Cloudflare Lists API + Firewall. IPs not being blocked?

Hello all,

I recently started using the Cloudflare Lists API to add DDoS IP addresses that hammer my webserver.
I have no issues with using the API, and the high-hit IPs are being correctly added to the list.

My issue is that when I use this list in combination with a “block” rule within the firewall, the IP doesn’t seem to get blocked, or at least the connection is not terminated and the IP continues to hammer the server.

The rule I’m using is shown below:

As far as I know, this should work fine in blocking any new IP that gets added to the list.

It only “works” after I manually add the IP address to the rule, as shown below:

Is there some sort of limitation with an IP being added to the list, and the firewall rules updating?

P.S. I saw that the IP address in question was added to the list an hour before I noticed it was still hitting my webserver, so I don’t think the issue is just that I didn’t wait long enough to see any results.

I hope this is clear to at least a few of you, any help or ideas would be really appreciated!

Thank you!

Essentially:

  • My origin webserver is adding an IP to my Cloudflare list via the API.
  • The list is used in a “block” rule within my Cloudflare firewall.
  • The IP address is still hitting my server, even an hour after it has been added to the Cloudflare list.

Thanks
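For readers setting up the same pipeline, here is an added example (not the poster's script) of the origin-side step: pushing one IP into a Cloudflare list through the Lists API and then reading the list back to confirm the entry landed, which separates "the API call failed quietly" from "the list is right but the rule is not matching". It assumes an API token with permission to edit account filter lists, the account ID and list ID (all constructed placeholders here), and the endpoint paths as documented in the Cloudflare Lists API (`POST .../rules/lists/{id}/items`, `GET .../rules/lists/bulk_operations/{op}`, `GET .../rules/lists/{id}/items`); check the current API reference before relying on them.

```python
"""Add one IP to a Cloudflare list and confirm it is present (added example).

Not the poster's code. Assumes: CF_API_TOKEN (list edit permission),
CF_ACCOUNT_ID, CF_LIST_ID, and the Lists API endpoints as documented.
"""
import ipaddress
import json
import os
import sys
import time
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def normalize_ip(value):
    """Validate an IPv4/IPv6 host or CIDR locally and return its canonical form.

    The API rejects malformed entries with a 400; failing here is clearer.
    """
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)   # single host: no /32 or /128 suffix
    return str(net)


def build_add_request(account_id, list_id, token, ip, comment=""):
    """Return URL, headers and JSON body for appending one item to a list."""
    body = [{"ip": normalize_ip(ip), "comment": comment}]
    return {
        "url": f"{API_BASE}/accounts/{account_id}/rules/lists/{list_id}/items",
        "method": "POST",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(body).encode(),
    }


def parse_add_response(payload):
    """Return the bulk operation id from a successful add, else raise."""
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error(s): {payload.get('errors')}")
    return payload["result"]["operation_id"]


def operation_finished(payload):
    """True once the async bulk operation reports 'completed'; raise on 'failed'."""
    status = payload["result"]["status"]
    if status == "failed":
        raise RuntimeError(f"bulk operation failed: {payload['result'].get('error')}")
    return status == "completed"


def list_contains(items, ip):
    """True if the IP, as the API echoes it, appears among the list items."""
    wanted = normalize_ip(ip)
    return any(item.get("ip") == wanted for item in items)


def _call(req):
    """Perform one HTTPS request and decode the JSON envelope."""
    request = urllib.request.Request(req["url"], data=req.get("body"),
                                     headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


def add_and_verify(account_id, list_id, token, ip, comment=""):
    """Add the IP, wait for the bulk operation, then read the list back."""
    op_id = parse_add_response(
        _call(build_add_request(account_id, list_id, token, ip, comment)))
    headers = {"Authorization": f"Bearer {token}"}
    op_url = f"{API_BASE}/accounts/{account_id}/rules/lists/bulk_operations/{op_id}"
    while not operation_finished(_call({"url": op_url, "method": "GET",
                                        "headers": headers})):
        time.sleep(1)   # list writes are asynchronous; poll until applied
    items_url = f"{API_BASE}/accounts/{account_id}/rules/lists/{list_id}/items"
    items = _call({"url": items_url, "method": "GET", "headers": headers})["result"]
    return list_contains(items, ip)   # first page of items only


if __name__ == "__main__":
    # Usage: CF_API_TOKEN=... CF_ACCOUNT_ID=... CF_LIST_ID=... python add_ip.py 203.0.113.7
    env = {k: os.environ.get(k) for k in ("CF_API_TOKEN", "CF_ACCOUNT_ID", "CF_LIST_ID")}
    if len(sys.argv) != 2 or not all(env.values()):
        sys.exit("usage: set CF_API_TOKEN, CF_ACCOUNT_ID, CF_LIST_ID and pass one IP")
    present = add_and_verify(env["CF_ACCOUNT_ID"], env["CF_LIST_ID"],
                             env["CF_API_TOKEN"], sys.argv[1], "auto-added by origin")
    print("present in list" if present else "NOT present in list")
```

If the read-back says the IP is present but the block rule referencing the list (an expression of the form `ip.src in $list_name`) still lets the address through, the list side is fine and the problem is in rule evaluation, which is the situation the thread describes. The read-back only checks the first page of items; a large list needs the cursor pagination from the API's `result_info`.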

Hi @PeterPennywacker,

What does the firewalling scheme look like on your server?
Do you filter ports 80/443 so they are only open to Cloudflare IPs (https://cloudflare.com/ips)?

With what you are describing, it looks like the attacker is bypassing Cloudflare and attacking your server directly, hence why I’m asking, because your Cloudflare firewall rule looks OK to me.

Cheers
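The bypass question above can be settled from the origin's own access log: a hit whose source address is inside Cloudflare's published edge ranges came through the proxy (and the real client is in the `CF-Connecting-IP` header Cloudflare adds), while a hit from any other source reached the origin directly and no edge rule could ever have blocked it. The following is an added example, not from anyone in this thread; the log format, the addresses in it and the `verdict` helper are constructed for illustration, and the handful of Cloudflare ranges embedded are an illustrative subset of the published IPv4 list, which should be refreshed from https://www.cloudflare.com/ips-v4 before real use.

```python
"""Classify origin access-log hits as proxied-via-Cloudflare or direct (added example).

Not from the thread. Log format and IPs are constructed; the ranges are a
subset of Cloudflare's published IPv4 list, refresh from cloudflare.com/ips-v4.
"""
import ipaddress
import re
from collections import Counter

# Illustrative subset of Cloudflare's published IPv4 edge ranges.
CLOUDFLARE_RANGES_TEXT = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
162.158.0.0/15
172.64.0.0/13
"""

# Constructed log format: <remote_addr> <cf_connecting_ip|-> "<request>" <status>
# (a custom nginx/Apache log format that records $http_cf_connecting_ip).
SAMPLE_LOG = """\
162.158.10.20 203.0.113.7 "GET /login HTTP/1.1" 200
162.158.10.21 203.0.113.7 "GET /login HTTP/1.1" 200
104.22.3.4 203.0.113.7 "GET /login HTTP/1.1" 200
198.51.100.9 - "GET /login HTTP/1.1" 200
198.51.100.9 - "GET /login HTTP/1.1" 200
172.70.1.2 198.51.100.77 "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3})$')


def load_ranges(text):
    """Parse one CIDR per line into network objects."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]


def is_cloudflare(addr, ranges):
    """True if the address falls inside any of the given edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def parse_line(line):
    """Split one log line into fields; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    remote, cf_ip, request, status = m.groups()
    return {"remote": remote, "cf_ip": None if cf_ip == "-" else cf_ip,
            "request": request, "status": int(status)}


def summarize(log_text, ranges):
    """Count direct hits by source IP and proxied hits by real client IP."""
    direct, proxied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_cloudflare(rec["remote"], ranges):
            # Arrived via the edge: the client is whatever CF-Connecting-IP says.
            proxied[rec["cf_ip"] or "unknown"] += 1
        else:
            # Reached the origin without Cloudflare in the path.
            direct[rec["remote"]] += 1
    return {"direct": direct, "proxied": proxied}


def verdict(summary, blocked_ip):
    """Explain why an IP that is on the block list still appears in the log."""
    if summary["direct"].get(blocked_ip):
        return "bypass"              # origin firewall must restrict to edge ranges
    if summary["proxied"].get(blocked_ip):
        return "rule-not-matching"   # edge forwarded it: the list/rule did not block
    return "not-seen"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, load_ranges(CLOUDFLARE_RANGES_TEXT))
    print("direct  :", dict(summary["direct"]))
    print("proxied :", dict(summary["proxied"]))
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "->", verdict(summary, ip))
```

On the constructed sample, 203.0.113.7 only ever appears behind edge addresses, so the verdict is "rule-not-matching": the traffic is going through Cloudflare and the edge is not blocking it. 198.51.100.9 shows up as a direct source, which is the bypass case the reply is asking about and is fixed at the origin firewall, not in a Cloudflare rule. Run it against a real log by swapping `SAMPLE_LOG` for the file contents and the ranges for the live list.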

Hi, thanks for the reply.

Yes, my origin server is configured to only accept connections from verified Cloudflare IP addresses on port 443 using TCP. All other traffic is dropped.

Also, considering that when I manually add the offending IP to the block list, it blocks the traffic just fine, I don’t think Cloudflare is being bypassed. This is why I thought there might have been an issue with my list setup.

I tried to reproduce the issue and I have the same problem, even with an “in” operator for individual IPs.
It seems like some kind of limitation/issue of the rules engine; I would recommend you open a ticket with Cloudflare support.

Thanks @Nyyrikki
I’m not sure I can open a ticket, as I’m on the free plan, and last time I tried to contact the team I never got a reply.

Pretty sure you can open a ticket under the Free plan, you just don’t have priority compared to the other plans, and I guess with the actual worldwide issues there is higher demand than normal. Or maybe someone from the Cloudflare team will see this topic.

Thanks for the reply, I’ll give it another go.

If anyone else has any wisdom on this issue, that would be much appreciated.