Basically every computer in our company is getting notifications from websites using Cloudflare, asking to check the Captcha confirmation if the website is secure. We’re an organization with 200+ computers and most of them share the same output/origin IP, and in the last 15 days we’ve been noticing that the Cloudflare captcha confirmation is showing up for basically every website. It was also affecting some web services that rely on some external frameworks, so the application deploy was not working. After changing the NAT output IP from the server the deploy worked as expected.
We have a /29 block of IPs from our ISP but I don’t know if we’re getting flagged from their whole IP block. Right now we can’t apply this solution to everyone.
Sometimes our mail server gets blocklisted because the whole /24 block from our ISP gets listed. Then after explaining and asking for delisting everything comes back to normal.
What steps have you taken to resolve the issue?
identifying that the main IP our organization uses is being flagged by Cloudflare as a suspicious connection (I guess?);
changing the NAT output IP the computers are using; the problem was solved
Right now we can’t apply this solution to everyone. So I would like to ask if you guys have some suggestions or if there’s some place we can check our IP status, report the /29 block aside the ISP or send confirmation that we’re not a sketchy click farmer or something else.
Basically, every computer in our company is getting notifications from websites using Cloudflare, asking to check the Captcha confirmation if the site is secure. We are an organization with more than 200 computers and most of them share the same output/origin IP, and in the last 15 days we have noticed that the Cloudflare captcha confirmation is showing up for basically every website. It was also affecting some web services that depend on some external frameworks, so the application deploy was not working. After changing the server's NAT output IP, the deploy worked as expected.
We have an IP from the /29 block from our ISP, but I don’t know if we are being flagged because of the whole /24 block. Right now we can’t apply this solution to everyone.
Sometimes our mail server gets blocklisted because our ISP’s /24 block is listed. Then, after explaining and asking for delisting, everything went back to normal.
What steps have you taken to resolve the issue?
identifying that the main IP our organization uses is being flagged by Cloudflare as a suspicious connection (I guess?);
changing the NAT output IP the computers are using; the problem was solved
Right now we can’t apply this solution to everyone. So I would like to ask if you have some suggestions or if there is some place where we can check the IP status, report the /29 block alongside the ISP, or send confirmation that we are not a sketchy click farmer or something else.
For now the problem seems to be gone but it persisted for a long 20 days I guess. It was affecting some services we offer here and the users’ navigation on the internet.
If someone has some clue for what’s causing this behavior I’ll be glad to hear.
It could be a plugin on the browsers, or perhaps there have been security events relating to your IP address which have caused you to hit a bad reputation. Please review your network and confirm that you have no infected devices. Once that has been confirmed, the IP reputation will naturally improve. When you stopped being challenged, do you know if your IP address had changed?
If for any reason the IP reputation score increases again, the likelihood is that you still have something which is infected on your infrastructure.
Often this is caused by:
Computer/IoT device infected with malware or some kind of virus.
Scripts or bots (e.g., scrapers) carrying out automated tasks across sites.
This Community Tip has other suggestions to review. Our IP reputation is sourced from multiple places including Project Honey Pot.
We don’t use any plugin or extension across the company; if so, just 10% of the company computers have some kind of.
We don’t have any report of computers/devices infected from our AV solution.
Our outgoing source IP is something like: Network1 uses the source IP .12, Network2 uses .13, Network3 uses .14 and the remaining devices (like 2/4 of all) use the .15.
We’re suspecting that one of our web applications that is sourced from a third party partner uses some kind of plugin or framework that relies on a web request to services using Cloudflare.
Do you know if there’s something we can do to validate this suspicion? The challenge was indeed affecting the deploy of one web app as I mentioned above. As soon as I changed the source IP the deploy was done without errors, and this is the most used Web App we have, but from external users.
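
One way to check the suspicion above is to rank internal hosts by how many connections they open to Cloudflare-fronted addresses through each NAT egress IP. This is an added example, not part of the original thread: the log format, all addresses and the threshold are constructed assumptions, and the two networks are only a subset of Cloudflare's published IPv4 ranges, to be refreshed from the current list before use.

```python
import ipaddress
from collections import defaultdict

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh before use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed NAT translation log, hypothetical format:
# "timestamp internal_ip egress_ip dest_ip dest_port"
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} 10.0.4.40 203.0.113.15 104.16.{i}.10 443" for i in range(8)]
    + ["2024-01-01T10:01:00 10.0.1.5 203.0.113.12 104.18.2.1 443",
       "2024-01-01T10:01:05 10.0.1.5 203.0.113.12 198.51.100.7 443",
       "2024-01-01T10:01:09 10.0.4.41 203.0.113.15 172.64.80.1 443",
       "garbled line"]
)

def is_cloudflare(ip):
    """True if the address falls inside one of the listed Cloudflare networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def summarize(log_text):
    """Per (egress_ip, internal_ip): Cloudflare-bound connections and distinct destinations."""
    stats = defaultdict(lambda: {"cf_conns": 0, "dests": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, internal, egress, dest, _ = parts
        try:
            hit = is_cloudflare(dest)
        except ValueError:
            continue  # destination field is not an IP address
        if hit:
            entry = stats[(egress, internal)]
            entry["cf_conns"] += 1
            entry["dests"].add(dest)
    return stats

def noisy_hosts(log_text, min_conns=5):
    """Hosts at or above the threshold, busiest first: (egress, internal, conns, distinct_dests)."""
    rows = [(egress, internal, s["cf_conns"], len(s["dests"]))
            for (egress, internal), s in summarize(log_text).items()
            if s["cf_conns"] >= min_conns]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for row in noisy_hosts(SAMPLE_LOG):
        print(row)
```

A host that stands out here, especially a server running scheduled jobs or a third-party web app, is the first place to look for the automated traffic the reply describes.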