I have created a simple firewall rule to Javascript Challenge older versions of Chrome.
My rule is (http.user_agent contains "Chrome/" and not http.request.uri.path contains "/static/" and not http.user_agent contains "Chrome/1" and not http.user_agent contains "Chrome/9" and not http.user_agent contains "Chrome/8")
This seems to be working for most requests,…
But I am still seeing requests get through that are not challenged.
The last user agents being:
Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.6306.1020 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.1940.1868 Mobile Safari/537.36
When I change my Chrome user agent manually to this user agent, I am presented with a challenge.
I have checked to make sure these requests are not bypassing Cloudflare, and that is not the case.
How are these IPs getting past the Firewall and making requests to my page that should be firewalled with the above rule?
It is not firewalled to only accept Cloudflare connections, but I log all connections that are direct.
There are no direct connections happening…
There is also another version www.infinitesweeps.ca with a Cloudflare separate account, but there is nothing there either.
It looks like all of the requests bypassing the javascript challenge have the wording “Mobile” in them.
Are challenges not presented to Mobile users? When I spoofed my user agent with this on Mobile Desktop, I was presented a challenge and denied access for an out-of-date browser.
If you change the rule’s status, it can take a few seconds until it is working in all datacentres, but apart from that it really probably is a direct request.
These requests should pick up too. There is lots of them and they are all requesting the same pages - but some seem to miss or have a “pre authorized challenge” and are bypassing having to take the challenge again.
I have that setting turned off to use other websites Challenges, but that’s all I can think of.
If I find something, I'll post here. But I looked for over an hour and it keeps happening to multiple ISP's for it to be a weird rule in my settings
If they passed the challenge before, they’ll certainly be “pre-authorised” for the period you indicated for your account. Such requests won’t be re-challenged until that expired.
But generally, the challenge seems to work, unless you have one of the mentioned exceptions.
Not preauthorized by my website. These are new requests…
I was being flooded with Cloud IPs and this week have setup good detection using Cloudflare and now they have shifted to these like virus out of date browsers that are ISP's from the USA now.
They should be picking up with that challenge rule… Hopefully I can find something.
New request again got through:
IP: 17.241.75.x
agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.6105.1361 Mobile Safari/537.36
Is it possible for a browser to bypass the Bot Detection, and then keep bouncing around IPs with a proxy? Would each proxy not have to request the challenge again? I don't see why they would use such out of date user agents then. That scenario, it should still log. Something is weird I think.
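One way to check whether the rule text itself is the problem is to evaluate it locally against the reported user agents. The script below is an added example, not code from anyone in this thread or from Cloudflare: it re-implements the posted rule as plain substring tests (assuming Cloudflare's `contains` behaves as a case-sensitive substring match), runs it over the three user agents quoted above plus a few constructed ones, and sets a parsed-major-version rule beside it. The `min_major=80` cut-off in the second rule is an assumption for illustration.

```python
import re

# Constructed sample set: the three user agents reported in the thread,
# plus extra constructed cases that exercise the substring-matching edge cases.
SAMPLE_UAS = {
    "chrome44_android": "Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.6306.1020 Mobile Safari/537.36",
    "chrome59_android": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.1940.1868 Mobile Safari/537.36",
    "chrome48_iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.6105.1361 Mobile Safari/537.36",
    # Constructed: old Chrome 18 and Chrome 9 strings, a current Chrome 100 string, and a non-Chrome browser.
    "chrome18_old": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.11",
    "chrome9_old": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13",
    "chrome100_current": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0",
}


def thread_rule(ua: str, path: str) -> bool:
    """Literal translation of the posted rule. Each `contains` becomes a
    case-sensitive substring test (assumed to match Cloudflare's semantics)."""
    return (
        "Chrome/" in ua
        and "/static/" not in path
        and "Chrome/1" not in ua   # meant to skip Chrome 100+, also skips Chrome 10-19
        and "Chrome/9" not in ua   # meant to skip Chrome 90-99, also skips Chrome 9
        and "Chrome/8" not in ua   # meant to skip Chrome 80-89, also skips Chrome 8
    )


CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")


def chrome_major(ua: str):
    """Return the Chrome major version as an int, or None for non-Chrome UAs."""
    m = CHROME_MAJOR.search(ua)
    return int(m.group(1)) if m else None


def version_rule(ua: str, path: str, min_major: int = 80) -> bool:
    """Alternative: challenge Chrome only when the parsed major version is
    below min_major (80 is an assumed cut-off, not one from the thread)."""
    if "/static/" in path:
        return False
    major = chrome_major(ua)
    return major is not None and major < min_major


def compare(uas=SAMPLE_UAS, path: str = "/"):
    """Map each sample name to (thread_rule result, version_rule result)."""
    return {name: (thread_rule(ua, path), version_rule(ua, path)) for name, ua in uas.items()}


if __name__ == "__main__":
    for name, (literal, by_version) in compare().items():
        print(f"{name:18} literal={literal!s:5} by_version={by_version}")
```

All three user agents quoted in the thread evaluate to True under the literal rule, so the rule expression would challenge them; whatever let those requests through is not the rule text. The comparison also shows the side effect of substring matching: `Chrome/1` and `Chrome/9` exclude Chrome 10-19 and Chrome 9 as well as the intended recent versions, which a parsed-version comparison avoids.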