Firewall not working as expected - registration bot

I have a persistent issues with a registration bot.In my registration code.

From Request.ServerVariables I am getting either HTTP_X_FORWARDED_FOR or REMOTE_ADDR, from which I get an IP address.
Currently I do not know which one produces the IP address I keep seeing in the registration queue.

I have added this IP address in my block firewall rule. Yet, a registration still happens with that IP address.

I am thinking I am not getting the right IP address this way, or the firewall rule is not working.

Please advise.

Can you post a screenshot of that Firewall rule? It’s ok if you black out the IP address.


If that’s the actual IP address of the unwanted visitor, that should do it. Have you tried adding your own IP address to see if it works?

I can only think of two reasons it’s not working:

  1. They’re bypassing Cloudflare, but you’re seeing a HTTP_X_FORWARDED_FOR header which probably comes from Cloudflare. Do you see a cf-connecting-ip in there anywhere?
  2. It’s not the right IP address. You could try for the actual connection logs and see if you can track down the IP address that way.

I have logged the header to see what is going on, here is a sample:

Header: HTTP_CONNECTION:close HTTP_PRAGMA:no-cache HTTP_CONTENT_LENGTH:867 HTTP_CONTENT_TYPE:application/x-www-form-urlencoded HTTP_ACCEPT:/ HTTP_COOKIE:ASP.NET_SessionId=buzixpaedohjkwat3yludmhs; __RequestVerificationToken=FfIAZCM3iukv29NtAVu_NhsacE53BnJcAj551UfpMsEEM5WROEozJN7m0pXgpKlNhqGVaNf2AUeihy1Smfl7MJCSjbsA1 HTTP_REFERER: HTTP_USER_AGENT:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 HTTP_X_REWRITE_URL:/Register

Last week I blocked the IP, but I am still getting bot registrations.

Does the logflare app have information beyond what is in the header?

That’s quite the user agent string. I’m no UAS expert, but it looks questionable to me. In the Cloudflare Dashboard’s Firewall section (Settings), do you have Browser Integrity Check enabled?

Yes, it was already enabled.

Hello CloudFlare

The community has no suggestions for me.

This seems the appropriate time for CloudFlare personnel to chime in.