Exempt IP Address from WAF - "accidental DoS"

A client of mine recently was prototyping a new feature on his server that uses my API service. As it was just a prototype, it was calling my API 1000+ times per second from the same IP to try and fetch the data in a “quick and dirty” way. It now seems that his server has since been blacklisted (in a manner of speaking) as the Cloudflare network (rightfully) thought it was some form of DoS attack on my service - which it was not. My RESTful API is now useless to that client as the server is presented with a JavaScript challenge it cannot complete on each request.

Is there any way this client’s IP can be whitelisted or to have the DDoS filter “forget” that this happened? Rest assured the client has been notified and won’t be trying anything again, but their production instance is now non-functional because of this. Definitely not Cloudflare’s fault (in fact I’d be worried if you didn’t block it), but I can’t seem to find a way to remove the JavaScript challenge. The client tried changing their IP address but Cloudflare is too clever.

I did open a support ticket via email (#2290098) but got an automatic reply saying that my plan doesn’t include email support - even though I’ve received support via email in the past.

Firewall Events page is your best friend.

https://dash.cloudflare.com/?to=/:account/:zone/firewall

See which Cloudflare security service is blocking the IP address, then only create a new firewall rule to “Bypass” the security service from checking.

3 Likes
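The following is an added example, not part of the original thread or Cloudflare's own code: it builds a narrowly scoped "Bypass" rule for one client IP on one API hostname, skipping only the security service that Firewall Events showed as blocking. The IP address and hostname are constructed sample values, and the payload shape and product names are assumptions modelled on Cloudflare's legacy Firewall Rules API, so check them against the dashboard before use.

```python
import ipaddress
import re

# Assumption: product names the legacy Firewall Rules "bypass" action accepted.
BYPASSABLE = {"zoneLockdown", "uaBlock", "bic", "hot",
              "securityLevel", "rateLimit", "waf"}

# Strict hostname pattern so nothing can break out of the quoted string
# inside the rule expression.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def build_bypass_rule(client_ip, api_host, blocking_product):
    """Return a rule that exempts exactly one IP, on one host, from one service."""
    # ip_address() rejects CIDR ranges, so a whole network cannot be exempted.
    addr = ipaddress.ip_address(client_ip)
    host = api_host.strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"not a plain hostname: {api_host!r}")
    if blocking_product not in BYPASSABLE:
        raise ValueError(f"unknown security service: {blocking_product!r}")
    # Scope by source IP AND hostname: the exemption must not apply to the
    # rest of the zone, only to the API the client actually calls.
    expression = f'(ip.src eq {addr} and http.host eq "{host}")'
    return {
        "description": f"Bypass {blocking_product} for client {addr} on {host}",
        "action": "bypass",
        "products": [blocking_product],  # only the service seen in Firewall Events
        "filter": {"expression": expression},
    }


if __name__ == "__main__":
    # Constructed sample values (documentation IP range, example hostname).
    rule = build_bypass_rule("203.0.113.10", "api.example.com", "securityLevel")
    print(rule["filter"]["expression"])
```

Because the rule names a single service, the other protections keep applying to the exempted client.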
