For my account, I block at the ASN level in a lot of cases, especially for hosting companies. I’ve recently added “AS0 -Reserved AS-” as a block rule in Security → WAF → Tools → IP Access Rules.
However, while other ASNs are blocked, it seems that AS0 is allowed to continue (fortunately, being blocked because of the UA they used).
I’m not sure if this is intended… I could see it being that the “real” ASN just hasn’t been updated yet at Cloudflare, which makes it appear to be a false positive — but I don’t know how to test that.
The requests came in for ~10 minutes, all from the same IP. Here’s an example event.
Is this a false positive, or a bug in the firewall?
{
  "action": "managed_challenge",
  "clientASNDescription": "-Reserved AS-",
  "clientAsn": "0",
  "clientCountryName": "US",
  "clientIP": "85.209.133.7",
  "clientRequestHTTPHost": "_redacted_",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/1.1",
  "clientRequestPath": "/",
  "clientRequestQuery": "",
  "datetime": "2024-05-06T21:46:12Z",
  "rayName": "87fc2966ab82426d",
  "ref": "",
  "ruleId": "2c7e0156945c4705bc16eb95023b9498",
  "rulesetId": "bcb4fb48da2341f9a1bc7ef63ee6a363",
  "source": "firewallCustom",
  "userAgent": "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "ruleset_version",
      "value": "335"
    },
    {
      "key": "version",
      "value": "29"
    },
    {
      "key": "type",
      "value": "customer"
    },
    {
      "key": "js_detection",
      "value": "MISSING"
    }
  ],
  "sampleInterval": 1
}
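Added example, not part of the original post and not Cloudflare code: a small Python triage over exported firewall events in the format shown above, reporting which rule source and action handled each request attributed to a given ASN, how many client IPs were involved, and over what time span. The function name `summarize_asn`, the sample records, and the assumption that an ASN-keyed IP Access Rule logs `source` as `asn` are hypothetical and should be checked against your own event export.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample: the first record copies fields from the event in the post;
# the other two are invented to show how an IP Access Rule hit would be counted.
SAMPLE_EVENTS = json.loads("""[
  {"action": "managed_challenge", "clientAsn": "0", "clientIP": "85.209.133.7",
   "datetime": "2024-05-06T21:46:12Z", "source": "firewallCustom"},
  {"action": "block", "clientAsn": "0", "clientIP": "85.209.133.7",
   "datetime": "2024-05-06T21:55:40Z", "source": "asn"},
  {"action": "block", "clientAsn": "64496", "clientIP": "192.0.2.10",
   "datetime": "2024-05-06T21:50:00Z", "source": "asn"}
]""")

# Assumption: events produced by an ASN-keyed IP Access Rule carry source "asn".
ACCESS_RULE_SOURCE = "asn"


def summarize_asn(events, asn, access_rule_source=ACCESS_RULE_SOURCE):
    """Summarize which rule source handled requests attributed to one ASN."""
    hits = [e for e in events if str(e.get("clientAsn")) == str(asn)]
    times = sorted(
        datetime.fromisoformat(e["datetime"].replace("Z", "+00:00")) for e in hits
    )
    handled = Counter((e["source"], e["action"]) for e in hits)
    # Events for this ASN that some other rule type acted on instead.
    missed = [e for e in hits if e["source"] != access_rule_source]
    return {
        "total": len(hits),
        "distinct_ips": sorted({e["clientIP"] for e in hits}),
        "span_seconds": (times[-1] - times[0]).total_seconds() if times else 0.0,
        "handled_by": dict(handled),
        "not_access_rule": len(missed),
    }


if __name__ == "__main__":
    report = summarize_asn(SAMPLE_EVENTS, "0")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-zero `not_access_rule` count for the ASN means those requests were acted on by a different rule type, which is the situation the event above shows with `"source": "firewallCustom"`.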