Yes, but I’d like to know any potential side effects. Am I going to block other services from Cloudflare? I may end up giving it a try and seeing what happens but I was hoping to get an official response about this. Maybe even a solution to block their VPN another way or a specific WAF rule.
Adding 10 CF ASNs to the firewall just doesn’t feel right.
Official support has given me a bad canned response that doesn’t address my problem.
" 1. You’re getting attacks from Cloudflare’s IPs because they are being spoofed. Cloudflare does not send traffic over anything other than http:// (ports 80 and 443), so getting attacked by UDP requests means you are likely seeing a DNS amplification attack."
Which is wrong since they now actually have a VPN. They need to update that canned response.
I feel like CF support has gone downhill the past couple years. I used to get real human support. Now I get canned responses and told to use their Community site. Meh.
I understand the frustration a canned reply can carry. Can you share the ticket #?
Anyways, back to the topic: it seems like WARP is slowly focusing on becoming a more privacy-friendly VPN. It wouldn’t surprise me that in the near future, website owners using CF won’t be able to see the IP behind visitors using WARP.
My advice remains the same, deal with WARP the same way you’d deal with any other VPN, using a VPN detector/IP information service.
ASN blocking is how I deal with them and it’s highly effective. I get a 2 for 1 deal because when I block ASNs I also block the sources of attacking datacenters. I currently have 450 ASNs blocked as well as some countries like RU, CN, KR and I block the entire continent of South America.
My website experiences frequent attacks. These blocks greatly reduce their effectiveness and frequency. However, the CF WARP IPs are getting through.
I am not going to use another service for blocking just VPNs when I’ve had an effective solution for years. CF is my solution and they have created a problem; I do expect them to provide a work-around to the situation they’ve created for me. At the very least a dialog beyond a canned response.
My solution is to do a tag like cf.client.warp for the traffic and that way it can get blocked.
Also, I want to note: why doesn’t CF yet have a built-in VPN detector as part of their own service? That would seem like a really valuable addition to their service. They already have a way to block Tor traffic.