How to block all VPNs, proxies and host IPs?

Hi everyone

I was wondering what is the best way to block or challenge all known proxies, VPNs, and hosting providers. Those IPs tend to be bad traffic for us but I don’t think the Bot Challenges pick them up.

I have the site security set on Medium

What is the best way (settings) to go about blocking all of these bad IPs (proxies, VPNs, and hosting providers)?

Thanks


VPNs, proxies, and others are constantly rotating; there is no way to block 100% of them.
Best is to rely on third parties that monitor and update lists for these 24x7x367.

Yes, but there must be a better way to at least block most of them. There are 3rd party tools that detect these quite well but I was hoping Cloudflare has something in their admin dashboard that can handle it.

You could block Tor with Firewall Rules but otherwise, not that I know of. VPNs and proxies (nor Tor for reference) are not inherently bad so blocking them can block legit traffic. Regardless, as mentioned, a third party is the best to rely on for this.

1 Like

Cloudflare managed lists do it, but I’m afraid it's only available to enterprise customers.

I have been looking up and specifically blocking any/all TOR or VPN site I find. Some of the VPNs are easy… like looking up Opera browsers with VPN enabled. When I began this part of the journey I started looking up onion sites to gather VPN networks quickly. I also utilize the heck out of the filters in the firewall overview section. There are some good filters you can employ to show lots of different data. 1st (assuming you don’t know this) turn on challenges for as much as you want. That will make it all show up in firewall overview and you can spot things quickly to start building blocks.

If you are an Enterprise customer there is an Open Proxies Managed List you can use in Firewall Rules.

I’m sure that there have been many requests for a similar managed list for VPNs and Hosting Providers (there has been at least one such request, by me!).

I use a rule like this to block a list of hosting provider and similar ASNs, while allowing good bots, and giving myself an easy way to whitelist the IPs of useful services within those ASNs.

(ip.geoip.asnum in {64496 64497 64498} and not cf.client.bot and not ip.src in $asnbypasslist)

I get contacted by some legitimate services within those ASNs. In all cases so far I have been able to add their IP addresses to my ASN Bypass List, but I simultaneously direct them to the application form to become a Verified Bot.

There was a discussion on this Community about blocking a large list of “bad” ASNs that is probably of interest.

As @Walshy said, there is real value in proxies, VPNs, Tor etc., and the ban hammer should not be applied to them unless you actually need to. They are a valuable tool for people who are living under various levels of surveillance or oppression, or people who want to ensure a level of personal privacy. If the traffic from these sources does not cause harm to you, try and let them in. (Hosting providers hosting automated bots are fair game in my world, ban away!)

4 Likes
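An added example, not part of the original post: a local dry run of the ASN rule quoted above, so the effect of the verified-bot exemption and the bypass list can be previewed on sample traffic before the rule is deployed. The record fields (`ip`, `asn`, `verified_bot`), the function names and the sample requests are constructed for illustration; only the expression format and the three ASNs come from the post.

```python
import ipaddress

# ASNs from the rule in the post.
BLOCKED_ASNS = {64496, 64497, 64498}

def build_expression(asns, bypass_list="asnbypasslist"):
    """Render the rule in the post's form, with sorted, de-duplicated ASNs."""
    nums = sorted({int(a) for a in asns})
    if not nums or any(n < 1 or n > 4294967295 for n in nums):
        raise ValueError("ASN list is empty or contains an out-of-range value")
    return ("(ip.geoip.asnum in {%s} and not cf.client.bot and not ip.src in $%s)"
            % (" ".join(map(str, nums)), bypass_list))

def would_block(req, asns, bypass_nets):
    """Mirror the rule's three conditions for one request record."""
    ip = ipaddress.ip_address(req["ip"])
    on_bypass_list = any(ip in net for net in bypass_nets)
    return req["asn"] in asns and not req["verified_bot"] and not on_bypass_list

def dry_run(requests, asns, bypass):
    """Return the source IPs the rule would act on."""
    nets = [ipaddress.ip_network(b, strict=False) for b in bypass]
    return [r["ip"] for r in requests if would_block(r, asns, nets)]

# Constructed sample requests (hypothetical log records, documentation IP ranges).
SAMPLE = [
    {"ip": "192.0.2.10",   "asn": 64496, "verified_bot": False},  # listed ASN: blocked
    {"ip": "192.0.2.20",   "asn": 64496, "verified_bot": True},   # verified bot: allowed
    {"ip": "198.51.100.7", "asn": 64497, "verified_bot": False},  # on bypass list: allowed
    {"ip": "203.0.113.5",  "asn": 64511, "verified_bot": False},  # ASN not listed: allowed
]
# Constructed bypass list: one legitimate service inside a blocked ASN.
BYPASS = ["198.51.100.7/32"]

if __name__ == "__main__":
    print(build_expression(BLOCKED_ASNS))
    print("would block:", dry_run(SAMPLE, BLOCKED_ASNS, BYPASS))
```
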

Special emphasis on this part, I’m glad that you brought it up:

They are a valuable purpose for people who are living under various levels of surveillance or oppression, or people who want to ensure a level of personal privacy. If the traffic from these sources does not cause harm to you, try and let them in.

We attempt to allow VPNs and proxies in our website as a whole except in the gateway/buying sections due to the high risk that they involve.

1 Like

Unfortunately, we're only on a PRO plan.

Can anyone recommend a third party tool that actually integrates with Cloudflare? (can automatically add IPs to the blacklist)