Corporate office gets Captcha page on numerous websites

You can start at https://www.projecthoneypot.org/search_ip.php

Hi, projecthoneypot says there is currently no data on our IP.

You already know more than enough about the problem. At least one node on your network is sending malicious traffic (i.e. participating in a DDoS attack), or it may be a false positive (traffic wrongly diagnosed as malicious). Either way you cannot ask for whitelisting of your IP (you know it would make the whole defense useless; nobody installs a botnet intentionally).

If a piece of malware is fresh enough, virus scanners cannot detect it. When someone codes malware, the first thing they do before release is make sure no scanner can detect it (thanks to VirusTotal).

You need to monitor your network rigorously, detect suspicious traffic and investigate it before it reaches the outside world and triggers IP scoring systems.


I wish to report that our office is getting the same issue that @martijn.balink is describing starting this morning as well. @Xaq is there some place where we can check our IP score on the “IP score systems”?


With an average bandwidth usage of over 200 Mbit per second that’s the proverbial needle in a haystack. Some details of the action that triggered the blacklisting would be required before we can start troubleshooting: time and date, protocol, URL or IP requested, etc. Where can I find these?

Well, it is not fair. One node acts badly and all nodes get punished. If you have monitoring over your network and analyze the traffic, you can see, for example, that 192.168.1.78 is sending too many requests and acts like a bot.

Another workaround (less technical) is partitioning your network over multiple IPs and watching which sector gets an IP blacklisted. Then partition that sector… until you find the infected node.

That info, besides helping you, helps malware distributors change the behavior in such a way that it does not trigger those systems. I doubt these systems share such info.
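The kind of traffic analysis described above (a LAN host that "sends too many requests and acts like a bot") can be done on ordinary flow logs. The following is an added example, not code from this thread or from Cloudflare: it parses a constructed flow log in an assumed format (`<minute> <src_ip> <dst_ip> <dst_port> <bytes>`, one flow per line), builds per-host statistics, and flags hosts whose flow count is far above the LAN mean or that fan out to an unusual number of distinct destinations. The host addresses, thresholds and log lines are all made up for the example.

```python
"""
Added example (not from the thread): flag a LAN host that behaves like a
bot, using constructed flow-log lines. Assumed log format, one flow per line:

    <minute> <src_ip> <dst_ip> <dst_port> <bytes>
"""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_log():
    """Build sample lines: five ordinary workstations plus one noisy node (all constructed)."""
    lines = ["# minute src dst port bytes"]
    normal = {"192.168.1.10": 4, "192.168.1.11": 6, "192.168.1.12": 3,
              "192.168.1.13": 5, "192.168.1.14": 4}
    for i, (host, count) in enumerate(normal.items()):
        for k in range(count):
            # a few flows each, to a handful of documentation-range (TEST-NET-3) addresses
            lines.append(f"{1000 + k} {host} 203.0.113.{(i * 3 + k) % 5 + 1} 443 {1500 + 100 * k}")
    # the suspect: sixty tiny flows fanned out to sixty destinations within ten minutes
    for k in range(60):
        lines.append(f"{1000 + k % 10} 192.168.1.78 198.51.100.{k + 1} 443 64")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the assumed log format into (minute, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        minute, src, dst, port, nbytes = line.split()
        flows.append((int(minute), src, dst, int(port), int(nbytes)))
    return flows


def per_host_stats(flows):
    """Aggregate flow count, distinct destinations and bytes per source host."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set(), "bytes": 0})
    for _, src, dst, _, nbytes in flows:
        entry = stats[src]
        entry["flows"] += 1
        entry["dsts"].add(dst)
        entry["bytes"] += nbytes
    return stats


def find_outliers(stats, z_threshold=2.0, min_fanout=20):
    """Return {host: [reasons]} for hosts that stand out from the rest of the LAN.

    Two independent signals: a flow count more than z_threshold standard
    deviations above the population mean, and a fan-out of at least
    min_fanout distinct destinations (typical of scanning or flooding).
    """
    counts = {host: entry["flows"] for host, entry in stats.items()}
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    flagged = {}
    for host, entry in stats.items():
        reasons = []
        if sigma > 0 and (entry["flows"] - mu) / sigma > z_threshold:
            reasons.append(f"flow count {entry['flows']} is "
                           f"{(entry['flows'] - mu) / sigma:.1f} sd above the LAN mean")
        if len(entry["dsts"]) >= min_fanout:
            reasons.append(f"{len(entry['dsts'])} distinct destinations")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    stats = per_host_stats(parse_flows(constructed_log()))
    for host, reasons in find_outliers(stats).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed sample only 192.168.1.78 is reported, on both signals. The z-score is relative to the other hosts on the same network, so it keeps working when the whole office is busy; the fan-out threshold is an absolute number and should be tuned to what the monitored segment normally looks like.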


Search for IP reputation. For example, on http://www.ip-score.com you can see if you are blacklisted on multiple lists.

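Aggregators like the one mentioned above query many DNS-based blocklists (DNSBLs) at once. As an added example, not code from the thread or from any listed service, here is the lookup mechanism itself: the address's octets are reversed and the list's zone appended, and an answer inside 127.0.0.0/8 means "listed" (the exact code is list-specific). The resolver is injected so the function can be exercised offline; the zone names and the answer table are placeholders, not real lists.

```python
"""
Added example (not from the thread): check one IPv4 address against several
DNSBL zones. Zone names below are placeholders, not real blocklists.
"""
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL answers live here


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def socket_resolver(name):
    """Real resolver: A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_lists(ip, zones, resolve=socket_resolver):
    """Return {zone: [answer codes]} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.IPv4Address(a) in LISTED_RANGE]
        if codes:
            hits[zone] = codes
    return hits


# Constructed offline stand-in for DNS: only one placeholder zone "lists" the address.
FAKE_ANSWERS = {
    "7.113.0.203.list-a.example.net": ["127.0.0.2"],
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])


PLACEHOLDER_ZONES = ["list-a.example.net", "list-b.example.net", "list-c.example.net"]

if __name__ == "__main__":
    print(check_lists("203.0.113.7", PLACEHOLDER_ZONES, resolve=fake_resolver))
```

With a real resolver the same call queries each zone over DNS; a clean result across several independent lists is what the thread's participants were seeing, which is why it did not explain the challenges.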

The blacklist report comes back clean, except for one blacklist (APEWS) that has had the entire class B network of our ISP blacklisted since 2010, which of course is a ridiculous entry.
Let’s assume we find the perpetrator from either monitoring or segmenting, is the ban lifted automatically then and if yes, how quickly is that done?

Based on a recent incident, after removing the bad node from the network the IP was treated as normal after 2 weeks. That is my own experience and may not apply to others.

@Xaq So I checked the blacklists (a very long list) and got all clear. So from your response to @martijn.balink it sounds like I might have a bot on the network as well… although we only have 6 devices on this network, and I don’t see any suspicious activity on the packet sniffer; the network is barely peaking at 50 kB/s as I told everyone to lay off their devices. I wish there was a clearer way of deducing how Cloudflare decided that the IP is bad. This is similar to playing Russian roulette with the network packets.


My personal IP address is blacklisted for the same reason (also from 2010, “CASE: C-1010
Dynamic IP space, generic DNS/rDNS, no PTR
Direct connections to MX not permitted, you
need to use your ISP servers or smarthost”)

My office also has to fill captchas since this morning. We’re interested if you’re able to make any progress.

Hi,

Our office has the same issue since this morning, our IP is clear on

Currently we’re investigating, but without success, sharing any indication is welcome.


Although we do see some applications in the monitoring that do not comply with our policy, we do not see any reason to suspect we have some form of bot on our network.
Since Cloudflare refuses to give any insight into their reasons for blacklisting, we’re still pretty much in the dark.

You could try contacting support and providing information about your IP / subnet and the error you’re seeing. Can’t guarantee we will provide the exact details, but they may be able to lend some insight. https://support.cloudflare.com/hc/en-us/requests/new


Same here. Corporate office, IP not blacklisted, we see a captcha on all Cloudflare-protected sites and are unable to access box.com!


Thanks for the tip; I have created a ticket, I’ll keep you posted on progress.

Same issue here: since this morning all websites protected by Cloudflare that I visit show a captcha challenge. The public IP address of my corporate office is not blacklisted.

There was a condition today which may have impacted some customers; our internal team has reviewed it and reset some scores in our internal systems based on that incident. This issue is likely now resolved.


I received an email from Cloudflare support stating the following:

> We are aware of customers experiencing an increase in captcha challenges on their websites. After some investigation our engineering team have found that a domain on Cloudflare was used as part of a software library update and the resulting spike in traffic caused our DDoS protection systems to mark IP addresses as having a bad threat score.

I still don’t see how legitimate software updates running through Cloudflare can cause a bad threat score on a public IP, but at least the issue has been resolved.
Thanks everyone for thinking with me! :+1:

