It was pointed out on IRC that this is intentional, per
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/manifests/snapshot_web.pp

IMO blocking random (and large) chunks of EC2 is not a good idea, as the collateral impact is potentially huge. I'd like to suggest a more targeted way of throttling individual clients that doesn't have such broad impact. The iptables connlimit module comes to mind, but there are undoubtedly other options.