Access Rules - Javascript Challenge Bypassed


#1

Hi,

I have access rules for various countries set to “javascript challenge” but I’m still getting some bot hits from those countries.

For example, I have a challenge for Nigeria and continue to receive bot hits from this IP: 197.210.226.252, which comes from Nigeria.

When I look at the headers for this connection I see: Cf-Connecting-Ip: 82.145.223.12, which comes from Norway.

Can someone please explain what is happening here, as the bot IP is saying it’s from Nigeria, but it seems to be accessing my site via a Cloudflare pop in Norway, thereby bypassing the country challenge.

A similar thing is happening with a bot identified as coming from Zambia, but is bypassing the country challenge as it enters via a Cloudflare pop in USA.

Also, in case this helps Cloudflare to improve their security, if they don’t know about it already, I found this (https://gist.github.com/antoligy/f4f084b87946f84a89b4), which is someone providing details on how to bypass the javascript challenge.

Thank you


#2

How are you determining the bot IP? What is the value for CF-IPCountry?


#3

@cscharff

I am using a plugin called “Access Watch” (https://wordpress.org/plugins/access-watch/)

This is the information it provides:


#4

WAF rules fire on the connecting IP address; additional entries in the x-forwarded-for header can’t be deemed reliable as they can be forged.


#5

OK, so why is an IP from Nigeria bypassing the challenge by connecting to a CF pop in Norway? Are you saying the Nigerian IP isn’t actually from Nigeria?

I’m wondering if you can explain why the Nigerian IP isn’t being blocked? I should also note that I can block the Nigerian IP by adding it in my htaccess, which is why I’m confused why CF isn’t blocking it.


#6

The user is connecting to Cloudflare using the IP address specified in the CF-Connecting-IP. That’s the IP address which is used for WAF rule processing, and it’s not the Nigerian IP earlier in the x-forwarded-for. It’s actually hitting our Amsterdam POP based on the airport code in your CF-Ray ID. If the traffic is truly from Nigeria it is hitting a proxy prior to Cloudflare with the IP address specified in the CF-Connecting-IP field.

The other address can be forged, so can’t be deemed to be reliable. That IP address flagged as Nigeria appears to be from Nigeria based on a reverse lookup, it just doesn’t mean that it actually originated there. There’s no way to know.

Think of the inverse. Let’s say you whitelisted that same IP address and then I connected to the server with a forged x-forwarded-for value in the chain which matched, but wasn’t the IP address I’m connecting from. Would you want your server to allow the traffic?


#7

You make it sound like it’s very easy for bots to bypass country challenges. Is there anything I can do to protect myself against such IP manipulations?


#8

The x-forwarded-for header has no security associated with it beyond the last proxy to touch it that you trust, which in this case is Cloudflare, who inserted the address of the machine which connected to it and also inserted the same information in the CF-Connecting-IP field. There is no way for Cloudflare or you to verify any previous addresses inserted by applications or untrusted proxies.

This isn’t a problem unique to Cloudflare; it is an issue inherent in the nature of the Internet and the associated protocols in use. You can see the same warning regarding the trustworthiness of other entries in the header from other sources such as this: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

It is not possible to know in this instance if the value is being inserted by a machine running on the IP address in question, or if it is perhaps a VPN or other proxy the user is using to connect to the internet, or someone could even be using public IP address space in a private network.

Since the only thing Cloudflare knows for certain is the IP address that connected to it (and through our tooling the country we map that to) the country block is based on that IP address (which in this case would be GB). If you were to challenge GB that request would be subject to the country challenge.
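The rule described in replies #4, #6 and #8, "trust the X-Forwarded-For chain only back to the last proxy you trust, and ignore everything to the left of it", written out as an added example. This is not Cloudflare's code and not the Access Watch plugin; the trusted-proxy range 203.0.113.0/24 is a documentation prefix standing in for the edge addresses an origin would actually load, and the two-entry country table is constructed from the addresses named in the thread. The example walks the chain from the TCP peer leftwards, stops at the first hop that is not a trusted proxy, and bases the country decision on that address alone, so a forged leading entry (the Nigerian address in #1) never reaches the rule.

```python
import ipaddress

# Assumed edge range the origin trusts. Documentation prefix, constructed for this demo;
# a real deployment loads the proxy's published address ranges instead.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed geo table containing only the two mappings the thread states.
GEO = {"197.210.226.252": "NG", "82.145.223.12": "NO"}

# Constructed request headers reproducing the situation in post #1: a forged leading
# X-Forwarded-For entry, then the address the trusted edge actually saw connecting.
THREAD_HEADERS = {
    "X-Forwarded-For": "197.210.226.252, 82.145.223.12",
    "CF-Connecting-IP": "82.145.223.12",
}


def parse_xff(value):
    """Split an X-Forwarded-For value into addresses, oldest (left) to newest (right).
    Entries that are not IP addresses become None so they can never count as trusted."""
    addrs = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            addrs.append(None)
    return addrs


def is_trusted(addr):
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, headers):
    """Return the address an access rule should evaluate.

    Start at the TCP peer and walk the chain right to left, skipping hops that are
    trusted proxies. The first hop that is not one is the address the last trusted
    proxy saw; every entry to its left was written by parties we cannot verify."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # The request did not arrive through the trusted edge at all (for example a
        # direct hit on the origin): every forwarding header is untrusted, use the peer.
        return str(peer)
    lower = {k.lower(): v for k, v in headers.items()}
    chain = parse_xff(lower.get("x-forwarded-for", "")) + [peer]
    for addr in reversed(chain):
        if is_trusted(addr):
            continue
        # A non-address in the slot the trusted proxy wrote is malformed; fall back
        # to the peer rather than to anything further left.
        return str(addr) if addr is not None else str(peer)
    return str(peer)  # no untrusted hop at all: the edge itself is the client


def cf_header_consistent(peer_ip, headers):
    """True when CF-Connecting-IP (set by the trusted edge) agrees with the address
    recovered from the chain. A mismatch means one of the two was not set by the edge."""
    lower = {k.lower(): v for k, v in headers.items()}
    claimed = lower.get("cf-connecting-ip")
    if claimed is None:
        return False
    return claimed.strip() == effective_client_ip(peer_ip, headers)


def country_decision(peer_ip, headers, challenged):
    """Mimic a per-country challenge rule evaluated on the verified address only.
    Returns (action, ip, country); unknown addresses map to '??'."""
    ip = effective_client_ip(peer_ip, headers)
    country = GEO.get(ip, "??")
    return ("challenge" if country in challenged else "allow", ip, country)


if __name__ == "__main__":
    edge = "203.0.113.10"  # assumed address of the trusted edge connecting to the origin
    print(country_decision(edge, THREAD_HEADERS, {"NG"}))   # ('allow', '82.145.223.12', 'NO')
    print(country_decision(edge, THREAD_HEADERS, {"NO"}))   # ('challenge', ...)
    print(cf_header_consistent(edge, THREAD_HEADERS))       # True
    # A direct connection from the Nigerian address that forges a Norwegian entry:
    print(country_decision("197.210.226.252", {"X-Forwarded-For": "82.145.223.12"}, {"NG"}))
```

The same walk is what any "restore visitor IP" step in front of a country rule has to do: accept the edge-written value only when the TCP peer is in the edge's address ranges, and never read further left in the chain. Without the peer check, a client that reaches the origin directly can write any CF-Connecting-IP or X-Forwarded-For value it likes.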

