Cloudflare is actually allowing bad bots to connect


#1

I am on the free plan and, as such, I don’t have the WAF. But I set up my nginx origin webserver to block a list of bad bots, threats and bad IPs. Then my origin webserver connects to Cloudflare exclusively. But, of course, my webserver only sees that it is serving Cloudflare requests, coming only from Cloudflare IPs.

My website is new, with no human visitors at all yet and only one page, the WordPress default Hello page, as the home page. Then I left the project for a month.

Then…

Cloudflare is serving these spammy bots!!! I checked CF analytics; the request number is freakishly high within 24 hours (like 20k+). I got a bandwidth egress bill of about 1 GB last month from my hosting. Sure, 1 GB is only a couple of cents. But the point is that Cloudflare is serving these bots, chewing bandwidth egress on a simple one-page WordPress default homepage.

Imagine if it is a full working website with images and many pages. I will be doomed.

So currently I use the CF firewall to allow only my personal IP to connect to the site, so that the event log shows what it tried to block, and yes, it’s blocking bots (mostly from the US) and some Europe and Brazil IPs trying to hack wp-login.

TLDR: I set up my origin webserver to block threats and connect to Cloudflare IPs exclusively; Cloudflare is serving the threats…

So, is this a tactic to force free users to purchase at least PRO??


#2

One main takeaway: use Cache-Control headers and let Cloudflare serve cached content.

There is no strange tactic here, simply that Cloudflare isn’t blocking the bots because your security settings allow them. Turn up the security level in the dashboard. Note that most can also be Google’s, Bing’s and so on.

Also: on the server, read the correct IP, not Cloudflare’s, so that you can act on that instead.

https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs
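As an added illustration of the rule behind that link (not code from the thread or from Cloudflare): the origin trusts the `CF-Connecting-IP` header only when the TCP peer is a Cloudflare edge, and applies its own blocklist to the restored address. The edge ranges and blocklist below are constructed samples; load the current list from https://www.cloudflare.com/ips/ in practice.

```python
import ipaddress
from typing import Mapping

# Constructed sample of Cloudflare edge ranges (illustrative, not the full
# published list; fetch the current list from https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
)]

# Constructed blocklist standing in for the origin's "bad IP" list.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]


def is_cloudflare(addr: str) -> bool:
    """True if the TCP peer address belongs to a Cloudflare edge range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Return the address the origin's blocklist should be applied to.

    CF-Connecting-IP is honoured only when the peer is a Cloudflare edge;
    a direct client could otherwise set the header and claim any address.
    A malformed header falls back to the peer address.
    """
    if is_cloudflare(remote_addr):
        lowered = {k.lower(): v for k, v in headers.items()}
        claimed = lowered.get("cf-connecting-ip", "").strip()
        if claimed:
            try:
                return str(ipaddress.ip_address(claimed))
            except ValueError:
                pass
    return remote_addr


def should_block(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Apply the origin blocklist to the restored visitor address."""
    ip = ipaddress.ip_address(client_ip(remote_addr, headers))
    return any(ip in net for net in BLOCKED_RANGES)
```

nginx’s real_ip module (`set_real_ip_from` for each Cloudflare range plus `real_ip_header CF-Connecting-IP;`) implements the same trust rule before the blocklist runs.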


#3

Thanks, I have cache control on my webserver; I just didn’t turn it on when I left the project last month.

The key answer to this issue is to set the origin webserver to see the real IP.


#4

I just understood what is going on. Basically, Cloudflare masks/doesn’t return the following:

  1. http_referer (to block bad referrers)
  2. http_user_agent (to block bad bots)
  3. query_string (to block SQL injection, file injection, common exploits, spam)

This renders the origin server’s security policy useless.

Except if the WAF is purchased, which includes the above features. Then Cloudflare edge points will have these features when serving. Correct me if I am wrong.

So, @matteo, this is not about the original IP.


#5

I don’t really understand what you are saying. Are you saying that Cloudflare will strip those parts of the request from what is sent to your server? If that is the question, the answer is absolutely no. Otherwise, please re-elaborate the question.