Got a false positive! AWS WAF HostingProviderIPList may block system linking.

masayoshi644

Masayoshi Haruta

Posted on October 9, 2022

Got a false positive! AWS WAF HostingProviderIPList may block system linking.

I ran into a false positive the other day, so I'd share it; There is a rule AWSManagedRulesAnonymousIpList in AWS WAF v2, use of the HostingProviderIPList in it may need a little care in a particular situation.

What the problem

First, let me explain what the rules are.

RuleName Detail
AWSManagedRulesAnonymousIpList Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services.
HostingProviderIPList Inspects for a list of IP addresses from hosting and cloud providers, which are less likely to source end-user traffic. The IP list does not include AWS IP addresses.

It is a very useful rule set that usually blocks suspicious accesses. However, the other day I decided to integrate the web service with my customer's external system, and when testing, we encountered a problem where communication could not be established and the service was blocked. As a result, we have set the rule set to "Count" and are now observing whether we should really turn off the rule set.

Workaround

I used Terraform to build the WAF, so this will be an explanation using Terraform. The change is quite simple, just add excluded_rule to the rule in the aws_wafv2_web_acl

fixing diff

I hope it will be of some help to anyone who is encountering the same problem.

Appendix

By the way, if you want to build a WAF using Terraform, please refer to my previous article!

Thank you for reading!

💖 💪 🙅 🚩
masayoshi644
Masayoshi Haruta

Posted on October 9, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related