Confused about Super Bot Fight

I have Super Bot Fight Mode enabled and it blocks most of the bad bots, like this

but to my surprise some of these bots got bypassed and accessed my site. I see those in my access log.

188.138.102.17 - - [29/Sep/2021:19:18:53 +0530] "GET /ruma-sharma-upcoming-model-woo-you-vt64362-7.html HTTP/1.1" 200 42008 "-" "ias-ir/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [29/Sep/2021:20:55:22 +0530] "GET /kimberley-garner-black-dress-the-martinez-hotel-vt65724-3.html HTTP/1.1" 200 41950 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [29/Sep/2021:20:59:33 +0530] "GET /disha-patani-filmfare-glamour-style-awards-2016-vt63686-25.html HTTP/1.1" 200 41963 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
52.12.17.165 - - [29/Sep/2021:21:02:18 +0530] "GET /jennifer-lopez-photoshoot-for-guess-2020-campaign-vt65763-6.html HTTP/1.1" 200 42403 "-" "ias-or/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [29/Sep/2021:21:02:35 +0530] "GET /julianne-hough-shows-off-amazing-abs-leaving-gym-vt62589-10.html HTTP/1.1" 200 41992 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
54.156.8.33 - - [29/Sep/2021:21:16:13 +0530] "GET /kylie-jenner-and-kendall-jenner-kuwtk-2015-scenes-vt61607.html HTTP/1.1" 200 41505 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
52.6.243.18 - - [29/Sep/2021:21:16:33 +0530] "GET /kylie-jenner-and-kendall-jenner-kuwtk-2015-scenes-vt61607-9.html HTTP/1.1" 200 41999 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
52.30.198.78 - - [29/Sep/2021:21:21:30 +0530] "GET /deepika-padukone-cannes-film-festival-2017-red-carpet-vt63968-5.html HTTP/1.1" 200 42004 "-" "ias-sg/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [29/Sep/2021:21:26:16 +0530] "GET /logical-story-vt25824.html HTTP/1.1" 200 41914 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [29/Sep/2021:21:28:43 +0530] "GET /kylie-jenner-shopping-sorella-boutique-weho-vt64072.html HTTP/1.1" 200 41640 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
35.155.29.68 - - [29/Sep/2021:21:35:01 +0530] "GET /ariel-winter-working-gym-los-angeles-vt64756-5.html HTTP/1.1" 200 41917 "-" "ias-or/3.1 (+https://www.admantx.com/service-fetcher.html)"

They cannot access my site directly. (Firewall only allows Cloudflare IPs at origin.)

My confusion is that the IP 3.223.183.74 with this “ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)” user agent is getting blocked by Cloudflare Super Bot Fight Mode, but sometimes it gets allowed to access my origin server.

WHY & HOW? Does Super Bot Fight Mode sometimes go to SLEEP?

Super Bot Fight Mode is still getting bypassed (some getting blocked, some getting passed).

52.6.243.18 - - [30/Sep/2021:07:29:46 +0530] "GET /jennifer-nicole-lee-workout-miami-vt59642-11.html HTTP/1.1" 200 41890 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [30/Sep/2021:07:30:10 +0530] "GET /jennifer-nicole-lee-workout-miami-vt59642-15.html HTTP/1.1" 200 41889 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [30/Sep/2021:07:30:17 +0530] "GET /jennifer-nicole-lee-workout-miami-vt59642-18.html HTTP/1.1" 200 41886 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [30/Sep/2021:07:31:47 +0530] "GET /jennifer-nicole-lee-workout-miami-vt59642-30.html HTTP/1.1" 200 41891 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
52.6.243.18 - - [30/Sep/2021:07:32:23 +0530] "GET /jennifer-nicole-lee-workout-miami-vt59642-35.html HTTP/1.1" 200 41857 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [30/Sep/2021:07:32:30 +0530] "GET /mugdha-godse-photo-shoot-for-vt59641-1.html HTTP/1.1" 200 42116 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [30/Sep/2021:07:32:52 +0530] "GET /sonam-kapoor-wears-abu-sandeep-saree-for-media-rounds-vt59526-3.html HTTP/1.1" 200 42015 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"

while Super Bot Fight Mode is saying it has blocked these

I don’t think Super Bot Fight Mode is a strict set of parameters. I suspect those might fall in the “Likely Automated” category.

You might want to take a look at your Firewall Events screen and start looking for that IP address to see why it was blocked. You should be able to hover next to that IP address in “Top events by source” to take a closer look at what’s going on.

Any time I start seeing behavior like that, I add that ASN to its own firewall rule. That 3.223 address is Amazon AWS (14618) and the 52.12 is also Amazon AWS, but (16509). If you blocked just those two ASNs, you’ll see a huge drop in bad bots.

Even easier, since admantx is being so obvious, you can block it as a User Agent:
(http.user_agent contains "admantx")
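An added example, not part of the original thread: a Python sketch that tallies which requests with a matching User-Agent actually reached the origin, per source IP and product token, with first and last timestamps to look up in Firewall Events. The function names are hypothetical, the sample holds three log lines copied from the question plus one constructed browser line, and Python's `in` stands in for the rule's `contains`.

```python
import re

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# First three lines are copied from the question; the last one is constructed for contrast.
SAMPLE_LOG = """\
188.138.102.17 - - [29/Sep/2021:19:18:53 +0530] "GET /ruma-sharma-upcoming-model-woo-you-vt64362-7.html HTTP/1.1" 200 42008 "-" "ias-ir/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [29/Sep/2021:20:55:22 +0530] "GET /kimberley-garner-black-dress-the-martinez-hotel-vt65724-3.html HTTP/1.1" 200 41950 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
3.223.183.74 - - [29/Sep/2021:20:59:33 +0530] "GET /disha-patani-filmfare-glamour-style-awards-2016-vt63686-25.html HTTP/1.1" 200 41963 "-" "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"
203.0.113.10 - - [29/Sep/2021:21:30:00 +0530] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/92.0"
"""

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def origin_hits(log_text, needle="admantx"):
    """Group requests whose User-Agent contains `needle` by (ip, UA product token).

    Each entry records how many requests reached the origin and the first and
    last timestamps seen (in log order), for comparison with Firewall Events.
    """
    hits = {}
    for rec in parse(log_text):
        if needle not in rec["ua"]:      # case-sensitive substring test
            continue
        key = (rec["ip"], rec["ua"].split("/", 1)[0])   # e.g. ("3.223.183.74", "ias-va")
        entry = hits.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["last"] = rec["ts"]
    return hits

if __name__ == "__main__":
    for (ip, token), e in origin_hits(SAMPLE_LOG).items():
        print(f'{ip:15} {token:8} {e["count"]:3}  {e["first"]} .. {e["last"]}')
```
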

But why is it an ON and OFF situation with Bot Fight Mode?
