Blocking CF Warp

For my site I block datacenters and VPNs by ASN using the WAF (Business Account). But now that Cloudflare has a VPN (CF Warp) I am unsure how to block it.

I asked CF support days ago, no response. Unfortunately CF Warp uses the same ASN as the rest of CF. Unsure what side-effects I would have from adding their ASN to a WAF rule.

I have not found any IP listing for Warp either. HE BGP shows that CF actually has 10 ASNs.

btw, not asking for criticism for the policy of my site to block VPNs. I have my reasons.

I believe you can still use the ASN of Cloudflare in WAF. There is no way to block only warp.

Yes, but I’d like to know any potential side effects. Am I going to block other services from Cloudflare? I may end up giving it a try and seeing what happens but I was hoping to get an official response about this. Maybe even a solution to block their VPN another way or a specific WAF rule.

Adding 10 CF ASNs to the firewall just doesn’t feel right.

Yes, this is going to block anything from Cloudflare, Workers or other services. It is an extreme option and could break things. I would wait for support’s response to see if they know.

You generally wouldn’t want to block purely based on ASN if it’s CF. Set up a separate rule for the CF ASN and combine it with at least the dynamic firewall field for Known Bots, cf.client.bot: https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#dynamic-fields

cf.client.bot
When true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.bot_management.verified_bot.

Example: only block the ASN if the request is not from a known bot:

ip.geoip.asnum eq 13335 and not cf.client.bot

I haven’t tried it myself, but in theory it would still allow Cloudflare’s own services/crawlers through if any need to, as I’d imagine CF would have those in the known bots database?


So, I believe WARP does use a dedicated IP range (WARP vs WARP+ is different too AFAIK). Are those ranges known? Nope, at least I wasn’t able to find them.

The best bet here would be relying on a VPN detection service, those aren’t perfect but overall have better coverage than built in alternatives.


Official support has given me a bad canned response that doesn’t address my problem.

"1. You’re getting attacks from Cloudflare’s IPs because they are being spoofed. Cloudflare does not send traffic over anything other than http:// (ports 80 and 443), so getting attacked by UDP requests means you are likely seeing a DNS amplification attack."

Which is wrong since they now actually have a VPN. They need to update that canned response.

I feel like CF support has gone downhill the past couple years. I used to get real human support. Now I get canned responses and told to use their Community site. Meh.

I understand the frustration a canned reply can carry. Can you share the ticket #?

Anyway, back to the topic: it seems like WARP is slowly focusing on becoming a more privacy-friendly VPN. It wouldn’t surprise me if, in the near future, website owners using CF won’t be able to see the IP behind visitors using WARP.

My advice remains the same, deal with WARP the same way you’d deal with any other VPN, using a VPN detector/IP information service.

ASN blocking is how I deal with them and it’s highly effective. I get a 2-for-1 deal because when I block ASNs I also block the sources of attacking datacenters. I currently have 450 ASNs blocked as well as some countries like RU, CN, KR, and I block the entire continent of South America.

My website experiences frequent attacks. These blocks greatly reduce their effectiveness and frequency. However, the CF Warp IPs are getting through.

I am not going to use another service for blocking just VPNs when I’ve had an effective solution for years. CF is my solution and they have created a problem, I do expect them to provide a work-around to the situation they’ve created for me. At the very least a dialog beyond a canned response.

My solution is to do a tag like cf.client.warp for the traffic and that way it can get blocked.

Also want to note: why doesn’t CF yet have a built-in VPN detector as part of its own service? That would seem like a really valuable addition to their service. They already have a way to block Tor traffic.

My ticket #2508714 btw.

https://developers.cloudflare.com/firewall/cf-firewall-rules/rules-lists
It’s there, it’s part of the Enterprise package.


Dang, Enterprise is just out of my budget. But it’s good to know it’s there.

Well, I think you could do some research and find the IP ranges used for WARP.

You can see all IPs Cloudflare has here: https://bgp.he.net/AS13335#_prefixes
You can see all IPs Cloudflare uses for its CDN: https://www.cloudflare.com/ips-v4

So far I’ve seen they use the 8.x.x.x segments for WARP+ with Zero Trust and the 104.28.x.x for WARP+ (notice how 8.x.x.x and 104.28.x.x are not included here: https://www.cloudflare.com/ips-v4).

Anyway, what’s the point? :smiley:

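As an added example (not code from any post in this thread), here is a small Python mock-up of how the rule proposed earlier, `ip.geoip.asnum eq 13335 and not cf.client.bot`, sorts requests, and of the distinction the previous post draws between Cloudflare’s published CDN ranges (ips-v4) and the rest of AS13335 where the 8.x.x.x / 104.28.x.x addresses fall. The CDN range list is a constructed subset of the published file and the request records are constructed; check the live ips-v4 list before relying on it.

```python
import ipaddress

# Constructed subset of the ranges published at https://www.cloudflare.com/ips-v4
# (CDN edge egress). Refresh from the live list; this is illustrative only.
CF_CDN_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13",
)]

CLOUDFLARE_ASN = 13335  # the ASN used in the proposed WAF expression


def is_cdn_edge(ip: str) -> bool:
    """True if ip is inside the published CDN ranges (what ips-v4 lists)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_CDN_V4)


def classify(req: dict) -> str:
    """Mirror `ip.geoip.asnum eq 13335 and not cf.client.bot` on a request record
    with keys ip, asn and client_bot, and label what a block would actually hit."""
    if req["asn"] != CLOUDFLARE_ASN:
        return "allow"           # rule only matches Cloudflare's ASN
    if req["client_bot"]:
        return "allow"           # verified-bot exemption keeps CF's own crawlers working
    if is_cdn_edge(req["ip"]):
        return "block-cdn-edge"  # side effect: this is CDN/Workers address space
    return "block-non-cdn"       # AS13335 but outside ips-v4, e.g. the WARP egress seen above


# Constructed request records exercising each branch of the rule.
SAMPLE_REQUESTS = [
    {"ip": "8.47.69.10",   "asn": 13335, "client_bot": False},  # 8.x.x.x, not in ips-v4
    {"ip": "104.28.1.2",   "asn": 13335, "client_bot": False},  # 104.28.x.x, not in ips-v4
    {"ip": "172.64.1.1",   "asn": 13335, "client_bot": False},  # CDN edge: collateral block
    {"ip": "172.64.1.1",   "asn": 13335, "client_bot": True},   # verified bot: exempt
    {"ip": "203.0.113.5",  "asn": 64500, "client_bot": False},  # other ASN: untouched
]


def classify_all(reqs=SAMPLE_REQUESTS) -> list:
    """Return the verdict for each sample request, in order."""
    return [classify(r) for r in reqs]


if __name__ == "__main__":
    for r, verdict in zip(SAMPLE_REQUESTS, classify_all()):
        print(f'{r["ip"]:>14}  AS{r["asn"]}  bot={r["client_bot"]!s:5}  -> {verdict}')
```

The two `block-*` labels both mean the rule matches; the split only shows the operator which matches are the collateral CDN traffic warned about earlier and which fall outside the published CDN ranges.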

@Albertus CF has 10 ASNs. I have yet to find something that shows me consistently which IPs used by CF are for Warp.

The list you provided is simply the IPs they use to forward HTTP/S traffic for clients, which need to be whitelisted in the server firewall or added to headers in Apache/Nginx for your logs.

I’m seeing a lot of various IPs used from around the world using CF Warp. An official list or method to block it would be beneficial to the community imho.

And what’s the point? To stop attacks, scammers and bad traffic.