Prior to Nov 6th these were not appearing; nothing has changed in the network/security configuration. Has anything changed with Genesys Cloud to start causing this? We are having to look into whitelisting this CVE/threat, but I don't see any mention of cloudfront or the IPs we are seeing in the documentation, i.e. "IP addresses for the firewall allowlist".
Just for example here is some of the traffic that was dropped.
We are in the US East region, and this actually happens before login. The app or website simply goes to a blank white screen and never loads or prompts for credentials when this traffic is dropped/blocked.
We have temporarily allowed it for the time being and can now log in. Based on the CVE description it sounds like the app/service might be trying to find the local IP address somehow, but it only started on Nov 6th. Our provider's firewall was monitoring for this threat prior to that, and according to Fortinet their threat definitions haven't been updated since 2021.
I was skeptical these requests were due to WebRTC, but upon hearing they are pre-login I'm reasonably certain they are not. I suggest gathering console logs to see what the specific requests are and going from there.
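A practical way to act on the suggestion above is to export the browser's network log as a HAR file while the blank page loads, then list which hostnames the page tried to reach and which of those requests failed, compared against the hosts the vendor documents. The following script is an added example written for this thread, not code from the poster or from Genesys; the HAR content, the hostnames (`apps.example.com`, `d1example.cloudfront.net`, etc.) and the allowlist suffixes are constructed placeholders, and the assumption that a blocked request exports with HTTP status 0 matches what Chrome's DevTools writes for failed requests.

```python
import json
from urllib.parse import urlsplit

# Constructed sample HAR (not a real capture): a pre-login page load that
# pulls assets from the application origin and from a CDN hostname.
# Status 0 marks requests the browser could not complete (e.g. dropped
# by a firewall); 200 marks requests that succeeded.
SAMPLE_HAR = {
    "log": {
        "entries": [
            {"request": {"url": "https://apps.example.com/"},
             "response": {"status": 200}},
            {"request": {"url": "https://apps.example.com/static/app.js"},
             "response": {"status": 200}},
            {"request": {"url": "https://d1example.cloudfront.net/vendor.js"},
             "response": {"status": 0}},
            {"request": {"url": "https://login.example.com/oauth/authorize"},
             "response": {"status": 0}},
        ]
    }
}

# Hypothetical documented allowlist: hosts ending in these suffixes are
# expected. Replace with the suffixes from the vendor's own documentation.
ALLOWLIST_SUFFIXES = ("example.com",)


def host_of(url: str) -> str:
    """Return the hostname part of a URL (lower-cased, empty if absent)."""
    return (urlsplit(url).hostname or "").lower()


def is_allowed(host: str, allowlist=ALLOWLIST_SUFFIXES) -> bool:
    """True if host equals an allowlisted suffix or is a subdomain of one.

    The dot boundary matters: 'notexample.com' must not match 'example.com'.
    """
    return any(host == s or host.endswith("." + s) for s in allowlist)


def summarize(har: dict, allowlist=ALLOWLIST_SUFFIXES) -> dict:
    """Group HAR entries by hostname, counting total and failed requests."""
    summary = {}
    for entry in har["log"]["entries"]:
        host = host_of(entry["request"]["url"])
        rec = summary.setdefault(
            host, {"requests": 0, "failed": 0, "allowed": is_allowed(host, allowlist)}
        )
        rec["requests"] += 1
        if entry.get("response", {}).get("status", 0) == 0:
            rec["failed"] += 1
    return summary


def unexplained_hosts(har: dict, allowlist=ALLOWLIST_SUFFIXES) -> list:
    """Hosts that are not on the allowlist and had at least one failed request.

    These are the hostnames worth raising with the vendor: the page needed
    them before login, they were blocked, and the documentation does not
    account for them.
    """
    return sorted(
        host for host, rec in summarize(har, allowlist).items()
        if not rec["allowed"] and rec["failed"] > 0
    )


def load_har(path: str) -> dict:
    """Load a HAR file exported from the browser's network panel."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for host, rec in summarize(SAMPLE_HAR).items():
        flag = "ok " if rec["allowed"] else "NOT ALLOWLISTED"
        print(f"{flag} {host}: {rec['requests']} requests, {rec['failed']} failed")
    print("unexplained:", unexplained_hosts(SAMPLE_HAR))
```

To use it on a real capture, replace `SAMPLE_HAR` with `load_har("capture.har")` and the placeholder suffixes with the vendor's documented hosts; a HAR only shows HTTP(S) traffic, so any WebRTC/STUN activity would not appear in it and would need a packet capture instead.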
@crw1987 please open a case with Genesys Cloud Care to continue this investigation. Because this is a public forum, there is no means to securely transmit potentially sensitive data such as a browser's network logs.