Captcha bypass? Bug?

Hello! I noticed some strange thing that looks like a bug. To be able to visit my site users must complete captcha challenge first (and I’m sure my firewall settings correct) and it works fine but today my site was under attack and attackers somehow bypass captcha challenge. I attach a screenshot (here is logs for only 1 IP from many thousands) where we can see that cloudflare blocks these requests because the attacker has to complete captcha but… these requests somehow reach my server! I checked nginx logs and I can see the same requests from the same IP at the same time? How is it possible? How do they bypass captcha callenge? I also have to notice that it’s 100% requests through the cloudflare because my iptables rules allow requests only from cloudflare.

Thats a peculiarity of the firewall event log. It still shows requests as challenged, even if had long passed the challenge. In this case it might be the first request was manually solved and all subsequent requests used that very same challenge session.

Thank you for the reply but there were about 2000 unique IPs, and I think it’s impossible to solve captcha for all of them…

Your screenshot only showed one IP address. So you have 2000 IP addresses on you Cloudflare event log and they all reached your server? Keep in mind, they even show up if they dont reach your server.

Here is how it looks like without filtering. The previous screenshot was just for demostration of the problem. And here is the example of server logs. So if we take any random IP from logs, almost for all of them we can see a lot of challenges in cloudflare logs and a lot of requests in server logs.

That’s Digital Ocean same happended to me, In my case I simply blocked DigitalOcean ASN since DigitalOcean doesn’t offer internet connection to end user and also they don´t host any known bot or something

Information for IP address: 178.128.18.102
Announced Yes
First IP 178.128.0.0
Last IP 178.128.208.203
AS Number 14061
AS Country code US
AS Description DIGITALOCEAN-ASN - DigitalOcean, LLC

So don´t block Isolated IP block the DigitalOcean ASN if you block singapur for example the it will come from another country but from the same ASN of DigitalOcean

1 Like

Yes, I block such ASNs after attacks like that (but it’s not the only ASN that was used for that attack). I just don’t understand how they bypass captcha…

This topic was automatically closed after 30 days. New replies are no longer allowed.