Bot fight mode allowing IPs that are blocked from the WAF

Hello, I am on a free plan with the Bot Fight mode enabled.

I am getting very heavy attacks recently, and am blocking all IPs through a list.
Checking the Security event logs, I can see that some of these IPs are logged at Managed Challenge.

My question is, are the WAF rules still applied and these IPs blocked, or do they access the website anyway? Because there is no event log saying they are blocked, I’m a bit concerned.

They will only take the first kind of WAF rule that matches them, so if they are hitting e.g. a Managed Challenge rule first, they won’t proceed to the blocking rule, in an example like this:

However, if I change the order of these WAF rules, so that Block comes first, then it will be the blocking that has effect.

I believe the exact same applies to the Bot fight mode, so if your Bot fight mode is deciding to give them a Managed Challenge, it won’t proceed to your Block rule, as an action has already been taken towards them.

If you would like to block certain traffic using specific conditions, I would suggest creating a WAF rule first that blocks what you don’t want, and then the next rule, for things you may eventually be OK with but still would like to challenge, comes afterwards.

The free Bot fight mode does unfortunately not provide that much granularity.

You should see everything that your WAF rule(s) are blocking under the “Security Events”.

“Log matching requests” can, to my knowledge, only be disabled for the action “Skip”.
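The first-match behaviour described in the reply above, as an added example that is not part of the original thread or Cloudflare’s own code: a minimal ordered rule evaluator where the first matching rule decides the request and later rules are never consulted. The rule predicates, the `looks_like_bot` flag and the IP list are constructed stand-ins, not Cloudflare’s expression language or bot scoring.

```python
# Added example: first-match evaluation over an ordered list of security rules.
# Everything here is constructed for illustration; it is not Cloudflare code.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Request:
    ip: str
    looks_like_bot: bool  # constructed stand-in for a bot-detection signal

@dataclass
class Rule:
    name: str
    action: str  # "block" or "managed_challenge"
    matches: Callable[[Request], bool]

# Constructed sample block list (documentation-only TEST-NET addresses).
BLOCKED_IPS = {"203.0.113.10", "198.51.100.7"}

block_rule = Rule("block listed IPs", "block", lambda r: r.ip in BLOCKED_IPS)
bot_rule = Rule("challenge bot-like traffic", "managed_challenge",
                lambda r: r.looks_like_bot)

def evaluate(rules: List[Rule], request: Request) -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the FIRST matching rule; later rules are skipped."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.action
    return None, "allow"

def security_events(rules: List[Rule], requests: List[Request]) -> List[Tuple[str, str]]:
    """One log entry per request, showing only the action that was actually taken.
    A blocked IP that was challenged first never produces a 'block' entry."""
    return [(req.ip, evaluate(rules, req)[1]) for req in requests]

if __name__ == "__main__":
    req = Request("203.0.113.10", looks_like_bot=True)  # listed IP that looks like a bot
    # Challenge rule ordered first: the block rule is never reached.
    print(evaluate([bot_rule, block_rule], req))  # ('challenge bot-like traffic', 'managed_challenge')
    # Block rule ordered first: the listed IP is blocked regardless of bot signal.
    print(evaluate([block_rule, bot_rule], req))  # ('block listed IPs', 'block')
```

Swapping the order of `bot_rule` and `block_rule` is the only change between the two outcomes, which is why a challenge that sits ahead of a block rule can let a listed IP through once the challenge is passed.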

The problem is that a WAF rule cannot be placed before the Bot fight mode. Meaning that my only option, with what you’re saying, would be to turn off the Bot fight mode option (and I don’t want to do that).

If this is not an available option, I mean, it makes no sense to offer this Bot fight mode, since it would bypass a country block and any rule just by attacking a website “looking like a bot” and managing the challenge.

This is a big security hole if it’s really what it is.

I think there are a handful of exceptions to that traffic sequence diagram.

WAF Custom Rules clearly has an option to Skip Super Bot Fight Mode:

Hello @sdayman

Not for the blocking action, I’m afraid:

Sorry, I misunderstood. What exactly are your current bot settings? And which are you trying to override?

Hello @sdayman
As per my original post, what I want is:

  • Have the Bot Fight Mode enabled
  • Still apply the WAF blocking rules no matter what the result of the Bot Fight Mode is

Current behavior (from what I can read in the logs):

  • A blocked IP gets a Bot Fight challenge
  • Challenge is managed
  • The blocked IP can access the origin

