I have an attacker who keeps calling the same links from different cities in many countries at the same time, simulating calls from a mobile browser, and unfortunately when I turn on “I’m Under Attack” it does not do anything; it does not block these attacks. The only thing that works is the firewall rule with a reCAPTCHA challenge. So basically I think the JS challenge system does not work as it is supposed to and is useless in my case.

I see Google has the invisible reCAPTCHA v2, which does not require user interaction, and Google now has reCAPTCHA v3, which is also invisible, and which I’d suggest Cloudflare start implementing for customers instead of the JS challenge one.


If anyone currently has a solution/suggestion for my issue until Cloudflare implements a practical secure system using reCAPTCHA v3 to block attackers, please let me know how to solve my problem. I am currently creating a firewall rule for whole countries and using a reCAPTCHA challenge, which makes most legitimate users not visit the website.

First, I want to confirm that you have properly firewalled your ports 80 and 443 to only allow Cloudflare to connect to your server. If you do not firewall correctly, the attacker can just go around Cloudflare.

Second, Cloudflare is currently working on a “bot management” feature which would likely use a v3-like score (a “global Cloudflare-based threat level based on machine learning”). Currently the Beta is only available to Enterprise but they are working on getting it out of beta and in more hands.

As for a fix possible now, perhaps your firewall rule should only trigger when threat score is greater than 0? Based on the limited information on these bots, they are likely part of a botnet, running the Chrome browser included on the mobile device to bypass Under Attack mode. After enough time of CF learning, they likely will receive a threat score of at least 1.

Past that, I’m not sure of any solutions other than scaling up. Maybe others here can also recommend solutions.
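
The origin lockdown described in the reply above, as an added example that is not part of the original post: it builds allow-then-drop `iptables` rules for ports 80 and 443 and audits an origin log for requests that did not arrive through Cloudflare. The embedded range list is a subset to be refreshed from Cloudflare's published list, and the log format and sample lines are constructed for illustration.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges, embedded so the example runs
# offline (assumption: refresh from https://www.cloudflare.com/ips-v4 first).
CLOUDFLARE_V4 = ["173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
                 "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13",
                 "172.64.0.0/13"]

# Constructed origin log: "<TCP peer address> <local port> <path>".
# Use the socket peer, never CF-Connecting-IP or X-Forwarded-For, which a
# client connecting directly to the origin can set to anything.
SAMPLE_LOG = """\
172.68.10.5 443 /index.html
203.0.113.77 443 /login
162.158.90.12 80 /api/items
198.51.100.23 80 /login
not-an-ip 443 /
"""

def load_networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def is_from_edge(peer, networks):
    """True only if peer parses as an IP inside an allowed range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparsable peers are treated as not allowed
    return any(addr in net for net in networks)

def iptables_rules(networks, ports="80,443"):
    """Allow the web ports from the listed ranges, then drop everyone else."""
    base = f"iptables -A INPUT -p tcp -m multiport --dports {ports}"
    return [f"{base} -s {net} -j ACCEPT" for net in networks] + [f"{base} -j DROP"]

def find_bypass(log_text, networks, ports=(80, 443)):
    """Return (peer, port, path) for web requests that skipped the proxy."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # malformed line
        peer, port, path = parts[0], int(parts[1]), parts[2]
        if port in ports and not is_from_edge(peer, networks):
            hits.append((peer, port, path))
    return hits

if __name__ == "__main__":
    nets = load_networks(CLOUDFLARE_V4)
    print("\n".join(iptables_rules(nets)))
    for hit in find_bypass(SAMPLE_LOG, nets):
        print("direct-to-origin:", hit)
```

Any hit from `find_bypass` means the origin is still reachable without passing through Cloudflare, so challenges and firewall rules configured there never see that traffic.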

I am currently under a DDoS attack and can see that the JS challenge works very poorly, if at all.

I googled and found a lot of JS scripts on GitHub and some hacker forums which can bypass the Cloudflare JS challenge easily.

So the botnet software can utilize these techniques, and it definitely does!

That is why I ask myself whether the JS challenge can be profitable at all.

It’s a great pity.

Is it possible that an application like this one could carry out the attack, even when run by a normal user and not a hacker:

Simple Traffic Bot

It says it simulates a real human in everything:

  • NO proxy need automatically simulate different locations
  • Simulate 418 user agent to simulate different devices
  • Simulate 28 screen Size
  • Simulate 34 screen width and height
  • Simulate 25 web browser languages
  • Simulate 968 different types of referrals
  • Simulate all web browsers (google chrome, mozilla firefox, internet explorer, opera …)
  • Simulate all devices (computers, tablets, smartphones)
  • Simulate all operating system (Windows 10, 8 , 7 , linux , ubuntu , fedora , Macintosh Mac-Os, android , ios)
  • Run multi-tasks at the same time
  • Simulate human’s operation scroll etc…

If it simulates a real user like this, it will be a nightmare to block, as I am experiencing now: I am unable to stop the calls to the same links from different cities all over the world, 24 hours a day, non-stop and even growing, and the only thing that stops it is the reCAPTCHA.

Has anyone really tried these types of apps, and can anyone confirm that from a single computer any normal user can attack any website from different locations undetected?

