Block Azure & Google Cloud users without blocking bing & google search engine bot

I tried to block an azure & google cloud user. Someone is setting up free accts with those services, and keeps using them to run direct hacking attacks on my site. There is no breaches, but they are using it to try to avoid getting blocked as blocking AS8075 & AS15169 blocks the google & bing index bots.

I tried to setup a firewall rule, and missed getting it right as the attack came in without cloudflare blocking it.

The firewall rule I setup is
AS8075 and
AS15169 and
known bots off

(ip.geoip.asnum eq 8075 and ip.geoip.asnum eq 15169 and not cf.client.bot)

block

Could some help me setup where I can block azure & google cloud users without blocking google & bing search indexing bot? I really would appreciate the assistance in getting this attack stopped without blocking the indexing of my site.

Based on https://cloud.google.com/compute/docs/faq#find_ip_range (http://www.gstatic.com/ipranges/cloud.json), the AS that announces the prefixes is the same for both Google Cloud and their primary services:

Google Cloud listing
image

Googlebot IP

image

Although, you might notice that the “host” of the IP is different. For Google Cloud, the IP’s host ends in googleusercontent.com, while Googlebot ends in googlebot.com. This method is precisely how Google expects people to verify that content coming from Google’s network is legitimate traffic from Googlebot.

https://support.google.com/webmasters/answer/80553?hl=en

As for how this matters in a Firewall rule, CF does verify Googlebot using the method Google recommends, and will appropriately set “verified bot” to false since it’s a fake Googlebot.


So, to go about making sure fake Bingbot and fake Googlebot are blocked, you should modify it to be:

(ip.geoip.asnum in {8075 15169} and not cf.client.bot)

Your firewall rule above would only trigger if the ASN were both numbers at the same time, which wouldn’t ever trigger.

If you have the Pro plan or above with the WAF and the “Cloudflare Specials” ruleset enabled, the managed rule 100035 is already set up to block fake Googlebot.

This topic was automatically closed after 30 days. New replies are no longer allowed.