Corporate office gets Captcha page on numerous websites

dash-dns
#1

Starting this morning, all our users in one of our offices who visit CloudFlare-enabled websites receive a Captcha warning page. I’ve read the threads about what to do when you get the Captcha, but the solutions offered (check virus scanners, IoT devices, reset your router or ask your ISP for a new IP address) are not feasible in a corporate environment.
All workstations in this office (over 350) have up-to-date virus and malware scanners installed, and I cannot find the public IP address on any online blacklist (including the ProjectHoneypot IP lookup). Can anyone tell me where I can find out why our public IP is blocked and what I should do to ensure it is unblocked/whitelisted again?
Thanks!
Martijn

#2

You can start at https://www.projecthoneypot.org/search_ip.php

#3

Hi, projecthoneypot says there is currently no data on our IP.

#4

You already know more than enough about the problem. At least one node on your network is sending malicious traffic (i.e. participating in a DDoS attack), or it may be a false positive (traffic wrongly diagnosed as malicious). Either way, you cannot ask for whitelisting of your IP (you know it would make the whole defense useless; nobody installs a botnet intentionally).

If malware is fresh enough, virus scanners cannot detect it. When someone codes malware, the first thing they do before release is make sure no scanner can detect it (thanks to VirusTotal).

You need to monitor your network rigorously, detect suspicious traffic and investigate it before it reaches the outside world and triggers IP scoring systems.

1 Like
#5

I wish to report that our office is getting the same issue that @martijn.balink is describing starting this morning as well. @Xaq is there some place where we can check our IP score on the “IP score systems”?

1 Like
#6

With an average bandwidth usage of over 200 Mbit per second, that’s the proverbial needle in a haystack. Some details of the action that triggered the blacklisting would be required before we can start troubleshooting: time and date, protocol, URL or IP requested, etc. Where can I find these?

#7

Well, it is not fair. One node acts badly and all nodes get punished. If you have monitoring over your network and analyze traffic, you can see, for example, that 192.168.1.78 is sending too many requests and acts like a bot.

Another workaround (less technical) is partitioning your network over multiple IPs and watching which sector gets an IP blacklisted. Then partition that sector… until you find the infected node.

That info, besides helping you, would help malware distributors change their behavior in such a way that it does not trigger those systems. I doubt these systems share such info.

2 Likes
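Posts #4 and #7 both describe the same defensive step: watch outbound traffic per internal host and pick out the one that is sending far more requests than its neighbours. The script below is an added example for this thread, not code from any poster or from Cloudflare. It assumes a proxy-style access log with one request per line in the form `<epoch> <src_ip> <method> <url>` (the log lines are constructed), buckets requests per source per minute, and flags a source whose peak rate crosses an absolute threshold or is an order of magnitude above the median peak of the other hosts. Threshold values are assumptions to be tuned against your own baseline.

```python
"""Per-host request-rate baselining over a web proxy access log.

Added example (not the thread's or Cloudflare's code). Assumed log format,
one request per line: "<epoch> <src_ip> <method> <url>".
"""
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample: one minute of ordinary browsing from three
# workstations, plus 192.168.1.78 hammering a single site bot-style.
NORMAL = [
    "1500000000 192.168.1.10 GET https://example.com/",
    "1500000005 192.168.1.10 GET https://example.com/style.css",
    "1500000012 192.168.1.11 GET https://news.example.org/",
    "1500000020 192.168.1.11 GET https://news.example.org/a.js",
    "1500000031 192.168.1.12 GET https://wiki.example.net/page",
    "1500000045 192.168.1.10 POST https://example.com/login",
]
NOISY = [
    f"{1500000000 + i // 4} 192.168.1.78 GET https://target.example.com/?q={i}"
    for i in range(200)  # 200 requests in 50 seconds, all to one host
]
SAMPLE_LOG = NORMAL + NOISY


def parse_line(line):
    """Return (epoch, src_ip, method, dest_host) or None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, src, method, url = parts
    try:
        return int(ts), src, method, urlsplit(url).hostname or ""
    except ValueError:
        return None


def per_minute_counts(lines):
    """Bucket requests as counts[src][minute] and collect distinct hosts per src."""
    counts = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ts, src, _method, host = rec
        counts[src][ts // 60] += 1
        hosts[src].add(host)
    return counts, hosts


def peak_rate(counts):
    """Highest requests-per-minute observed for each source."""
    return {src: max(by_minute.values()) for src, by_minute in counts.items()}


def flag_bots(lines, abs_threshold=120, median_factor=10):
    """Flag sources whose peak rate is absolutely high or far above the median.

    Thresholds are assumed starting points; tune them against your baseline.
    """
    counts, hosts = per_minute_counts(lines)
    peaks = peak_rate(counts)
    baseline = median(peaks.values()) if peaks else 0
    flagged = {}
    for src, peak in peaks.items():
        reasons = []
        if peak >= abs_threshold:
            reasons.append(f"{peak} req/min >= {abs_threshold}")
        if baseline and peak >= median_factor * baseline:
            reasons.append(f"{peak / baseline:.0f}x the median peak of {baseline:g}")
        if reasons:
            flagged[src] = {
                "peak_rpm": peak,
                "distinct_hosts": len(hosts[src]),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_bots(SAMPLE_LOG).items():
        print(src, info)
```

Two caveats a practitioner would keep in mind: the median rule only works while most hosts on the segment are clean (if half the office is infected, the median moves with them, and the absolute threshold has to carry the detection), and a high rate to a single destination is only a hint, since legitimate software updaters and sync clients produce the same shape. The thread's own conclusion in #19 and #20 is a reminder that the score can also be wrong on Cloudflare's side.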
#8

Search for IP reputation. For example, on http://www.ip-score.com you can see if you are blacklisted on multiple lists.


#9

The blacklist report comes back clean, except for one blacklist (apews) that has the entire class B network of our ISP blacklisted since 2010, which of course is a ridiculous entry.
Let’s assume we find the perpetrator through either monitoring or segmenting; is the ban lifted automatically then, and if yes, how quickly is that done?

#10

Based on a recent incident, after removing the bad node from the network, the IP was treated as normal after 2 weeks. That is my own experience and may not apply to others.

#11

@Xaq So I checked the blacklists (a very long list) and got all clear. So from your response to @martijn.balink it sounds like I might have a bot on the network as well… although we only have 6 devices on this network, and I don’t see any suspicious activity on the packet sniffer; the network is barely peaking at 50 kB/s as I told everyone to lay off their devices. I wish there was a clearer way of deducing how Cloudflare decided that the IP is bad. This is similar to playing Russian roulette with the network packets.

2 Likes
#12

My personal IP address is blacklisted for the same reason (also from 2010, “CASE: C-1010
Dynamic IP space, generic DNS/rDNS, no PTR
Direct connections to MX not permitted, you
need to use your ISP servers or smarthost”)

My office also has to fill captchas since this morning. We’re interested if you’re able to make any progress.

#13

Hi,

Our office has the same issue since this morning, our IP is clear on

Currently we’re investigating, but without success; sharing any indication is welcome.

1 Like
#14

Although we do see some applications in the monitoring that do not comply with our policy, we do not see any reason to suspect we have some form of bot on our network.
Since Cloudflare refuses to give any insight into their reasons for blacklisting, we’re still pretty much in the dark.

#15

You could try contacting support and providing information about your IP / subnet and the error you’re seeing. Can’t guarantee we will provide the exact details, but they may be able to lend some insight. https://support.cloudflare.com/hc/en-us/requests/new

2 Likes
#16

Same here. Corporate office, IP not blacklisted, seeing captchas on all CloudFlare-protected sites and unable to access box.com!

1 Like
#17

Thanks for the tip; I have created a ticket, I’ll keep you posted on progress.

#18

Same issue here: this morning, all websites protected by CloudFlare that I visit show a captcha challenge. The public IP address of my corporate office is not blacklisted.

#19

There was a condition today which may have impacted some customers; our internal team has reviewed and reset some scores in our internal systems based on that incident. This issue is likely now resolved.

2 Likes
#20

I received an email from Cloudflare support stating the following:
We are aware of customers experiencing an increase in captcha challenges on their websites. After some investigation our engineering team have found that a domain on Cloudflare was used as part of a software library update and the resulting spike in traffic caused our DDoS protection systems to mark IP addresses as having a bad threat score.
I still don’t see how legitimate software updates running through Cloudflare can cause a bad threat score on a public IP, but at least the issue has been resolved.
Thanks everyone for thinking with me! :+1:

1 Like