Blocked because of IPS attack

alexandre1 · September 18, 2018, 7:09pm

I have been constantly receiving the message “Blocked because of IPS attack”.
We performed some tests with the tool creating some page rules and we could verify that the error was not presented with a rule created the “cache level: bypass”.

If this rule is changed to “cache level: cache everything” the error message is displayed.

As you can see in the attachments the header of both requests are from Cloudflare.
We performed some tests by changing the IP of the computer hosts to the direct IP of our server structure and the message is not displayed .
Remembering that this message is displayed for specific users, not all users are given the error in question.

Has anyone had the same problem?

alexandre1 · September 18, 2018, 7:19pm

MarkMeyer · September 18, 2018, 7:27pm

Looks more like a rate limiting on the origin or a firewall in front of it. Yes, I read that this doesn’t happen when CF is inactive)

But deactivating Cloudflare will cause 10 visitors to show their own IPs which are different. With Cloudflare active there are possibly 10 requests from the same IP address or network: Cloudflare which triggered your IPS. You could try to restore the origin IP and check if it helps.

Judge · September 18, 2018, 7:28pm

Reference: https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

MarkMeyer · September 18, 2018, 7:34pm

Thanks. I am mobile and was still searching for it ^^

alexandre1 · September 20, 2018, 2:57pm

unfortunately mod CF’s inclusion did not work, the message keeps showing up for some users. =/

system · October 20, 2018, 2:57pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.