Bot traffic managed to bypass Cloudflare Interactive Challenge (Captcha)

Hi people.

I got lots of bot traffic from India to my website two months ago until now.

I created a rule to set a Managed challenge for India only, then an Interactive challenge, but the bots escaped them and accessed the website.

When they access the website, they drain the server resources. So, I blocked India from accessing the website.

Are there any other solutions to block only bot traffic?

The image shows the IP requests for the past 24 hours.

Your IPs aren’t all coming from India: - AS14061 - DIGITALOCEAN-ASN - DigitalOcean, LLC, Singapore - Same - Same - AS14061 DigitalOcean Germany
You could start by blocking the ASN 14061 as its a VPN/Proxy, and, if you don’t care about Singapore or German traffic then block them as a country as DigitalOcean seems to be the source of about half the attacks on our sites so we block it
Check each IP to see where it is, find the common ASN’s - more than likely the proxy & VPNs like Akamai, OVH, Ionos, tor endpoints, Clouvider, godaddy, etc., etc…, then block as appropriate, or turn it around - where do you want traffic from? Then block everything else

1 Like

Thank you paul32

I’m trying not to block any country. I blocked about 40 IPs using the .htaccess file, but when I block some, others show up.

I checked the IP addresses, they are as you described. But on Google Analytics, they are all from India.

If you are using Cloudflare then block them in Cloudflare before they hit your site rather than using .htaccess


Okay, Paul32.

Any idea how to block only bot traffic from accessing my site? considering that the normal Captcha doesn’t prevent all bots from accessing the website.

I blocked ~1600 ASN with type hosting (including general hostings like Hetzner, OVH, .etc, and different clouds) where bots are generally originated from. So, it took me about 7 days to collect all this ASN numbers. I set 3 WAF rules on a free CF tariff and got about 3-15k requests per domain per 24 hours blocked.

First, have a read here: Community Tutorials

Then - identify who you want to block, there is no magic button for “block all bad bots” as they appear all the time and evolve

Identify the ASNs / IPs / User agents / countries / etc. for the bots that are hitting you - they will probably be from the many VPN/Proxy providers; digitalocean, ionos, microsoft, akamai, ovh, etc., etc., there are thousands of them - you have to put the work in if you want to secure your sites

In the last couple of hours we have had hits from bots and script kiddies in:

AS63949 -AKAMAI-LINODE-AP Akamai Connected Cloud
AS16509 -AMAZON-02
AS24955 -UBN-AS
AS211252 -AS_DELIS
AS4837 -CHINA169-BACKBONE CHINA UNICOM China169 Backbone
AS265172 -E. C. E. Telecomunicacoes LTDA
AS16276 -OVH
AS27738 -Ecuadortelecom S.A.
None of which we would see as sources of potential customers, so we perm block them

It is much easier to decide who you want as visitors / customers and block everyone else

Some ASNs will only ever be sources of bad traffic, same with some countries

We, and our clients, block entire countries, and continents, and only make our sites accessible to people we want as customers, does it cost us business? No, as we wouldnt deal with or sell into any of the countries we have blocked

As ivangorshkov also says above - collect the data and then start blocking

Check these posts:

You can also enter the game of blocking ASNs/ip ranges or adding rate limiting rules but mitigating bots properly is tedious and expensive.

if a bot detects that its IP has been flagged, they will rotate through a new set of addresses or use proxies that aren indistinguishable from normal users.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.