Challenge all VPN traffic?

Is there a way to detect and challenge all VPN traffic? I am getting quite a bit from this VPN IP with a 99% threat/fraud score:
https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/88.99.27.172

Cloudflare doesn’t provide this feature. If you subscribe to a VPN list yourself, you can have your server handle the blocking.


@sandro might know a way to challenge VPN traffic. Or maybe he does it by threat score.

@sdayman, VPN will be tricky. These will appear as genuine user connections (as they are) and there won't be much data in that part of the request to make a challenge decision.

So it would mostly come down to the IP address (range, AS, etc.). In this context the threat score could be relevant as well, but AFAIK there is no information out there if Cloudflare assigns a minimum score to addresses owned by VPN providers.

Well, whatever “magic” you have configured at Sitemeer keeps blocking me. Now from my naked ISP connection. It used to just block me when I went through my personal VPN.

:smile: Most likely an AS based block.

Then it might overdo it.


Would challenge by ASN be the way to go? Or will that challenge non-vpn folks as well?

If the VPN uses the same network as a regular ISP it could affect non-VPN users as well.

It really comes down to which networks you are going to challenge. VPNs are typically located in classic datacentre networks (e.g. Digital Ocean) and are not so much related to classic ISPs, but if you are not careful in choosing what you challenge there certainly is the risk that you challenge either too much or too little.


The specific IP address on your original post belongs to AS24940, from Hetzner, a German hosting company.

I challenge a bunch of hosting provider ASNs, as I believe real users won’t visit my sites through them. Hackers will, after properly compromising websites these ASNs host.

I have also been testing for the past few weeks an “everybody is blocked, except…” rule as my main Firewall Rule, where I will challenge any visitor that is NOT

  • a known bot;
  • from a list of countries where the sites’ target audience is located;
  • requesting a special URL, such as ads.txt, robots.txt, sitemap.xml etc;
  • from a list of ASNs/IPs I want to whitelist for several reasons, such as page speed monitors, certain online services, and bots not included in CF’s list.

Since I created this rule, my Firewall Events log has been a lot busier, and my origin server logs quite idle as far as bad behavior goes.

So instead of playing mouse and cat with hackers, I just let them see captchas all the time. I monitor the Firewall Events log now to find patterns of well-behaving visitors to whitelist, instead of looking for patterns of bad behavior to challenge/block.

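The two rules described in the post above (challenge hosting-provider ASNs, then "everybody is challenged except...") as an added Python example of the decision logic; this is not the poster's actual configuration nor a Cloudflare product, and the country, path and whitelist values are constructed placeholders. The only value taken from the thread is AS24940; the ASNs 64496 and following are documentation ASNs standing in for a page-speed monitor and ordinary ISPs. Because the hosting-ASN rule is evaluated before the allow rule, a visitor from a target country who arrives through a hosting-provider VPN is still challenged, which is the trade-off discussed earlier in the thread.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# All list contents below are constructed placeholders, not the poster's real lists.
TARGET_COUNTRIES = {"US", "CA"}
SPECIAL_PATHS = {"/ads.txt", "/robots.txt", "/sitemap.xml"}
WHITELIST_ASNS = {64496}                                   # hypothetical page-speed monitor
WHITELIST_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical online service (TEST-NET-3)
HOSTING_ASNS = {24940}                                     # AS24940 (Hetzner), named in the thread


@dataclass(frozen=True)
class Request:
    ip: str
    asn: int
    country: str
    path: str
    known_bot: bool = False


def decide(req: Request) -> tuple[str, str]:
    """Evaluate rules in order, first match wins; returns (action, reason)."""
    addr = ipaddress.ip_address(req.ip)
    path = req.path.split("?", 1)[0]  # the special-URL check ignores the query string

    # Rule 1: hosting-provider ASNs are challenged before any allow rule can match.
    if req.asn in HOSTING_ASNS:
        return ("challenge", f"hosting ASN {req.asn}")

    # Rule 2: default challenge, with the listed exemptions checked in turn.
    if req.known_bot:
        return ("allow", "known bot")
    if path in SPECIAL_PATHS:
        return ("allow", f"special URL {path}")
    if req.asn in WHITELIST_ASNS:
        return ("allow", f"whitelisted ASN {req.asn}")
    if any(addr in net for net in WHITELIST_NETS):
        return ("allow", "whitelisted IP range")
    if req.country in TARGET_COUNTRIES:
        return ("allow", f"target country {req.country}")
    return ("challenge", "outside target audience")


def summarize(requests) -> Counter:
    """Count verdicts, the way one would skim the Firewall Events log."""
    return Counter(decide(r)[0] for r in requests)


# Constructed sample traffic; only the first address comes from the original post.
SAMPLE = [
    Request("88.99.27.172", 24940, "DE", "/wp-login.php"),     # hosting ASN: challenged
    Request("198.51.100.4", 64500, "US", "/"),                 # target country: allowed
    Request("198.51.100.5", 64500, "FR", "/robots.txt"),       # special URL: allowed
    Request("203.0.113.8", 64501, "FR", "/"),                  # whitelisted range: allowed
    Request("198.51.100.6", 64502, "FR", "/", known_bot=True),  # known bot: allowed
    Request("198.51.100.7", 64503, "FR", "/"),                 # nothing matches: challenged
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.ip, *decide(r))
    print(dict(summarize(SAMPLE)))
```

Swapping the order of the two rules changes the outcome for exactly the hosting-ASN-plus-target-country case, so keep the order explicit when translating this into real firewall rules.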

We are using the IP2Proxy database to detect VPNs on our server using the client IP address provided by Cloudflare. It does the job well compared to using a remote API, which slows down our site due to latency.
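The origin-side approach from the two posts that mention it (subscribing to a VPN list yourself, then checking the client IP that Cloudflare forwards) as an added Python example; it is not IP2Proxy's code nor any poster's setup. Every range below is a constructed documentation placeholder: the edge list stands in for Cloudflare's published IP ranges and the VPN list for whatever list you subscribe to. The example also shows the check an origin server needs that the thread does not spell out: the CF-Connecting-IP header is only trustworthy when the TCP peer really is a Cloudflare edge, because a request that reaches the origin directly can carry any header value.

```python
import ipaddress
from typing import Iterable, Mapping, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class PrefixSet:
    """Membership test against many CIDR blocks, costing one set lookup per distinct
    prefix length: cheap enough to run on every request without a remote API call."""

    def __init__(self, cidrs: Iterable[str]):
        self._by_len: dict = {}
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            key = (net.version, net.prefixlen)
            self._by_len.setdefault(key, set()).add(int(net.network_address))

    def __contains__(self, addr: IPAddr) -> bool:
        for (version, plen), nets in self._by_len.items():
            if version != addr.version:
                continue
            mask = ((1 << plen) - 1) << (addr.max_prefixlen - plen)
            if (int(addr) & mask) in nets:
                return True
        return False


# Constructed placeholders (RFC 5737 / RFC 3849 documentation ranges), not real data.
CLOUDFLARE_EDGE = PrefixSet(["198.51.100.0/24"])          # stand-in for Cloudflare's edge ranges
VPN_LIST = PrefixSet(["192.0.2.0/24", "2001:db8::/32"])   # stand-in for a subscribed VPN list


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> IPAddr:
    """Return the visitor's address. CF-Connecting-IP is honoured only when the TCP peer
    is a Cloudflare edge; otherwise the peer itself is the client (header ignored)."""
    peer = ipaddress.ip_address(peer_ip)
    if peer in CLOUDFLARE_EDGE:
        forwarded = headers.get("CF-Connecting-IP", "")  # real frameworks normalise header case
        try:
            return ipaddress.ip_address(forwarded.strip())
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return peer


def classify(peer_ip: str, headers: Mapping[str, str]) -> tuple[str, str]:
    """(client address, 'vpn' | 'direct') for one request."""
    addr = client_ip(peer_ip, headers)
    return (str(addr), "vpn" if addr in VPN_LIST else "direct")


if __name__ == "__main__":
    # Constructed requests: via the edge with a VPN client, a direct hit spoofing the header,
    # an IPv6 VPN client, and an edge request without the header.
    for peer, hdrs in [
        ("198.51.100.7", {"CF-Connecting-IP": "192.0.2.5"}),
        ("203.0.113.9", {"CF-Connecting-IP": "192.0.2.5"}),
        ("198.51.100.7", {"CF-Connecting-IP": "2001:db8::1"}),
        ("198.51.100.7", {}),
    ]:
        print(peer, hdrs, "->", classify(peer, hdrs))
```

With a real list the PrefixSet holds a few tens of distinct prefix lengths at most, so the per-request cost stays flat no matter how many ranges the list grows to.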

It looks like I’ll have to take a very hands on monitoring approach. A lot of VPN traffic is ok. But some are definitely malicious. The only way to keep on top of this, that I can see, is to keep an eye on my logs and inspect each oddly behaving IP.