In the same way that we can create “IP Lists” and “Redirect Lists” under Manage Account > Configurations > Lists, it would be great to be able to create “ASN Lists”. Right now I am facing a problem with the max character limit in Firewall rules (WAF). That value is restricted to 4096 bytes. Taking into account that each ASN has an average of 6 bytes, only 650-700 ASNs can be added per Firewall rule.

Is there a workaround for this?

  • Adding the values via API: same limitation of chars as UI
  • Create multiple Firewall rules: it’s an option, but not efficient
  • Create block rules via “IP Access Rules”: it could work, but as it has more priority than WAF Rules, the “Known Bots” WAF rules won’t work. I need that rule to work.

Let’s say I want to add 2500 ASNs, what would be the best way to do it?

Creating the ASN rules via “IP Access Rules” is a bad idea, because that has more priority than WAF rules, and it will block IPs that are allowed with the “Known Bots” WAF rule.

I’ve brainstormed another idea, which is blocking ASNs via Cloudflare Workers. I’ve been researching this and it gives you a lot of flexibility about what to do with requests.

@jnperamo what do you think is the best idea here?
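The “create multiple Firewall rules” option from the list above, as an added example that is not code from the thread or from Cloudflare: a small script that packs an ASN list into the fewest rule expressions that each stay inside the 4096-byte limit the thread describes. `ip.geoip.asnum` is Cloudflare’s Rules-language field for the client ASN; the 2500-entry sample list is constructed for the example, not a real blocklist.

```javascript
// Added example, not from the thread or from Cloudflare: pack a long ASN list
// into the fewest firewall-rule expressions that each fit the 4096-byte limit.
// `ip.geoip.asnum` is Cloudflare's Rules-language field for the client ASN;
// the sample ASN list further down is constructed, not a real blocklist.
const MAX_EXPRESSION_BYTES = 4096;
const PREFIX = "ip.geoip.asnum in {";
const SUFFIX = "}";

// Returns an array of expression strings such as
// "ip.geoip.asnum in {64496 64497}", none longer than maxBytes.
// ASN tokens are ASCII digits, so string length equals byte length here.
function buildAsnExpressions(asns, maxBytes = MAX_EXPRESSION_BYTES) {
  const base = PREFIX.length + SUFFIX.length;
  const expressions = [];
  let tokens = [];
  let size = base;

  for (const asn of asns) {
    if (!Number.isInteger(asn) || asn < 0) {
      // Refuse anything that is not a plain non-negative integer; a stray
      // string here would otherwise end up inside a live rule expression.
      throw new TypeError(`invalid ASN: ${asn}`);
    }
    const token = String(asn);
    // One extra byte for the space separator when the expression is not empty.
    const extra = token.length + (tokens.length > 0 ? 1 : 0);
    if (tokens.length > 0 && size + extra > maxBytes) {
      // Flush the expression that is full and start a new one.
      expressions.push(PREFIX + tokens.join(" ") + SUFFIX);
      tokens = [];
      size = base;
    }
    tokens.push(token);
    size += token.length + (tokens.length > 1 ? 1 : 0);
  }
  if (tokens.length > 0) expressions.push(PREFIX + tokens.join(" ") + SUFFIX);
  return expressions;
}

// Constructed input: 2500 six-digit ASNs, the list size the thread asks about.
const SAMPLE_ASNS = Array.from({ length: 2500 }, (_, i) => 100000 + i);

// How many separate firewall rules the sample list needs.
function sampleRuleCount() {
  return buildAsnExpressions(SAMPLE_ASNS).length;
}
```

With six-digit ASNs each expression holds 582 numbers (19 bytes of prefix, 1 of suffix, 6 for the first number and 7 for each further one), so the 2500-entry sample needs five rules; shorter ASNs pack more densely, which is where the thread’s 650-700 estimate comes from. The generated strings are the `expression` value you would give each rule, whether through the dashboard or the API.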

ASNs have IPs assigned, you could use an ASN lookup tool and block their assigned IP blocks through IP Lists.
Each IP List can store up to 10k entries which should be enough to blocklist the ASNs that annoy you.

You can do this; Workers are very powerful and I know that some enterprise customers use them for external bot protection (DataDome and PerimeterX both have a Cloudflare implementation that uses Workers).
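The Worker approach raised above and endorsed in this reply, as an added example that is not code from the thread or from Cloudflare: a Worker that rejects requests whose client ASN is on a blocklist. `request.cf.asn` is the real property Cloudflare populates on incoming requests; the `BLOCKED_ASNS` and `ALLOWED_ASNS` names and their contents are this example’s own placeholders (documentation-reserved ASNs from RFC 5398). A request that the WAF lets through still reaches the Worker, so the Worker carries its own allowlist for anything it must never block.

```javascript
// Added example, not code from the thread or from Cloudflare: a Worker that
// blocks requests by client ASN using the real `request.cf.asn` property.
// Both lists are constructed placeholders (RFC 5398 documentation ASNs).
const BLOCKED_ASNS = new Set([64496, 64497, 64498]);
const ALLOWED_ASNS = new Set([64499]); // explicit exceptions win over the blocklist

// Pure decision function so the policy can be tested without a Worker runtime.
// `cf` is the object found at `request.cf`; only its `asn` field is consulted.
function shouldBlock(cf, blocked = BLOCKED_ASNS, allowed = ALLOWED_ASNS) {
  if (!cf || typeof cf.asn !== "number") return false; // no ASN data: fail open
  if (allowed.has(cf.asn)) return false;
  return blocked.has(cf.asn);
}

async function handleRequest(request) {
  if (shouldBlock(request.cf)) {
    // Short fixed body; nothing from the request is echoed back.
    return new Response("Forbidden", { status: 403 });
  }
  // Everything else is passed through to the origin unchanged.
  return fetch(request);
}

// Service-worker style registration. The guard lets the same file load in
// plain Node for unit tests, where the global `addEventListener` is absent.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(handleRequest(event.request));
  });
}
```

Because the decision lives in `shouldBlock`, the ASN set can be swapped for one loaded from KV or an environment binding without touching the request path, and a miss on `cf.asn` falls open rather than blocking traffic whose origin is unknown.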

IP blocking is not something I’m planning to do. It’s not scalable. ASN blocking is much more efficient.

In terms of Rule prioritisation, if I block ASNs using a CF Worker and I activate the Known Bots filter in the WAF, which one has more priority?

Adding values via the API has the same character limitation as the UI, meaning 4096 bytes.

So that is not an option.

Ideally Cloudflare can increase that value size.

I see this feature has already been discussed here:

Lists are assigned a type during creation and the first type available is the IP List. We plan to add Country and ASN Lists, and are monitoring feedback to see what other types may be useful.

This was 2 years ago already, but still, this feature has not been implemented.

