Mod Security & Amazon Cloud Front Problems

Misuse of CloudFront by attackers can get the CDN's addresses blocked by your server, which is a problem. Unfortunately, for security reasons you do not want to let CloudFront traffic bypass ModSecurity either, as that bypass can itself be exploited:

216.137.42.131 # lfd: (mod_security) mod_security (id:210410) triggered by 216.137.42.131 (US/United States/server-216-137-42-131.dfw3.r.cloudfront.net): 5 in the last 3600 secs – Thu Mar 12 22:13:57 2015
205.251.218.78 # lfd: (mod_security) mod_security (id:950103) triggered by 205.251.218.78 (US/United States/server-205-251-218-78.arn1.r.cloudfront.net): 5 in the last 3600 secs – Sun Mar 15 23:38:33 2015
54.240.145.159 # lfd: (mod_security) mod_security (id:220030) triggered by 54.240.145.159 (US/United States/server-54-240-145-159.fra6.r.cloudfront.net): 5 in the last 3600 secs – Mon Mar 16 07:07:34 2015

We are considering building something that lets ModSecurity block the address carried in the X-IP-ADDRESS header instead of the actual IP, which belongs to the CDN. Meanwhile, the best thing you can do is to make sure that while ModSecurity blocks risky requests, the CDN itself does not end up blacklisted.
Here is the full list of IP address ranges used by Amazon CloudFront as of this date; add them to your “Firewall Allow IPs” list:

54.182.0.0/16
54.192.0.0/16
54.230.0.0/16
54.239.128.0/18
54.239.192.0/19
54.240.128.0/18
204.246.164.0/22
204.246.168.0/22
204.246.174.0/23
204.246.176.0/20
205.251.192.0/19
205.251.249.0/24
205.251.250.0/23
205.251.252.0/23
205.251.254.0/24
216.137.32.0/19
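To confirm that the addresses lfd is blocking are CloudFront edges rather than real clients, here is an added Python example (not code from the original post) that parses lfd lines of the kind shown above and matches the blocked IP against the CloudFront ranges listed here. The sample input is constructed: the page's three lfd entries plus one non-CDN entry using an RFC 5737 documentation address.

```python
import ipaddress
import re

# CloudFront ranges exactly as listed on the page (accurate as of the post's date).
CLOUDFRONT_RANGES = [ipaddress.ip_network(c) for c in (
    "54.182.0.0/16", "54.192.0.0/16", "54.230.0.0/16", "54.239.128.0/18",
    "54.239.192.0/19", "54.240.128.0/18", "204.246.164.0/22", "204.246.168.0/22",
    "204.246.174.0/23", "204.246.176.0/20", "205.251.192.0/19", "205.251.249.0/24",
    "205.251.250.0/23", "205.251.252.0/23", "205.251.254.0/24", "216.137.32.0/19",
)]

# Shape of an lfd mod_security block line:
#   "<ip> # lfd: (mod_security) mod_security (id:<rule>) triggered by <ip> (...): N in the last S secs - <date>"
LFD_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) # lfd: \(mod_security\) mod_security "
    r"\(id:(?P<rule>\d+)\) triggered by"
)

def cloudfront_range_for(ip):
    """Return the CloudFront CIDR (as a string) containing ip, or None if ip is not a CloudFront edge."""
    addr = ipaddress.ip_address(ip)
    for net in CLOUDFRONT_RANGES:
        if addr in net:
            return str(net)
    return None

def classify_lfd_lines(lines):
    """Parse lfd block lines; each result records the blocked IP, the rule id and the CloudFront range hit (or None)."""
    results = []
    for line in lines:
        m = LFD_LINE.match(line.strip())
        if not m:
            continue  # not a mod_security block line, skip it
        results.append({"ip": m["ip"], "rule": m["rule"], "cloudfront": cloudfront_range_for(m["ip"])})
    return results

# Constructed sample: the three entries from the page plus one non-CDN entry (192.0.2.10 is a documentation address).
SAMPLE_LINES = [
    "216.137.42.131 # lfd: (mod_security) mod_security (id:210410) triggered by 216.137.42.131 (US/United States/server-216-137-42-131.dfw3.r.cloudfront.net): 5 in the last 3600 secs - Thu Mar 12 22:13:57 2015",
    "205.251.218.78 # lfd: (mod_security) mod_security (id:950103) triggered by 205.251.218.78 (US/United States/server-205-251-218-78.arn1.r.cloudfront.net): 5 in the last 3600 secs - Sun Mar 15 23:38:33 2015",
    "54.240.145.159 # lfd: (mod_security) mod_security (id:220030) triggered by 54.240.145.159 (US/United States/server-54-240-145-159.fra6.r.cloudfront.net): 5 in the last 3600 secs - Mon Mar 16 07:07:34 2015",
    "192.0.2.10 # lfd: (mod_security) mod_security (id:950103) triggered by 192.0.2.10 (--/--/-): 5 in the last 3600 secs - Mon Mar 16 08:00:00 2015",
]

if __name__ == "__main__":
    for r in classify_lfd_lines(SAMPLE_LINES):
        tag = f"CloudFront edge in {r['cloudfront']}" if r["cloudfront"] else "not a CloudFront address"
        print(f"{r['ip']:<16} rule {r['rule']}: {tag}")
```

A blocked address that lands in a CloudFront range is the CDN being blacklisted on behalf of whoever sent the request through it, which is exactly the case the allow list above is meant to prevent.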

Amazon Route 53 Changing Health Checking IP Ranges

If you’re using Route 53 health checks, you must ensure that your router and firewall rules allow inbound traffic from the IP addresses used by Route 53’s health checkers, so that Route 53 can access the endpoints that you specify in your health checks.

As we have explained earlier in our forum post [ https://forums.aws.amazon.com/ann.jspa?annID=1838 ], we are adding new IP ranges to the existing ranges.

The following is the list of existing IP ranges currently used by the Route 53 health checking service:

54.228.16.0/26
54.232.40.64/26
54.241.32.64/26
54.243.31.192/26
54.245.168.0/26
54.248.220.0/26
54.251.31.128/26
54.252.79.128/26

In addition to the list above, the following is the list of new IP ranges from which Route 53 will be conducting health checks:

54.183.255.128/26
54.244.52.192/26
54.250.253.192/26
54.252.254.192/26
54.255.254.192/26
107.23.255.0/26
176.34.159.192/26
177.71.207.128/26

Please ensure that the router / firewall rules for all of your endpoints that you are health checking with Route 53 are configured to allow incoming traffic from both existing and new IP ranges.
