> > I don't know what everybody is trying so hard to protect against, but > the collateral damage has to be huge.
Massive bills caused by aggressive AI crawlers. Different CDNs have different tools and options to combat this, with varying degrees of effectiveness, so many people are cranking up the WAF restrictions as well, and unfortunately that often does cause some additional issues. On Fri, May 23, 2025 at 11:16 PM Brandon Martin via NANOG < [email protected]> wrote: > On 5/23/25 11:19, Jon Meek via NANOG wrote: > > These errors / blocks are due to Akamai customers using tools and data > > provided by Akamai to handle things like geo-restriction and (perceived) > > DoS attacks. You do have to deal with the Akamai customer for these > issues, > > and some of our NAT addresses have been blocked by Macy's in the past, > > probably due to a large number of Macy's shoppers being behind a single > > IPv4 address... > > > > Here is the Akamai Client Reputation check: > > https://www.akamai.com/us/en/clientrep-lookup/ > > That tool will only check the source IP address from which it is > accessed. > > There is no way to check on another address. > > This isn't limited to Akamai. Basically all CDNs have similar web > application firewall (WAF) features, and lots of site admins somewhat > naively turn them up to 11. I've noticed an increasing number of > Cloudflare client intercepts recently not just on the small SP I run but > even from clients on mainstream ISPs like Spectrum and T-Mobile, and > I've even gotten outright 403'd by several places in my attempt to give > them my money and buy stuff from them and at baffling parts of the > process e.g. after getting a user login page and providing valid > credentials but before the subsequent redirect to resources requiring auth. > > I don't know what everybody is trying so hard to protect against, but > the collateral damage has to be huge. I assume potential sales are lost > somewhat frequently. > > Given how often this question comes up, the CDNs should probably be more > clear and up front about what the various WAF settings do and why or why > NOT a user may want to enable various options. I think doing so could > make everybody happy: end users, site operators, and the CDNs (by way of > making the site operators happier). > > -- > Brandon Martin > _______________________________________________ > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/VYRLYAS5QD23N4BTTO7TRWM4KZ5OKSLO/ > _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/SJ5S6OHFXCEVACZLV34IRXUVSKQPA5PA/
