API request was blocked by the Cloudflare firewall

What is the name of the domain?

What is the error number?

106

What is the error message?

A request was blocked by the Cloudflare firewall, indicating the IP address 2401:4f8:200:8232::2 needs to be added to the allowlist to bypass this block.

What is the issue you’re encountering?

Connection refused for REST API

What steps have you taken to resolve the issue?

Removing the CF proxy enables access. Allowlisting does not, using (ip.src eq 104.26.6.23).

What are the steps to reproduce the issue?

GET https://chocolatedetective.co.uk/wp-json/wc/v3/products?consumer_key=c

Allowing IP addresses would need to be done using the actual source IP address of the request.

104.26.6.23 is a Cloudflare IP address, and won’t be the correct one to attempt to allow.

What do you see under “Firewall Events”?

https://dash.cloudflare.com/?to=/:account/:zone/security/events

OK thanks so much @DarkDeviL I greatly appreciate your fast and insightful answer.

I will double check the IP address but I also allowlisted the IPv6 mentioned in the error: 2401:4f8:200:8232::2

Sorry, I can’t find firewall events at https://dash.cloudflare.com/?to=/:account/:zone/security/events; this link shows a list of accounts, and there is no similar mention near the WAF area.

One other question is why most DDoS attacks are coming through despite having Attack mode on.

Now I worked out that a simple rate rule with fairly drastic limits, appropriate for a relatively quiet site, is enough to head off 20 GETs a second from anywhere.

I’m still unsure why CF didn’t identify the nature of the ongoing DDoS and automatically mitigate with automatic rate limiting.

Do you have a screenshot of that error, or something similar?

That specific IPv6 address seems to be unallocated at the moment, as APNIC (Asia Pacific Network Information Centre) hasn’t allocated it to any organisation at the moment.

If you have multiple accounts and/or zones, it will ask you which account and/or zone you wish to go in to, and once you have selected the correct account and zone, it will take you to the right place.

Actually, yes, consistent naming and such are on my wishlist.

What about Security → Events?

I guess that depends on what you call DDOS attacks, as the definition may vary from person to person, and from organisation to organisation.

Attack mode is only suggested during an actual attack wave, and is suggested to be disabled again, as soon as the attack has subsided.

It will provide a challenge to the users, but if the user is able to solve it, it will let them pass through for the time specified in Challenge Passage under Security → Settings.

https://dash.cloudflare.com/?to=/:account/:zone/security/settings

In that location, things that are blocked by Cloudflare will show up like this:

In this specific case, it is a “Custom rule” that I added myself, to my WAF, to block visitors (e.g. browsers) that do not present the User-Agent header.

Actually, it was added (like many others), as a test rule at one point, at an unused domain.

Currently, Microsoft’s network (likely their Azure Cloud) seems to be hitting that unused domain, with a lot of garbage traffic, at the moment.

That would likely require your rate limiting rules, as well as information about the DDoS attack you seem to be experiencing.

If I’m interpreting “from anywhere” correctly, we’re not talking about one single source, but multiple sources?

IIRC, the rate limiting is operating per PoP (e.g. datacenter / facility), so if you have 5 users flooding your website, and they are reaching 5 different Cloudflare PoPs, that could mean that it will require 5 times the traffic you’ve configured, before the rate limiting kicks in.
