Cloudflare doesn't protect my website from vulnerability scanners


What is the name of the domain?

flaut.travel

What is the error number?

No error number

What is the error message?

No error message

What is the issue you’re encountering?

Cloudflare doesn’t protect my website and just passes all those shady bots to my website

What steps have you taken to resolve the issue?

I began receiving notifications of my K8s cluster being overloaded recently. I’ve looked into it and it seems that a lot of bots from Alibaba Cloud (Singapore) are blasting my website with requests. Millions of requests per day and terabytes of traffic. As soon as I turned on “Mitigated challenge” for users from Singapore, my K8s cluster stopped being blasted almost immediately and downscaled the pods. No more downtime. So I started looking into Cloudflare logs and I see that there are A LOT of IP addresses from AS45102.

Apparently, other services are capable of identifying those bots as vulnerability scanners and bandwidth drainers with no regard to 429. But not Cloudflare, for some reason. Here are some examples of those IP addresses.

https://www.abuseipdb.com/check/47.82.60.207
https://www.abuseipdb.com/check/47.79.121.0
https://www.abuseipdb.com/check/47.82.60.245

Cloudflare just keeps passing those bots down to my servers allowing them to drain my bandwidth and scan for vulnerabilities.

Why? From what I can see, WAF is included in the Free plan, yet I have to investigate this myself and manually apply rules and block certain bad crawlers. This has already happened three times. First I had to do this to block bots from China, then Hong Kong and now Singapore.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

Cloudflare gives you various security tools, but doesn’t block traffic willy-nilly for every customer on their platform. You need to enable and configure these tools to solve your website’s particular problems… which, it seems, you’ve finally done.

Yep, WAF is included in every plan… and those rules you applied used the WAF to block the bad crawlers.

The important thing to understand is that Cloudflare is not an activate-and-forget solution. Neither is security, generally.

Cloudflare provides a lot of tools for security and site acceleration. But users are expected to bring a basic know-how and properly configure the appropriate tools to fit their site’s unique needs. What’s more, you also need to keep an eye on key metrics and change things as necessary.

Good luck!

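The workflow both posts describe (read the request logs, find the network the flood is coming from, then write a WAF custom rule against it) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from Cloudflare: it ranks ASNs in a constructed sample of Cloudflare Logpush-style HTTP request records, flags an ASN when it carries most of the traffic or when its clients keep requesting after receiving a 429, and emits the rules-language expression you would paste into a custom rule with a Managed Challenge or Block action. The field names follow Cloudflare's Logpush HTTP request dataset and rules language (`ip.src.asnum` is the current name; older docs call it `ip.geoip.asnum`); the sample records, the IP-to-ASN mapping in them, and the thresholds are assumptions.

```python
"""Rank abusive ASNs in Cloudflare-style request logs and emit a WAF expression.

Added example, not code from the original thread or from Cloudflare.
Records are constructed in the shape of Cloudflare Logpush HTTP request
fields (ClientIP, ClientASN, ClientCountry, EdgeResponseStatus,
EdgeResponseBytes). ASN 45102 and the 47.x addresses come from the post;
the other ASNs/IPs are documentation ranges (AS64496/7, TEST-NET).
"""
import json
from collections import defaultdict

# Constructed sample log (NDJSON, one request per line). Real exports are far larger.
SAMPLE_LOG = """
{"ClientIP": "47.82.60.207", "ClientASN": 45102, "ClientCountry": "sg", "EdgeResponseStatus": 200, "EdgeResponseBytes": 524288}
{"ClientIP": "47.82.60.207", "ClientASN": 45102, "ClientCountry": "sg", "EdgeResponseStatus": 429, "EdgeResponseBytes": 512}
{"ClientIP": "47.82.60.207", "ClientASN": 45102, "ClientCountry": "sg", "EdgeResponseStatus": 200, "EdgeResponseBytes": 1048576}
{"ClientIP": "47.79.121.0", "ClientASN": 45102, "ClientCountry": "sg", "EdgeResponseStatus": 429, "EdgeResponseBytes": 512}
{"ClientIP": "47.82.60.245", "ClientASN": 45102, "ClientCountry": "sg", "EdgeResponseStatus": 200, "EdgeResponseBytes": 262144}
{"ClientIP": "203.0.113.7", "ClientASN": 64496, "ClientCountry": "de", "EdgeResponseStatus": 200, "EdgeResponseBytes": 20480}
{"ClientIP": "198.51.100.9", "ClientASN": 64497, "ClientCountry": "us", "EdgeResponseStatus": 200, "EdgeResponseBytes": 8192}
"""


def parse_records(text):
    """Parse NDJSON log lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def asn_stats(records):
    """Per-ASN totals: request count, bytes served, countries seen, and the
    number of requests a client made AFTER it had already been sent a 429
    (a client that keeps going after 429 is ignoring rate limiting)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "after_429": 0, "countries": set()})
    rate_limited = set()  # (ASN, ClientIP) pairs that have received a 429 so far
    for r in records:  # records are assumed to be in time order
        asn = r["ClientASN"]
        s = stats[asn]
        s["requests"] += 1
        s["bytes"] += r["EdgeResponseBytes"]
        s["countries"].add(r["ClientCountry"].upper())
        key = (asn, r["ClientIP"])
        if key in rate_limited:
            s["after_429"] += 1
        if r["EdgeResponseStatus"] == 429:
            rate_limited.add(key)
    return dict(stats)


def abusive_asns(stats, share_threshold=0.5):
    """Flag an ASN if it accounts for at least share_threshold of all requests
    (assumed cut-off) or if any of its clients kept requesting after a 429."""
    total = sum(s["requests"] for s in stats.values())
    flagged = [
        asn for asn, s in stats.items()
        if s["requests"] / total >= share_threshold or s["after_429"] > 0
    ]
    return sorted(flagged)


def waf_expression(asns):
    """Cloudflare rules-language expression matching the given ASNs, for a
    custom rule with action Managed Challenge (or Block). Matching on ASN is
    narrower than challenging a whole country, as the post ended up doing."""
    if not asns:
        return ""
    return "(ip.src.asnum in {" + " ".join(str(a) for a in sorted(asns)) + "})"


def country_expression(stats, asns):
    """Country-level fallback expression (what the post's 'challenge Singapore' rule did)."""
    countries = sorted({c for a in asns for c in stats[a]["countries"]})
    if not countries:
        return ""
    return "(ip.src.country in {" + " ".join(f'"{c}"' for c in countries) + "})"


if __name__ == "__main__":
    stats = asn_stats(parse_records(SAMPLE_LOG))
    for asn, s in sorted(stats.items(), key=lambda kv: -kv[1]["requests"]):
        print(f"AS{asn}: {s['requests']} req, {s['bytes']} bytes, "
              f"{s['after_429']} after 429, {sorted(s['countries'])}")
    flagged = abusive_asns(stats)
    print("WAF expression:", waf_expression(flagged))
    print("Country fallback:", country_expression(stats, flagged))
```

Run it against a real Logpush export of the zone (or the per-request records from Security Analytics) instead of the constructed sample. The ASN rule is the one to deploy first: it catches every address the network hands out, including ones not yet seen in the logs, without challenging legitimate visitors from the same country. A rate limiting rule keyed on `ip.src` with a low threshold is the complement for the "no regard to 429" behaviour the post describes.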
