actual human at some of these
> megacorps
> > is often like pulling teeth. I don't blame them for being frustrated.
> With
> > that said, I cannot fathom how citing some cases and section 230 will
> help
> > the original poster get a hold of someone at Amazon and/or resolve their
> > issue.
> >
> > -mu
> > _______________________________________________
> > NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/WQOPS73CIQFM725J4N3BW44T6KCQPQ72/
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SD7KRQCPJYEQWDT7BJSAN2UE7FDEA3QQ/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/465SNE2ACFO7VZTAH54XUSIML5QBSTRP/