Blocking ASN in Firewall Rules or IP Access Rules

I’ve searched the community, and there seem to be two different ways to block ASN from which we’re receiving bad actor traffic:

- Firewall Rules
- IP Access Rules

What is the difference between setting up these ASN rules, and what are the pros/cons?

Firewall Rule is the new thing. IP Access Rule is legacy.

You should use a Firewall Rule, as it allows for exceptions, which an IP Access Rule doesn’t.

For example, after blocking a whole ASN, you find out that it also blocks an online service your site depends on. You may then edit your Firewall Rule to block the ASN but exclude the IPs from that specific service.

That’s a good point. Since Firewall rules are limited to 100 (Business Plan), about how many AS Num values can you block in a single Firewall rule (using “or”)?

Each Firewall Rule is limited in size to 4 KB, so it will vary because of the number of digits in the ASN. You should create a list using “is in”, as opposed to linking a bunch of ASNs with OR. That will save you a lot of characters in the final rule.


Thanks again. What is the proper syntax for the expression builder when using the “is in” option? Do you just enter a list of ASN numbers separated by spaces, or ???

In the expression editor, yes, you separate them with a space and they all go inside curly brackets. Here’s an actual FR I use in one of my websites:

(not cf.client.bot and ip.geoip.asnum in {4134 4808 4837 7303 8075 8402 8560 8972 9121 12714 12876 14061 14576 15895 16276 20473 23033 23724 24940 24961 26496 27640 28331 30083 31034 32244 36352 36903 37963 39572 40021 40065 40676 42610 43350 45090 45102 45731 45899 46606 50113 50297 50673 54290 55286 60068 60781 135905 198375 199284 200313 202242 202425 208046 209588 213230 396356 397373 399471} and not http.request.uri.path in {"/" "/robots.txt" "/ads.txt" "/favicon.ico"})

In this rule, I’m excluding the Known Bots, a list of Cloudflare-sanctioned “good bots” such as search indexes, as well as some URLs that I think should be open to all. Also, I use this rule with action Managed Challenge, instead of Block, as you never know when legit visitors will use some service (VPN, proxies, etc.) or ISP who might use one of those ASNs to reach your sites.


I believe there’s an issue with this statement, as this blocks many more ASNs than intended. For instance, if you list 399471, then any four- or five-digit ASNs that include any piece of 399471 will also be blocked, like 3994, 9947, 9471, etc. Isn’t that an issue?

No, because that’s not how the “in” comparison works. You need an exact match or the comparison fails.

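An added example, not code from this thread or from Cloudflare: a Python model of the rule quoted above, showing that “in {...}” is exact set membership (399471 is listed, so 3994 and 9947 do not match) and how much shorter the set form is than an “or” chain against the 4 KB rule limit. The ASNs and paths are copied from the posted rule; the sample requests are constructed.

```python
# Added example (not Cloudflare's code): a Python model of the Firewall Rule
# quoted above. It shows that "in {...}" is exact set membership (399471 is
# listed, 3994 is not matched) and how much shorter the set form is than an
# "or" chain against the 4 KB per-rule limit. ASNs and paths are copied from
# the posted rule; the sample requests at the bottom are constructed.

BLOCKED_ASNS = [4134, 4808, 4837, 7303, 8075, 8402, 8560, 8972, 9121, 12714,
                12876, 14061, 14576, 15895, 16276, 20473, 23033, 23724, 24940,
                24961, 26496, 27640, 28331, 30083, 31034, 32244, 36352, 36903,
                37963, 39572, 40021, 40065, 40676, 42610, 43350, 45090, 45102,
                45731, 45899, 46606, 50113, 50297, 50673, 54290, 55286, 60068,
                60781, 135905, 198375, 199284, 200313, 202242, 202425, 208046,
                209588, 213230, 396356, 397373, 399471]
OPEN_PATHS = {"/", "/robots.txt", "/ads.txt", "/favicon.ico"}
RULE_LIMIT_BYTES = 4096  # the 4 KB per-rule limit mentioned in the thread


def rule_matches(asnum: int, path: str, known_bot: bool) -> bool:
    """not cf.client.bot and ip.geoip.asnum in {...} and not
    http.request.uri.path in {...}; both "in" checks are exact matches."""
    return not known_bot and asnum in set(BLOCKED_ASNS) and path not in OPEN_PATHS


def substring_misreading(asnum: int) -> bool:
    """The reading questioned above (3994 'hits' as a piece of 399471).
    This is not how the in operator behaves; kept only for comparison."""
    return any(str(asnum) in str(a) for a in BLOCKED_ASNS)


def build_in_expression(asns) -> str:
    """Set form: ip.geoip.asnum in {4134 4808 ...}"""
    return "ip.geoip.asnum in {" + " ".join(map(str, asns)) + "}"


def build_or_expression(asns) -> str:
    """Chained form: ip.geoip.asnum eq 4134 or ip.geoip.asnum eq 4808 ..."""
    return " or ".join(f"ip.geoip.asnum eq {a}" for a in asns)


def expression_bytes(expr: str) -> int:
    return len(expr.encode("utf-8"))


if __name__ == "__main__":
    for asnum, path, bot in [(399471, "/login", False), (3994, "/login", False),
                             (399471, "/robots.txt", False), (399471, "/login", True)]:
        print(asnum, path, "-> challenge" if rule_matches(asnum, path, bot) else "-> pass")
    for build in (build_in_expression, build_or_expression):
        size = expression_bytes(build(BLOCKED_ASNS))
        print(f"{build.__name__}: {size} bytes, fits 4 KB: {size <= RULE_LIMIT_BYTES}")
```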
