
Howto: Block Amazon and any site using Amazon Web Services - dzuc
https://bigboy.us/other/aws/
======
InvaderFizz
Reminds me of about three years ago, a buddy who does Cybersecurity for a very
large military base was tasked with blocking AWS from their network due to
porn.

He found it quite humorous, warned them of the consequences, got everything in
writing (including his warnings), and executed his orders.

The base commander was not amused and the blocks were removed in about 12
hours. Unfortunately, the responsible party never suffered more than egg on
their face for the stupidity.

They tried to shift blame to my buddy, but he had dotted his i's and crossed
his t's. He did get a nice one-on-one with the Base Commander, where he was
able to lay everything out.

------
yfiapo
Mmmkay. Have fun with that.

The attempt is also incomplete. I suspect this would miss ranges advertised
through AWS's BYOIP
(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html)
option. It would definitely miss ranges advertised through companies' own
datacenters and serviced in the backend by AWS.

~~~
jrowley
33.5 million IP addresses is no small drop in the bucket though!

------
whinehands
This doesn't block any site using AWS, only sites which are fronted by a
server hosted within AWS.

~~~
elevation
I've toyed with the idea of setting up a no-FAANG VPN that implements these
restrictions based on the ip networks advertised by the relevant ASNs. This
would provide more complete coverage, and be useful as a testing tool,
allowing you to verify that your own web properties still function without
assets being loaded from a global active adversary.

~~~
morpheuskafka
It still doesn't actually block everything on those clouds. I can go get my
own ASN, run my own edge server (or use a small CDN company not on your list)
and use whatever I want on the back end for database, queue, backup, storage,
compute, etc. All you'll know is that my IP is where the edge node is.

~~~
elevation
A VPN would still be effective at suppressing the tracking effects of all the
"like buttons" while also revealing issues such as jquery being loaded off a
CDN that also directly hosts content for 40% of the web.

For users wanting to thwart pervasive CDNs from receiving packets every time
they visit almost any site on the web, it matters less if a service they
visit is using an amazon resource on the back end; as long as all services
aren't using the same database backend, this puts e.g. AWS back in the
position of only having a little of your consumer/browsing information instead
of nearly all of it.

------
Lendal
There is a large community of people here in the US who block every company
that does bad things.

Yes I'm talking about the Amish. But even in Amish society, there is politics
and people who do Bad Things. Fortunately there are plenty of uninhabited
mountaintops left that one can go and live on to maintain a clean conscience.
But if we do that, then aren't we turning our backs on the world by not
helping it? So now we'd need to come back to civilization and live amongst the
unwashed masses once more.

There's no way to live a perfectly good and blameless life.

------
maxwellito
I find the initiative interesting, at least to realise how much of our daily
browsing is hosted on AWS. I will give a go for sure!

------
lowlevel
Wouldn't it be easier to just turn off wifi and unplug the ethernet cable?

~~~
knowuh
_ding ding ding_ ⬆

------
floatboth
> Counter-intuitively, AWS makes it very easy to do this! They publish and
> continuously update a list of IP ranges

It's not like any legitimate company could keep their IP address ranges
private (other than by using seemingly unrelated shell companies) :)

~~~
LinuxBender
I have found their list to be out-dated. I have to use bgp lookup sites to
fill in the blanks. There are many ranges and small blocks they leave out that
are not hosted in their datacenter directly.

------
ryanmercer
Wouldn't blocking stuff using AWS block like, a significant chunk of the
internet?

~~~
Topgamer7
Yes

~~~
LinuxBender
As an experiment, you could always put their ranges into your IDP / IDP /
firewalls and just get summary data for how many packets / flows / bytes are
transferred to/from AWS. (Rather than outright blocking)
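
An added example of the measure-rather-than-block approach (not code from the linked howto or from any commenter): it parses a constructed sample shaped like Amazon's published ip-ranges.json, including the ipv6_prefixes list, and totals flows and bytes per AWS service and region. The prefixes, flow records and syncToken below are constructed, not current values.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample shaped like Amazon's published ip-ranges.json (prefixes and
# ipv6_prefixes keys); the entries are illustrative, not a copy of the live list.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000", "createDate": "2019-07-15-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON"},
    ],
})
# Constructed flow records (destination address, bytes) as a firewall might export.
SAMPLE_FLOWS = [
    ("3.5.141.9", 1500),
    ("52.95.110.200", 42000),
    ("2600:1f14:1234::1", 800),
    ("198.51.100.7", 9000),  # not AWS (TEST-NET-2)
    ("2001:db8::1", 300),    # not AWS (documentation prefix)
]

def load_aws_networks(doc):
    """Parse both the IPv4 and IPv6 prefix lists into (network, region, service)."""
    data = json.loads(doc)
    nets = [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data.get("prefixes", [])]
    nets += [(ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"])
             for p in data.get("ipv6_prefixes", [])]
    return nets

def classify(addr, nets):
    """Longest-prefix match; the list overlaps (AMAZON supernets contain S3 subnets)."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if n[0].version == ip.version and ip in n[0]]
    return max(hits, key=lambda n: n[0].prefixlen) if hits else None

def summarize(flows, nets):
    """Count flows and bytes per AWS service/region instead of blocking them."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for addr, nbytes in flows:
        hit = classify(addr, nets)
        key = f"{hit[2]}/{hit[1]}" if hit else "non-aws"
        totals[key]["flows"] += 1
        totals[key]["bytes"] += nbytes
    return dict(totals)
```

Pointing it at the real file and a day of exported flows gives the summary numbers before anyone decides whether a block is even feasible.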

------
parliament32
I'd rather do this with Cloudflare. Amazon may be naughty but CF is just evil:
trying to normalize a MITM-as-a-service protection-racket as a business model
is bad for everyone involved.

------
t0mbstone
And to get around this, simply route all your traffic through Cloudflare...

------
supergauntlet
I mean I get the idea and all, but considering half the internet runs on AWS
is this even feasible? Your day-to-day internet use would be crippled.
Wouldn't it be better to spend the effort on writing letters to politicians or
better yet campaigning yourself? (I'm assuming this is being posted because of
the prime day walkouts today)

~~~
glitchc
Indeed, there is nothing inherently wrong with AWS.

On the broader topic, what's wrong with people spending money on things they
want? We live in a free country. If you have money, and want to buy junk with
it, more power to you. It's your money. Do whatever you want with it. As far
as vices are concerned, I would rather someone derived satisfaction from binge
shopping than the alternatives (gambling, alcoholism, drugs, etc. etc.), since
those have far more deleterious effects on society.

~~~
pmoriarty
_" what's wrong with people spending money on things they want?"_

It depends on what they're buying. Many people would consider unethical the
buying of children or child pornography, for instance. Bans on ivory, whaling,
and trading in endangered species have gained ground in recent years.

Some arguments for what's wrong with those are that the former exploit people
who are unable to defend themselves or even realize they're being exploited,
while the latter cost the lives of sentient creatures and reduce biodiversity
by causing extinctions. Now, whether you find any of those arguments
persuasive depends on your own values. Some people see nothing wrong with
exploitation or species extinction. It's really difficult to argue against
them. Either you share certain fundamental values with the rest of us or you
don't.

Philosophers study such ethical issues in nauseating detail, but I've yet to
see how any of their arguments would be persuasive to someone who doesn't
already share their core values.

------
artursapek
I imagine the guys building AWS are treated pretty well, compared to their
warehouse guys.

~~~
cschneid
I wonder about the low level labor in data centers. Swapping disks and
servers. I imagine they have a lot of the same tracked-time-pressure that
retail pickers do? But I've never read about it one way or the other either.

------
tambre
This tutorial's of limited use to 30% of users, who have IPv6.

------
nautilus12
Half the internet would be unusable, lol.

------
RaptorJ
Another of 2-3 stories about the Amazon strike deleted from the front page of
Hacker News, it's hard to not be conspiratorial about this.

------
e-m-p
Do you realize how many companies run on AWS?

------
tanilama
loll, good luck.

------
tracer4201
Oh boy, another one of the daily anti-FAANG posts. Amazon is evil and should
be boycotted - usually coming from people who shop at WalMart and invest in
companies like BP (i.e. my in-laws).

Good luck blocking AWS - and whatever percentage of the internet running on
it.

~~~
pathseeker
>usually coming from people who shop at WalMart and invest in companies like
BP

What weird mental gymnastics are you trying to pull here? You know someone who
hates Amazon and invests in Walmart/BP? So what? That doesn't mean there isn't
a legitimate reason to hate Amazon.

"ugh, another one of the daily anti-violent crimes posts. Rape is evil and
should be boycotted - usually coming from people who jaywalk and overcook
their steaks."

~~~
sli
They know someone who hates Amazon but shops at Wal-Mart and invests in BP,
and is projecting all of that onto everyone who has a negative view of Amazon.

------
benologist
We could start by shunning AWS content when their $200k+ salaried employees
are posting their latest announcements on HN while their unsalaried,
not-employed coworkers in the warehouses are sprinting to and from a piss
break trying not to be fired.

~~~
tempsolution
Any of the warehouse workers has or had the chance to obtain the skills of an
AWS employee... Or are you advocating communism?

~~~
SamBam
I'm not entirely sure what you're arguing. Are you saying it's ok to treat
nonskilled workers badly because they have the opportunity to gain skills?

