"AS" block not effective for some reason


#1

For a while already I have had a firewall entry for AS14061. First it was only a JavaScript challenge, then a proper challenge, and now finally a complete block, but addresses from that space still seem to manage to circumvent these settings. Most recently 104.248.8.6 managed to go through.

Would anybody have an explanation for that? The IP address seems to be part of that AS and I am sure the request came via Cloudflare (the location information was included).


#2

Other IPs are blocked? ARIN doesn’t provide the AS number for this /16 :thinking: :



#3

Other blocks do seem to work. I did notice whois did not return the AS code for that range but didn't believe it to be a problem. Maybe I was wrong :slight_smile: - so you’d assume it slips through because of this?


#4

My thoughts. But it seems that ARIN doesn’t provide the AS on all their networks when whois.arin.net is used (checked a few /8). But I’ve learned a few minutes ago that the AS is still provided when a different whois server is used:

AS | IP | AS Name
14061 | 104.248.0.0 | DIGITALOCEAN-ASN - DigitalOcean, LLC, US

And I guess that there would be more complaints if the missing AS was an issue.


#5

So back to square one :slight_smile:

@cscharff?


#6

@cscharff, could that be the explanation, that Cloudflare can't find the association to the AS and, hence, lets the request pass?


#7

I… don’t know? Seems unlikely? I would recommend opening a ticket with Cloudflare support. They have access to more extensive logging tools than I do / more experience in debugging that type of issue.