Field "Known Bots" (cf.client.bot) not filtering hits correctly

What is the name of the domain?

What is the issue you’re encountering

Field “Known Bots” (cf.client.bot) not filtering hits correctly

What steps have you taken to resolve the issue?

Deployed a Custom Rule such as: (not cf.client.bot and ip.geoip.asnum in {8075})

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

The Custom Rule filter associated with “cf.client.bot” is incorrectly tagging bad hits that should be blocked.
I am getting malicious hits from ASN 8075 and the filter is failing to apply the logic.
Here’s an example of one of the multiple requests that went through and shouldn’t have.

Screenshot of the error


Just for reference, the offender IPs come from the Microsoft ASN. The example IP is 52.169.233.48, which is clearly an abusive IP: https://www.abuseipdb.com/check/52.169.233.48

We started by blocking all of AS8075 from Ireland as it was 100% attack attempts, then just scaled up to blocking AS8075 as it’s responsible for about 80%+ of the script kiddie attack attempts on our sites.

But you can’t just block the entire ASN, because there are legitimate bot visits coming from Microsoft ASN such as BingBot visits or Microsoft Ads visits.

This is challenging because attackers are using an ASN that seems trustworthy (Microsoft) and has good bots, in a deceptive way.

Let’s see if Cloudflare support can bring some light to it.

We can and do block the entire ASN - bingbot doesn’t follow robots.txt so is blocked

The ASN is THE major source of attacks on our sites so gets blocked


Similar issues for reference:

The first one in your list is an issue I raised and has nothing to do with AS8075, it was an upgrade issue

I believe something is not working with Cloudflare Custom Rules.

I have deployed these 2 rules:

(not cf.client.bot and ip.geoip.asnum in {8075}) > BLOCK
(cf.client.bot and http.user_agent eq "") > BLOCK

So basically this should be the logic:

  1. Mutually Exclusive Conditions: The core condition differentiating the two rules is cf.client.bot.
  • Rule A (Original) requires not cf.client.bot (i.e., cf.client.bot must be FALSE).
  • Rule B (New) requires cf.client.bot (i.e., cf.client.bot must be TRUE).
  • A single request can only have cf.client.bot be either TRUE or FALSE, never both. Therefore, a single request can never match both rules.

  2. Request Evaluation:
  • Your Target Request: cf.client.bot is TRUE, http.user_agent is “”.
    • It will fail Rule A (not cf.client.bot is FALSE).
    • It will match Rule B (cf.client.bot is TRUE and http.user_agent is “”).
    • Since it only matches Rule B, it will be blocked by Rule B regardless of whether Rule A or Rule B is checked first.
  • Other Request Type 1: cf.client.bot is FALSE, ip.geoip.asnum is in the list.
    • It will match Rule A.
    • It will fail Rule B.
    • It will be blocked by Rule A, regardless of order.
  • Other Request Type 2: cf.client.bot is TRUE, http.user_agent is not empty (e.g., “Googlebot”).
    • It will fail Rule A.
    • It will fail Rule B.
    • It will not be blocked by either rule, regardless of order.

But still these requests are not being BLOCKED by the Custom Rules:

The IP address 40.69.216.239 is not a verified bingbot so should, as you say, fail test 1

So it looks like Cloudflare is saying cf.client.bot is TRUE for that IP address, as it should be failing BOTH tests.

Either that IP is failing the not cf.client.bot test
or it’s failing the http.user_agent eq “” test.

I have a rule that uses the http.user_agent eq “” test so I reckon that works - so it looks like the IP is getting cf.client.bot = TRUE when it shouldn’t.

Or - do you have any other rules or any “allow” IP ranges?

I’ve also been having problems trying to block similar traffic.
I have a (http.user_agent eq "") rule but it only appears to block about half of the matching requests.

Yes, I am also seeing the exact same behavior. It’s like half of the visits don’t get blocked by the SAME Custom Rule. Here’s a graph that shows this:

@sjr any clue why this is happening?


I have fixed the issue by implementing these changes:

  • Disable Bot Fight Mode
  • Move the Redirect Rule (WWW to non-WWW) from Cloudflare to an nginx rule
  • Changed “ip.geoip.asnum” to “ip.src.asnum”

And the explanation is simple. Bot fight mode in the free Cloudflare tier is very bad. If you have proper Custom Rules in the Firewall, these are much more effective than their “Bot fight mode”. Redirect Rules get evaluated before Custom Rules, so Cloudflare was redirecting WWW to non-WWW and not applying the Firewall Custom Rules to those hits. I moved the WWW redirect to my own server instead of Cloudflare. And finally, the “ip.geoip.asnum” for ASN blocking is deprecated. The correct expression is “ip.src.asnum”.

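An added example, not code from the thread or from Cloudflare: a small Python model of the phase ordering the reply above describes (Redirect Rules evaluated before Custom Rules, a redirect ending evaluation), with the two Custom Rules from this thread written as predicates. The Request fields, the www-to-apex redirect and the sample traffic are constructed assumptions, not real logs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    host: str           # Host header
    asn: int            # ip.src.asnum (the field the thread settled on)
    known_bot: bool     # cf.client.bot
    user_agent: str     # http.user_agent

# The two Custom Rules from the thread, written as predicates.
def rule_a(r: Request) -> bool:
    """(not cf.client.bot and ip.src.asnum in {8075})"""
    return (not r.known_bot) and r.asn in {8075}

def rule_b(r: Request) -> bool:
    """(cf.client.bot and http.user_agent eq "")"""
    return r.known_bot and r.user_agent == ""

CUSTOM_RULES = (("Rule A", rule_a), ("Rule B", rule_b))

def matching_rules(r: Request) -> list:
    # At most one entry: the two rules disagree on cf.client.bot, as the post argues.
    return [name for name, pred in CUSTOM_RULES if pred(r)]

def www_redirect(r: Request):
    # Hypothetical Redirect Rule: www.<apex> -> <apex>. Returns an action or None.
    return f"REDIRECT to {r.host[4:]}" if r.host.startswith("www.") else None

def evaluate(r: Request, redirect_on_cloudflare: bool) -> str:
    # Phases in order: a redirect ends evaluation, so the BLOCK rules never see that hit.
    # With the redirect moved to the origin (nginx), every hit reaches the Custom Rules.
    if redirect_on_cloudflare:
        action = www_redirect(r)
        if action:
            return action
    hits = matching_rules(r)
    return f"BLOCK ({hits[0]})" if hits else "ALLOW"

# Constructed sample traffic (not real log data).
SAMPLE = [
    Request("www.example.com", 8075, False, "python-requests/2.31"),  # scanner via www
    Request("example.com", 8075, False, "python-requests/2.31"),      # scanner via apex
    Request("example.com", 8075, True, ""),                           # known bot, empty UA
    Request("example.com", 8075, True, "Mozilla/5.0 (compatible; bingbot/2.0)"),
]

def blocked_count(requests, redirect_on_cloudflare: bool) -> int:
    return sum(evaluate(r, redirect_on_cloudflare).startswith("BLOCK") for r in requests)

if __name__ == "__main__":
    for cf_redirect in (True, False):
        print(f"redirect on Cloudflare={cf_redirect}: blocked {blocked_count(SAMPLE, cf_redirect)} of {len(SAMPLE)}")
```

Running it shows the "about half not blocked" symptom: the www hit is redirected before Rule A can fire, and is only blocked once the redirect lives on the origin.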

Thank you so much! Turning off Bot Fight Mode and Block AI Bots made a drastic improvement.
