Answer these questions to help the Community help you with Security questions.
What is the domain name? Cannot share for private reasons. It’s a banking middleware API and would not be appropriate to share in community forum.
*Have you searched for an answer? Yes. Also contacted CF support, but since we have a pro plan only… answers sometimes take 2-30 days. Asking for second opinion here.
Please share your search results url:
*When you tested your domain, what were the results? Looking at traffic logs, IP addresses belonging to users performing a type of Bank Fraud are using the API.
*Describe the issue you are having: Cloudflare Global Security Setting of “Medium” is not stopping IP addresses that have a threat score of over 50, up to 100. We have a custom rule. Say, “Block all but USA”. This was just intended to make sure only those on a USA geo were able to access the API. We know this can be circumvented via proxy and VPN (which 100% of these fraud IPs with high scores are on).
What error message or number are you receiving? None.
What steps have you taken to resolve the issue? We are considering using custom rules to block a specific range of threat scores. The main concern here is… Why is the Global Security setting of Medium not working? Is this issue because the 1 Custom Rule of Block All but USA supersedes the Global Security Setting of Medium? If so, we need to go ahead and create a second custom rule to get that up and running. Or if the Global Security Setting of Medium is not working due to a Cloudflare Issue.
Was the site working with SSL prior to adding it to Cloudflare? Not Applicable.
What are the steps to reproduce the error: Not Applicable.
Have you tried from another browser and/or incognito mode? Not Applicable.
Please attach a screenshot of the error:
All Security Level does is challenge users with a specific IP Reputation. It won’t block them. If they pass the challenge, they can go right on through.
Custom Rules can Skip Security Level, but one blocking the USA wouldn’t affect Security Level.
It sounds to me like you just forward threat_score to your origin? If that’s all you’re looking at, they could have simply just passed the challenge. Threat score doesn’t necessarily mean they are bad; they could, for example, just be using a VPN also used by bad actors.
Thank you, interesting insight Chaika. I do want to add more for context. This is not a website. It’s application middleware, an API. It handles Paths/Posts/Gets, etc. An app running on a phone calls it and it handles those calls and performs actions. The app on the phone that end users/customers/fraudsters use is completely incapable of producing a challenge. In our dev environment we created a custom WAF rule for threat scores above zero just to see what would happen as a control. We tested the rule with Managed Challenge, JS Challenge, Log, Interactive challenge and they all produced the same programmed result of “bank server down” because the Mobile Phone app is incapable of showing any kind of challenge layer on top to the user… So the app just treats the connection as no response.
Good news is, that’s exactly how we would expect it to behave. The plan was to create a custom WAF rule blocking all threat score IPs above 50 until we all noticed the Main Site Settings is set to “Medium” which, according to Cloudflare, is 50 and above. Lots of us are questioning why that’s not working compared to the example I explained above. Perhaps the CF Managed rule needs to be changed from “Default” to “Block” in order for it to be working as desired. This is something I will test in DEV with the team in the morning! It’s just odd that there is no definition of “Default”.
For some context… from our dev Cloudflare site, I have attached a large compiled screenshot. 2 Separate parts to it Top/Bottom. Top is the Global Security Setting and CF managed ruleset… all set to original “Defaults”. I have read so much on this and cannot find any definition of “Default”. Bottom part is showing the 1 Custom Rule we have… it only blocks folks who aren’t in USA. *I did acknowledge in the original post that we know these folks are on proxy and VPNs.
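To illustrate the two points made above (Security Level only challenges, it never blocks, and a challenge reads as "no response" to a mobile app that cannot render one), here is an added simulation that is not Cloudflare's code and not from this thread. It assumes Medium challenges at threat score 50 and above, that custom rules are evaluated before Security Level, and it models the Cloudflare fields `ip.geoip.country` and `cf.threat_score` as Python predicates with the expression kept only as a label.

```python
"""Constructed model of how a Cloudflare custom rule and the Security Level
setting combine for an API client.  Illustrative only; evaluation order and
the Medium threshold are assumptions taken from the thread, not Cloudflare's
engine."""
from dataclasses import dataclass
from typing import Callable

SECURITY_LEVEL_THRESHOLDS = {"medium": 50}  # assumed: Medium challenges score >= 50


@dataclass
class Request:
    src_country: str            # ip.geoip.country as seen by the edge (VPN exit, not the user)
    threat_score: int           # cf.threat_score, 0..100
    can_render_challenge: bool  # False for a mobile banking app calling an API


@dataclass
class CustomRule:
    expression: str                      # Cloudflare-style expression, used as a label only
    matches: Callable[[Request], bool]   # predicate standing in for the expression
    action: str                          # "block", "managed_challenge" or "skip_security_level"


# Constructed rules mirroring the thread: geo-only-USA, plus the planned threat-score block.
GEO_ONLY_USA = CustomRule('ip.geoip.country ne "US"', lambda r: r.src_country != "US", "block")
THREAT_BLOCK = CustomRule("cf.threat_score ge 50", lambda r: r.threat_score >= 50, "block")


def evaluate(req: Request, custom_rules: list, security_level: str = "medium") -> str:
    """Edge decision: 'blocked', 'challenged' or 'allowed'."""
    skip = False
    for rule in custom_rules:
        if not rule.matches(req):
            continue
        if rule.action == "block":
            return "blocked"
        if rule.action == "managed_challenge":
            return "challenged"
        if rule.action == "skip_security_level":
            skip = True  # the only custom-rule action that changes Security Level behaviour
    if not skip and req.threat_score >= SECURITY_LEVEL_THRESHOLDS[security_level]:
        return "challenged"  # Security Level challenges; it never blocks on its own
    return "allowed"


def api_client_view(outcome: str, req: Request) -> str:
    """What the app observes: an unrenderable challenge is indistinguishable from no response."""
    return "no_response" if outcome == "challenged" and not req.can_render_challenge else outcome


def demo() -> tuple:
    """Same high-score request through a US VPN exit, before and after adding THREAT_BLOCK."""
    fraud = Request(src_country="US", threat_score=80, can_render_challenge=False)  # constructed
    before = api_client_view(evaluate(fraud, [GEO_ONLY_USA]), fraud)
    after = api_client_view(evaluate(fraud, [GEO_ONLY_USA, THREAT_BLOCK]), fraud)
    return before, after
```

In this model the geo rule alone leaves the high-score request to Security Level, which challenges it and so the app sees a failed call rather than a block; only the explicit threat-score Block rule produces a deterministic deny that the API client can report cleanly.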