Re: Akamai/HollisterCo

[Owen DeLong <owen () delong com>]

Here’s the deal…

I’ve pieced this together entirely from data available outside of Akamai. It does not involve any knowledge I gained at 
Akamai unless I’ve also been able to identify that information through an independent public source.

Akamai’s system here is designed to make their customers happy without much regard for their customer’s customers.

Customers have control over their web application firewall and what it blocks.

Akamai doesn’t (exactly) directly control it.

However, customers can subscribe to reputation information and make automated decisions about blocking in their WAF 
based on that reputation information.

Akamai takes customer confidentiality very seriously. Mostly this is a good thing, but it creates a real catch 22 for 
web users caught in this circumstance. If it’s any consolation, I ran into this several times while I was working at 
Akamai and didn’t have any better ability to get resolution than what is being reported here.

Akamai NOC can’t tell you what’s happening because that would violate their customer’s confidentiality. It’s often very 
difficult for you to reach anyone with a clue at the company in question, and, even if you manage to do so, they’ll say 
“but Akamai runs that for us, you should call them.<click>”

I’ve given up on this ever getting better.

Owen



> On Dec 18, 2019, at 2:11 PM, Dmitriy Vaynshteyn [infiniwiz] <dmitriy.vaynshteyn () infiniwiz com> wrote:
>
> Problem is that I used their client rep lookup tool at https://www.akamai.com/us/en/clientrep-lookup/ and it showed 
> that the IP was clean.
>
>
> Dmitriy Vaynshteyn
> Senior Systems Engineer
> 1835 Hicks Rd. Rolling Meadows, IL 60008
> tel:  847.994.1111 | 
> direct:  847.850.7894 | 
> fax:  847.850.7902
> http://www.infiniwiz.com 
> Happy with our service? Tell others by leaving a review or making a referral.
> ​
>
> -----Original Message-----
> From: NANOG <nanog-bounces+notifications=infiniwiz.com () nanog org> On Behalf Of Jared Mauch
> Sent: Wednesday, December 18, 2019 3:56 PM
> To: Mike Hammett <nanog () ics-il net>
> Cc: nanog () nanog org
> Subject: Re: Akamai/HollisterCo
>
> I’ve had a hard time internally getting people to answer questions around this or how to properly escalate what 
> appears to be blocking related issues.  I’m honestly at wits end with them.
>
> I’ll give you these links:
>
> https://community.akamai.com/customers/s/article/Why-is-Akamai-Blocking-Me-Part-3-Partners-Performing-Web-Scraping-Activity?language=en_US
> https://www.akamai.com/us/en/clientrep-lookup/
>
> The reality is when you end up behind a NAT pool or shared IP set, this is entirely possible someone (or thing) is 
> doing malicious activity.  I’ve asked the teams to improve the errors presented to users in this case, so perhaps it 
> will get better.
>
> If you have a specific reference ID you get back, you can send it to me in e-mail (text, no images please) and I’ll 
> look it up to see what can be found.
>
> But this also falls into the category - we are performing the action based on our customer request/configuration.
>
> - Jared
>
> > On Dec 18, 2019, at 4:29 PM, Mike Hammett <nanog () ics-il net> wrote:
> >
> > That is a common issue eyeball ISPs have with CDNs and security companies.
> >
> > The obvious technical contact is the CDN or security company, but they always redirect you to their client because 
> > they're "just doing what their client asked". Yes, please, reach out to Hollister's customer service department with 
> > a request to fix their web site (or tell you why they won't). See how far that gets you. Meanwhile, go buy some of 
> > their tacky apparel.
> >
> > On the "just doing what their client asked", what *IS* it that the client asked? Surely Hollister didn't develop 
> > some personal spite for Dmitriy's client and bock their IP address. No, more likely is that some algorithm (rightly 
> > or wrongly) lumped Dmitriy's client's IP in a list of bad actors for some reason and Hollister has chosen to block 
> > that category of bad actor. Hollister would be equally clueless as to what is actually happening.
> >
> > What the CDNs and security companies should respond with is something to the effect of, "We see 123.456.789.123 
> > doing XYZ bad activity and it needs to stop before being allowed in." Ya know...  the same way nearly every SPAM RBL 
> > works. You can then kill two birds with one stone: Dmitriy's client can now buy bad shirts and Dmitriy's client 
> > fixes whatever exploits are happening from their network.
> >
> >
> >
> > -----
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> > Midwest-IX
> > http://www.midwest-ix.com
> >
> > See More from Dmitriy Vaynshteyn [infiniwiz]
> >
> > ​
> >
> > See More from Dmitriy Vaynshteyn [infiniwiz]
> >
> > or making a referral.
> > ​