How to allow Stripe whilst Blocking AS16509 AMAZON-02

We’ve started seeing a lot of bot/DDoS activity from AS16509 AMAZON-02 and others.

We’ve blocked those connections from Security > WAF > Tools and applied to all websites in the account.

We’ve since noticed that Stripe is using this network for its webhooks service and will return payment success messages via that network. Due to the “global” AS16509 block, this results in a 403 Forbidden error within the Stripe logs.

I’ve tried adding the following exceptions:
Security > WAF > Custom Rules -
If the user agent contains Stripe AND
URI Path contains /path_to_webhook/webhook.php
THEN Skip
(ticked everything possible to skip)
Placed the rule first in the list.

Rules > Page Rules
URL: https://www.domainname.com/path_to_webhook/webhook.php
Settings: Disable Security
Security Level: Essentially Off (Added this out of desperation).
Placed first in the list.

Neither of the above rules has any effect on bypassing the block rule for AS16509.

So the question I have is: if a rule has been added within Security > WAF > Tools, does this take priority over any other rule options and therefore cannot be overridden by other options?

Is it possible that because I included https:// within the URL of the Page Rule I created it’s not being matched? The example for that field on the page shows the URL without https:// (i.e. www.domain.com/*).

I’m surprised that Stripe is using AS16509 AMAZON-02, as it’s reported that it’s mostly used by hackers for vulnerability scans and bots. We have so many domains within our account that I’d rather block it on all domains in the account instead of individually, and then just write override rules where needed.

The WAF rules are still executed after the page rules.

Better option, set a WAF rule to block if…

ASN is 16509

AND

IP not in {list of IPs}

Using this list…
https://stripe.com/files/ips/ips_webhooks.txt

Cloudflare Trace is useful to debug stuff like this.


I started off manually blocking the ASN within WAF rules but soon realised this would be time consuming for the number of domains in the account and isn’t practical. Adding it as a block in Tools allows it to have a global effect, which can’t be achieved within Custom Rules.

I’d like to be able to block the ASN globally, as it does more harm than good, and this can be set in Security > WAF > Tools. So, referring back to my original requirement, is there no way to override this when needed?

The IP access rules in Tools are executed first when Cloudflare is processing a request (being global), so a block there cannot be overridden by other features. I assume that if you put all the Stripe webhook IPs as allow and the ASN number as block, the allows will be processed first, but I’m not sure about that. I’ll try and do a test.

[Edit]
Confirmed this is OK. Added an ASN for one of our offices to the IP access rules as block; it was blocked. Then added the IP addresses to the IP access rules as allow, leaving the ASN blocked, and access was allowed.

https://developers.cloudflare.com/waf/tools/ip-access-rules/actions/

Note “allow” bypasses all further security checks, so use with care.
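To make the two approaches in this thread concrete (the custom rule "ASN is 16509 AND IP not in {Stripe list}" from the first reply, and the IP access rules "allow the Stripe IPs, block the ASN" precedence confirmed above), here is an added example that is not part of the original thread or of Cloudflare's own tooling. It parses a webhook IP list in the line-per-entry format of the Stripe file, emits the matching Cloudflare custom-rule expression, and simulates both mechanisms on a few constructed requests. The IP addresses are RFC 5737 documentation ranges standing in for the real Stripe list (assumption: the real file is one IP or CIDR per line); the field name `ip.geoip.asnum` is the Cloudflare expression field for the source ASN as documented at the time of writing.

```python
"""Model of the two Cloudflare blocking approaches discussed in the thread.

Added example (not Cloudflare's or Stripe's code). Sample data below is
constructed from RFC 5737 documentation ranges, not real Stripe addresses.
"""
import ipaddress
from dataclasses import dataclass

BLOCKED_ASN = 16509  # AS16509 AMAZON-02, the ASN the thread blocks

# Constructed stand-in for https://stripe.com/files/ips/ips_webhooks.txt
STRIPE_WEBHOOK_IPS_SAMPLE = """\
# one IP or CIDR per line (assumed format)
192.0.2.10
192.0.2.11
198.51.100.0/28
"""


def parse_ip_list(text):
    """Turn a line-per-entry IP/CIDR list into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def build_custom_rule_expression(asn, nets):
    """Cloudflare custom-rule expression: block the ASN except listed IPs.

    Single hosts are written bare, ranges in CIDR form, space separated,
    which is the set syntax Cloudflare's expression language uses.
    """
    items = [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen
        for n in nets
    ]
    return f"(ip.geoip.asnum eq {asn} and not ip.src in {{{' '.join(items)}}})"


def custom_rule_blocks(blocked_asn, allowed_nets, req_asn, src_ip):
    """Evaluate the custom rule above for one request: True means blocked."""
    ip = ipaddress.ip_address(src_ip)
    return req_asn == blocked_asn and not any(ip in n for n in allowed_nets)


@dataclass
class AccessRule:
    """One entry in Security > WAF > Tools (IP access rules)."""
    kind: str    # "ip" (single address or CIDR) or "asn"
    value: str
    action: str  # "allow" or "block"


def access_rules_decision(rules, req_asn, src_ip):
    """Model of IP access rule evaluation as confirmed by the test in the
    thread: matching allow entries win over matching block entries, and an
    allow skips all further security checks. Returns "allow", "block" or
    "pass" (no rule matched; later WAF features would still run)."""
    ip = ipaddress.ip_address(src_ip)

    def matches(rule):
        if rule.kind == "asn":
            return int(rule.value) == req_asn
        return ip in ipaddress.ip_network(rule.value, strict=False)

    for action in ("allow", "block"):
        if any(r.action == action and matches(r) for r in rules):
            return action
    return "pass"


def stripe_access_rules(nets, blocked_asn):
    """Allow every listed Stripe IP/range, block the ASN globally."""
    rules = [AccessRule("ip", n.with_prefixlen, "allow") for n in nets]
    rules.append(AccessRule("asn", str(blocked_asn), "block"))
    return rules


if __name__ == "__main__":
    nets = parse_ip_list(STRIPE_WEBHOOK_IPS_SAMPLE)
    print(build_custom_rule_expression(BLOCKED_ASN, nets))
    rules = stripe_access_rules(nets, BLOCKED_ASN)
    # Constructed requests: (source ASN, source IP)
    for asn, ip in [(16509, "192.0.2.10"), (16509, "203.0.113.5"), (64496, "203.0.113.5")]:
        print(asn, ip,
              "custom-rule blocked:", custom_rule_blocks(BLOCKED_ASN, nets, asn, ip),
              "access-rules:", access_rules_decision(rules, asn, ip))
```

Both models give the same answer for a Stripe webhook arriving from AS16509 (not blocked) and for any other AS16509 source (blocked); the difference is scope. The custom rule must be created per zone, while the IP access rules in Tools can be applied account-wide, which is why the thread settles on the latter. Keep in mind the point above: an IP access rule "allow" skips every later security check for that source, so the allow list should be exactly the published webhook addresses and nothing broader.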


That works. Thank you SJR!
