Bot fight mode challenging known bots too

I have set up a WAF rule to allow known bots:

```
cf.client.bot
```

However, Cloudflare seems to present challenges to known bots too. In the screenshot below, for a given IP, we can notice CF allows traffic from the same IP once and then presents a challenge subsequent times. And these are not like dozens of requests. Any idea why Bot Fight Mode would challenge known good bots too?

Without seeing the details of the Bot Fight Mode event, we really can’t say what’s going on.

Sure, here are the JSONs for two sample events - one “Allow” and the other “Challenge”.

```
{
  "action": "allow",
  "clientASNDescription": "HETZNER-AS",
  "clientAsn": "24940",
  "clientCountryName": "DE",
  "clientIP": "168.119.133.80",
  "clientRequestHTTPHost": "blog.squaredeal.tax",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/2",
  "clientRequestPath": "/favicon.ico",
  "clientRequestQuery": "",
  "datetime": "2022-08-17T14:06:08Z",
  "rayName": "73c2f7f6ae429c06",
  "ruleId": "b193654fa63647b98835fbc2aff43058",
  "rulesetId": "",
  "source": "firewallrules",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/89.0.4389.82 Safari/537.36 Prerender (+https://github.com/prerender/prerender)",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "filter",
      "value": "9b82fae9484c4f618db0a33e9ddf6556"
    },
    {
      "key": "type",
      "value": "customer"
    }
  ],
  "sampleInterval": 1
}
{
  "action": "jschallenge",
  "clientASNDescription": "HETZNER-AS",
  "clientAsn": "24940",
  "clientCountryName": "DE",
  "clientIP": "168.119.133.80",
  "clientRequestHTTPHost": "blog.squaredeal.tax",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/2",
  "clientRequestPath": "/harris-county-property-tax-protests/",
  "clientRequestQuery": "",
  "datetime": "2022-08-17T14:06:08Z",
  "rayName": "73c2f7f62d9d9c06",
  "ruleId": "bot_fight_mode",
  "rulesetId": "",
  "source": "botFight",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/89.0.4389.82 Safari/537.36 Prerender (+https://github.com/prerender/prerender)",
  "matchIndex": 0,
  "metadata": [],
  "sampleInterval": 1
}
```

Hmmm, it sure looks legitimate. I do see Prerender on the list:

https://radar.cloudflare.com/verified-bots

And reverse lookup shows it’s coming from prerender.

Which bot fight mode are you using? Free Plan, or is it a Paid Plan’s Super Bot Fight Mode?

At this point, it appears to be a false positive. It could be a new IP address that Cloudflare has not yet internalized:

https://support.cloudflare.com/hc/en-us/articles/360035387431#h_zzzgV0HSwPUhOEs5UY9sD

I am on the Free plan. I also tried an IP address whitelist, but got the same result. I have turned off BFM for now.
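An added example, not part of the original thread and not Cloudflare code: one way to triage an export of firewall events like the two above is to list every client that a custom rule allowed (`source` of `firewallrules`) and that Bot Fight Mode also challenged (`source` of `botFight`). The sample events are constructed (the thread's two events trimmed to the fields used, with a shortened user agent, plus one made-up event), and the function names are hypothetical.

```python
import json
from collections import defaultdict

# "jschallenge" is the action shown in the thread; the other two values are
# assumed to be the remaining challenge actions an export can contain.
CHALLENGES = {"jschallenge", "challenge", "managed_challenge"}

# Constructed sample: the thread's two events, trimmed (user agent shortened),
# plus one made-up event for an unrelated client in a documentation IP range.
SAMPLE = '''
{"action": "allow", "source": "firewallrules", "clientIP": "168.119.133.80",
 "ruleId": "b193654fa63647b98835fbc2aff43058", "rayName": "73c2f7f6ae429c06",
 "clientRequestPath": "/favicon.ico", "userAgent": "HeadlessChrome Prerender"}
{"action": "jschallenge", "source": "botFight", "clientIP": "168.119.133.80",
 "ruleId": "bot_fight_mode", "rayName": "73c2f7f62d9d9c06",
 "clientRequestPath": "/harris-county-property-tax-protests/",
 "userAgent": "HeadlessChrome Prerender"}
{"action": "jschallenge", "source": "botFight", "clientIP": "203.0.113.7",
 "ruleId": "bot_fight_mode", "rayName": "0000000000000000",
 "clientRequestPath": "/", "userAgent": "constructed-client/1.0"}
'''

def parse_events(text):
    """Parse back-to-back JSON objects (the paste format above, not an array)."""
    decoder, pos, events = json.JSONDecoder(), 0, []
    while pos < len(text):
        if text[pos].isspace():          # raw_decode does not skip whitespace
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)
    return events

def allowed_but_challenged(events):
    """Map (clientIP, userAgent) to its allow rules and Bot Fight Mode challenges."""
    allowed, challenged = defaultdict(set), defaultdict(list)
    for e in events:
        key = (e["clientIP"], e["userAgent"])
        if e["source"] == "firewallrules" and e["action"] == "allow":
            allowed[key].add(e["ruleId"])
        elif e["source"] == "botFight" and e["action"] in CHALLENGES:
            challenged[key].append((e["rayName"], e["clientRequestPath"]))
    return {k: {"allow_rules": sorted(allowed[k]), "challenged": challenged[k]}
            for k in challenged if k in allowed}

if __name__ == "__main__":
    for (ip, ua), hit in allowed_but_challenged(parse_events(SAMPLE)).items():
        print(ip, ua, hit["allow_rules"], hit["challenged"])
```

The ray IDs in the output are the ones to quote when reporting a suspected false positive.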
