Firewall not working! captcha bypass?

my server is getting flooded with requests from cloudflare IPs

i have a firewall rule to force a captcha on all requests to my server so my firewall logs look like this now

however, in my server i can see that there are still 1000s of requests from cloudflare IPs, and the logs also say mydomain.com/cloudflarebypassbooter followed by a website name (clearly an advert for the ddos tool they are using)

are these attacks able to bypass captcha now? how can i stop cloudflare IPs from flooding my server!

please help

Unlikely. Did you make sure they cannot connect directly to your server?

What's the domain?

if it was directly connecting, it wouldn’t show the cloudflare IP, right?

That is correct. So you are not rewriting IP addresses on a server level? And the requests come in with Cloudflare addresses?

i'm not rewriting them on the server level

i'm rewriting them on my web forum which works fine for my needs

my apache status on whm is showing that the server is being flooded with requests and all the IPs are cloudflare IPs, every single one and there are 1000s per minute

That would suggest the requests go via Cloudflare.

The screenshot you posted looks alright and requests should not skip the challenge.

do you have skype or discord? i'd prefer not to reveal my domain on a public forum if that's OK

my logs on my server look like this

and yet on cloudflare i have this rule

so in my mind, every single GET request should get a captcha, and yet my server is being flooded by GET requests from cloudflare IPs

what's worrying more is that earlier, they were sending the requests to a fictitious page on my site which was like

mydomain.com/cloudflarebypass/buynowatblahblah.com

I am afraid communication is only done via the forum.

If you don't want to post the domain publicly, the only thing I can offer is for you to run a check at sitemeer.com and then post the exact time here when you ran it, so I can dig it out.

i ran it right now

I could only narrow it down to a .biz domain starting with t and a .com domain starting with i. Which one is it?

beginds ins

Alright, yes, there is a CAPTCHA in place, so that should be properly configured.

The only explanation I would currently have is from a recent thread where the OP pointed out that the CAPTCHA is currently relatively easy to solve - clicking any challenge image works. I can't say whether that is still the case, but if it is, it might be an explanation why they manage to solve it - IF they solve it, that's speculation.

Can you narrow it down to countries and maybe block certain countries via firewall rules altogether? If it then stops, you did confirm the requests go via Cloudflare and apparently manage to pass the CAPTCHA.

Also, open a support ticket and try to clarify it with support. They should have more insight as well.

ok sir, i will contact cloudflare for more information

thank you for all your time and effort

Also notice that Cloudflare has many known bots, including those that act as monitors, for example those that check speed etc. I had a similar issue a while ago and it was the automatic bot check of WordPress that constantly checked my site, and another from a security website scanner, and so on.

So what I did is that if there is a known bot but the ASN is not from Facebook, Google, Yandex, Baidu or Microsoft, block the request, and that solved the problem. Google bot, Bing bots and Yandex bots are able to bypass but the other ones are just blocked.

Of course I did that just for a specific page; the other ones I just leave as is. Also I made a huge blacklist of ASNs. For example, OVH allows a lot of bad traffic from their networks because they operate VPN, Tor and many malware websites, so I just blocked the ASN of OVH and suddenly a huge amount of bots and bad traffic disappeared because most of them were coming from the OVH network. So it takes time to take advantage of the Cloudflare firewall, but once you find a way to adapt it to your needs, your life will become easy.

So I suggest checking the Cloudflare firewall logs to see who is sending so much traffic to that specific page.

Maybe there is a known bot bypassing the challenge.

This topic was automatically closed after 30 days. New replies are no longer allowed.
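Added example, not part of the original thread: the check discussed above (do the flooding requests reach the origin through Cloudflare or directly, and which page do they target) run over Apache access-log lines. It assumes the common/combined log format and a copy of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 (copied here
# as an assumption; refresh before relying on it). IPv6 ranges are not covered.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Apache common/combined log prefix: peer IP, timestamp, quoted request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def via_cloudflare(ip_text):
    """True if the connecting peer is inside a listed Cloudflare IPv4 range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CLOUDFLARE_V4)

def summarize(lines):
    """Count requests per origin (edge vs direct) and per first path segment."""
    origin, paths = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            origin["unparsed"] += 1
            continue
        peer, _method, path, _status = m.groups()
        try:
            src = "cloudflare" if via_cloudflare(peer) else "direct"
        except ValueError:  # peer field is a hostname, not an IP
            src = "unparsed"
        origin[src] += 1
        first = "/" + path.lstrip("/").split("/", 1)[0].split("?", 1)[0]
        paths[(src, first)] += 1
    return origin, paths

# Constructed sample lines (not taken from the thread's screenshots).
SAMPLE = [
    '172.68.10.5 - - [01/Jan/2020:10:00:00 +0000] "GET /cloudflarebypass/example.invalid HTTP/1.1" 404 210',
    '162.158.90.7 - - [01/Jan/2020:10:00:00 +0000] "GET /cloudflarebypass/example.invalid HTTP/1.1" 404 210',
    '198.51.100.23 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    'garbage line',
]

if __name__ == "__main__":
    origin, paths = summarize(SAMPLE)
    print(dict(origin), paths.most_common(5))
```

A non-zero "direct" count means the origin is reachable without passing Cloudflare, so firewall rules and challenges never see those requests; a flood that is entirely "cloudflare" has to be investigated in the Cloudflare firewall logs instead.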