How to report wrong IP whois information?

Hi,

Where can I submit IPs that fail to get ‘classified’ with the correct ASN information?

I am setting up ‘bot detection’ and I see that there are a few daily that I am picking up. I have been adding ‘custom rules’ for the missed IPs, but it makes me hit my 2048 character limit and would be easier if you guys fixed it on your end.

Here’s the latest IP I am talking about.

79.127.132.0

It should be classified as AS212238 - Datacamp Limited - but it’s not and gets right through a filter set up for ASN212238.

Is there a place I can check what “Cloudflare says the IP is”?

Thank you for any help!!

Cloudflare gets its IP info from MaxMind, which says that IP address is Datacamp:

https://www.maxmind.com/en/geoip-web-services-demo

Are you seeing a different ASN for that IP address in your logs here?


New IPs often seem to get the ASN 0 when they first appear, and they also often seem to be jumped on for attack attempts when they are new

Add a rule for AS0 or just add AS0 in Security/WAF/Tools and that will catch them


Thank you Paul, I will look more into ASN 0 ( I believe I HAVE seen that before and thought it was strange). Thanks!!

Update: Yes! That is it! Awesome!!!


Hey, wait a minute:

It doesn’t work because I can’t add 0 to the expression… When I add ip.geoip.asnum in {0

it says Invalid value. Hey wait a minute, I think it’s a bug. LMAO (sorry if I say this a lot) Last night I was tired :rofl:

You can’t do a rule that says

(ip.geoip.asnum in {0})

But that is definitely it! I can’t wait for it to work; right now ASN 0 picks up all those OVH bots jumping around IPs every week and more!

Use the simple method:

Security, WAF, Tools,

Just drop all troublesome ASNs in there rather than adding them to rules - it’s much simpler and works great


Hi,

Awesome! Thank you for fast reply! It would be awesome to add the 0 rule like the rest of the parts, but this works. I’ll maybe try one day in the future. Thanks again!!!

Hey. P.S. You know what would be cool? A way for me to access my “Cloudflare Worker” via “FTP” so that I can code on it the same as I do everywhere else (and not have to login to Cloudflare and like copy the code to notepad, code on it, copy it back etc. Unless I’m doing that wrong…). TY for listening and the help!!!

Have you looked into using the API?


This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

Hi,

I posted previously in this thread: How to report wrong IP whois information?

I THOUGHT that using the suggested ASN0 was picking up all of the results, but there are still some sliding through.

In the first thread, a link was shared to https://www.maxmind.com/en/geoip-web-services-demo allowing me to do a whois on the IP address.

MaxMind has the IP information correct, but on my website the IP address 140.228.23.0 (140-228-23-0.websetup.net) was able to get past the ASN detection and has done hundreds of requests with a new user agent for each request (just a few daily).

---- the IP is 140.228.23.0/24 (I cannot find the exact IP. I have anonymization set up on the last digit and in the Cloudflare system I did everything I could to find the IP - but I can’t). There is no traffic with ASN0 or ASN 16276 to my website with an IP inside of 140.228.23.0/24

Can you please help me understand what is happening here? It should be classified as ‘OVHcloud’ AS16276 - OVH SAS

Please let me know the best thing to do here. I am like in a loop of blocking these, my old rules getting too large and then removing etc. I THINK this is some type of proxy like they suggested in the first thread because of the user agent switching (which makes it even harder to detect for me).


To respond to the last thread (I missed it by 6 hours) - I am definitely using the API (I just created two API endpoints) - the only thing that has ‘stopped me’ from putting it live yet is that I have to ‘update ALL of the rules every time’. I use the Cloudflare web interface always… and then it seems like it will get ‘too confusing, too much’.

What I wanted to do was a ‘copy rule’ and rename it ‘copy API Endpoint’ and have just that rule automated - but I can’t it doesn’t appear. So it’s an ALL or NONE thing…
So that has me in some mental block lol.

---- I have a secondary domain set up on the FREE plan - I can’t see analytics in that account - but I confirmed that ASN0 is set up and the ASN16276 rule. These requests can’t be passing the JS challenge, there’s like requests with user agent Firefox 3.6 <=- lol

Hi,

I wanted to ask another question that I hope goes all together with the API suggestion (and why I didn’t want to use it) and having two plans (.com and .ca version of website).

Is there a way to maybe set a Macro, ‘Storage & Databases’ or R2 Object Storage and access that via the API?

Where I’m going with this is… is it possible to set a Macro, storage & database or R2 Object Storage as an expression in a rule?

That would basically allow me to update “1 rule only” by updating the macro only with my expression and setting the rule to {DATABASE}

Expression Preview

Edit expression

(http.request.uri contains “/” and {DATABASE})

Something like that? I found another “IP”, but this one was my fault because I didn’t update the .ca version of an expression.

With this ‘database’, I can update my .ca, and .com version of just 1 rule and API call etc.

Trying to think of the best way to do this… updating ALL of the rules I don’t think for two domains is going to be practical for me…

‘cloudflare global expressions’ ?

You could do a rule like (http.request.uri contains “/” and {COUNTRYRESTRICTIONS} {DATABASE} {BLOCKLIST1})

Then just updating {BLOCKLIST1} with the API can update both websites with just 1 endpoint.

Then I can actually update like ALL of my rules at once, with 1 endpoint update

Thank you for reading and all of the help!

Maybe I am looking for this? Work with custom rulesets · Cloudflare Ruleset Engine docs
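The ‘one shared block list, one template, many zones’ idea from the posts above can be done entirely on the client side before any API call: keep the lists in one place, render the same expression text for every zone, and refuse to render anything that would exceed the expression length limit. The script below is an added example written for this thread, not Cloudflare’s code or a Cloudflare feature. It assumes the 2048-character limit quoted earlier in the thread (configurable), uses the Rules language fields `ip.geoip.asnum`, `ip.src` and `ip.geoip.country`, and fills the template with constructed sample lists (the country code `"XX"` is a placeholder). AS0 is rejected up front because, as reported above, the dashboard will not accept it in an expression.

```python
"""Render one WAF custom-rule expression from shared block lists.

Added example for the thread, not Cloudflare's code. The placeholders
{ASNS}, {CIDRS} and {COUNTRIES} play the role of the "{DATABASE}" /
"{BLOCKLIST1}" macro the poster asked for: edit the lists, re-render,
and push the identical expression to each zone.
"""
import ipaddress

EXPRESSION_LIMIT = 2048  # assumption: the character limit quoted in the thread

# Constructed sample block lists; values are illustrative, not data from the thread.
BLOCKLISTS = {
    "ASNS": [16276, 212238],
    "CIDRS": ["140.228.23.0/24", "34.90.27.0/24"],
    "COUNTRIES": ["XX"],  # placeholder two-letter code, not a real assignment
}

# One template shared by every zone; each placeholder becomes a rendered clause.
TEMPLATE = '(http.request.uri contains "/" and ({ASNS} or {CIDRS} or {COUNTRIES}))'


def render_asns(asns):
    """Render `ip.geoip.asnum in {...}`; AS0 is refused because the UI rejects it."""
    cleaned = []
    for asn in asns:
        if not isinstance(asn, int) or asn <= 0:
            raise ValueError(f"unusable ASN in block list: {asn!r}")
        cleaned.append(str(asn))
    return "ip.geoip.asnum in {" + " ".join(cleaned) + "}"


def render_cidrs(cidrs):
    """Render `ip.src in {...}` after validating every entry with ipaddress."""
    nets = [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]
    return "ip.src in {" + " ".join(nets) + "}"


def render_countries(codes):
    """Render `ip.geoip.country in {...}` with quoted two-letter codes."""
    for code in codes:
        if len(code) != 2 or not code.isalpha():
            raise ValueError(f"bad country code: {code!r}")
    return "ip.geoip.country in {" + " ".join(f'"{c.upper()}"' for c in codes) + "}"


RENDERERS = {"ASNS": render_asns, "CIDRS": render_cidrs, "COUNTRIES": render_countries}


def build_expression(template=TEMPLATE, blocklists=BLOCKLISTS, limit=EXPRESSION_LIMIT):
    """Fill the template from the lists and enforce the length limit.

    An empty list is an error rather than an empty clause: `ip.src in {}`
    would not be a valid expression, and silently dropping the clause
    would change what the rule matches.
    """
    clauses = {}
    for name, values in blocklists.items():
        if not values:
            raise ValueError(f"block list {name} is empty; refusing to render a clause")
        clauses[name] = RENDERERS[name](values)
    expression = template.format(**clauses)
    if len(expression) > limit:
        raise ValueError(f"expression is {len(expression)} chars, over the {limit} limit")
    return expression


if __name__ == "__main__":
    print(build_expression())
```

Because the rendered text is identical for the .com and .ca zones, the only per-zone difference is which rule the API call updates; the lists themselves are edited in one place.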

Hi, Also another problem that doesn’t work for me is when I search Analytics & Logs for HTTP Traffic using this expression

If Source IP is in 34.90.27.0/24

It returns nothing for anything ‘is in’ for HTTP traffic logs and so because I have the last digit anonymized, it’s much harder to find the actual IPs.

But the same ‘is in’ expression 34.90.27.0/24 works via the firewall and everywhere else (at least I hope it is? )

But…

Am I doing something wrong? Is there a way to search for a /24 in the HTTP Traffic logs?
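Two posts above describe the same triage problem: logs whose last octet has been anonymized, a /24 that needs to be searched, and one source inside it that changes user agent on every request. The script below is an added example for this thread, not a Cloudflare feature or Cloudflare code; it runs over constructed tab-separated sample lines (client IP, ASN, user agent) exported from wherever the logs are kept. It assumes anonymization zeroes the last IPv4 octet (last 64 bits for IPv6), which is why it refuses searches narrower than /24: after anonymization every address in a /24 collapses to `.0`, so a /25 or /32 search can no longer be answered honestly. The rotating-user-agent check counts distinct user agents per (anonymized) address, which is the pattern the poster was trying to pin down by hand.

```python
"""Search anonymized HTTP logs by CIDR and flag user-agent churn.

Added example for the thread; not Cloudflare code. Input lines are
"ip<TAB>asn<TAB>user_agent". The sample below is constructed: the ASN
64496 and the 203.0.113.0/24 address are documentation-reserved values.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines, last octet already zeroed by anonymization.
SAMPLE_LOG = """\
140.228.23.0\t64496\tMozilla/5.0 (Windows NT 10.0) Firefox/3.6
140.228.23.0\t64496\tMozilla/5.0 (X11; Linux) Chrome/120.0
140.228.23.0\t64496\tMozilla/5.0 (Macintosh) Safari/605.1
34.90.27.0\t0\tcurl/8.4.0
34.90.27.0\t0\tcurl/8.4.0
203.0.113.0\t64496\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0
"""

# Assumption: anonymization keeps this many leading bits per IP version.
ANON_PREFIX = {4: 24, 6: 64}


def parse_log(text):
    """Parse tab-separated lines into dicts with a typed ip_address object."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, asn, ua = line.split("\t", 2)
        entries.append({"ip": ipaddress.ip_address(ip), "asn": int(asn), "ua": ua})
    return entries


def search_cidr(entries, cidr):
    """Return entries whose address lies inside `cidr`.

    Refuses prefixes narrower than the anonymization boundary, because an
    anonymized address cannot be placed inside a sub-/24 with any certainty.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > ANON_PREFIX[net.version]:
        raise ValueError(
            f"{cidr} is narrower than /{ANON_PREFIX[net.version]}; "
            "anonymized logs cannot answer that search"
        )
    return [e for e in entries if e["ip"] in net]


def ua_churn(entries):
    """Map each (anonymized) address to the number of distinct user agents it sent."""
    seen = defaultdict(set)
    for e in entries:
        seen[str(e["ip"])].add(e["ua"])
    return {ip: len(uas) for ip, uas in seen.items()}


def flag_rotating_agents(entries, threshold=3):
    """Addresses that presented at least `threshold` different user agents."""
    return sorted(ip for ip, n in ua_churn(entries).items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for row in search_cidr(rows, "140.228.23.0/24"):
        print(row["ip"], row["asn"], row["ua"])
    print("rotating user agents:", flag_rotating_agents(rows))
```

The ASN column is kept on each entry so that a mismatch between the ASN the logs record and the one MaxMind reports for the same /24 (the discrepancy the poster saw) is visible in the same pass.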

Hi,

THIS IS IMPORTANT:

I discovered a FAKE GOOGLE BOT that is bypassing all Cloudflare detection because it is on the same /24 as the REAL GOOGLEBOT!

REAL GOOGLE BOT: 66.249.89.107, 66.249.89.0, 66.249.89.108

FAKE GOOGLE BOT: 66.249.89.37 66.249.89.38 AND 66.249.89.101

This FAKE GOOGLE BOT is PRETENDING TO BE YOUTUBE, GOOGLE READ OUTLOUD, Mediapartners-Google/2.1 and other fake Google services.

I believe there must be some 66.249.89.0/24 rule that needs to be looked at, or my account settings are incorrect or something.

I SHOULD be blocking ‘fake Google bots’ because I have seen that rule picked up many times in my firewall logs.

Please investigate: 66.249.89.37 66.249.89.38 AND 66.249.89.101 - I am 1000% sure these are fake bots! If you need the proof, I would rather tell you by message or something.

This bot is related to Adsense ‘Search Console account’ data to see ‘login-protected pages’.
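Sharing a /24 with a genuine crawler proves nothing about an individual address, so the check a defender wants here is per IP, not per range. The method Google documents for confirming Googlebot is a reverse DNS lookup of the client address, a check that the returned hostname is under googlebot.com or google.com, and a forward lookup of that hostname that must return the same address; a host that merely sits next to real crawler addresses, or that controls its own PTR record, fails one of those steps. The script below is an added example written for this thread, not Cloudflare’s bot-detection logic. It takes the resolver functions as parameters so that it runs offline against a constructed directory (addresses from the 192.0.2.0/24 documentation range, not the addresses named in the post); `real_reverse` and `real_forward` are the thin wrappers you would pass in for live traffic.

```python
"""Verify a self-declared Google crawler by reverse + forward DNS.

Added example for the thread; not Cloudflare code. Resolvers are injected
so the logic can be exercised against constructed data.
"""
import socket

ALLOWED_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed directory. 192.0.2.20 has a PTR that names a crawler host but the
# forward record does not point back at it, which is the forged-PTR case.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "192.0.2.20": "crawl-192-0-2-10.googlebot.com",
    "192.0.2.30": "scanner.example.net",
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "scanner.example.net": ["192.0.2.30"],
}


def fake_reverse(ip):
    """Stand-in for a PTR lookup over the constructed directory."""
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host") from None


def fake_forward(host):
    """Stand-in for an A/AAAA lookup over the constructed directory."""
    try:
        return FAKE_A[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


def real_reverse(ip):
    """Live PTR lookup (not used by the offline demo)."""
    return socket.gethostbyaddr(ip)[0]


def real_forward(host):
    """Live forward lookup returning every address for the name."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def verify_crawler(ip, reverse_lookup, forward_lookup, suffixes=ALLOWED_SUFFIXES):
    """Return (True, hostname) only if PTR, domain and forward lookup all agree."""
    try:
        hostname = reverse_lookup(ip)
    except OSError:
        return False, "no PTR record"
    host = hostname.rstrip(".").lower()
    if not host.endswith(suffixes):
        return False, f"PTR {host} is outside the crawler's domains"
    try:
        forward = forward_lookup(host)
    except OSError:
        return False, f"{host} does not resolve"
    if ip not in forward:
        return False, f"{host} resolves to {forward}, not {ip}"
    return True, host


def claims_to_be_google(user_agent):
    """True for user agents that present themselves as a Google service."""
    ua = user_agent.lower()
    return "googlebot" in ua or "mediapartners-google" in ua or "google" in ua


def unverified_google_claims(requests, reverse_lookup=fake_reverse, forward_lookup=fake_forward):
    """Addresses whose user agent claims Google but which fail DNS verification."""
    flagged = []
    for ip, ua in requests:
        if claims_to_be_google(ua) and not verify_crawler(ip, reverse_lookup, forward_lookup)[0]:
            flagged.append(ip)
    return sorted(set(flagged))


# Constructed sample requests (ip, user agent).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("192.0.2.20", "Mediapartners-Google/2.1"),
    ("192.0.2.30", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    ("192.0.2.40", "curl/8.4.0"),
]

if __name__ == "__main__":
    for ip, _ in SAMPLE_REQUESTS:
        print(ip, verify_crawler(ip, fake_reverse, fake_forward))
    print("unverified Google claims:", unverified_google_claims(SAMPLE_REQUESTS))
```

Keeping the verdict text alongside the boolean makes the firewall log entry self-explanatory when the rule fires: “PTR is outside the crawler’s domains” and “resolves to a different address” are different failure modes and are worth telling apart when deciding whether a range needs a rule of its own.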