IP Passed Through WAF

Cloudflare has been doing a great job providing my news publication its WAF. Thank you.

Just now, I found that an IP address was able to pass right by one of my WAF rules for RSS feeds. This is the first time I have ever detected such a direct traffic hit beyond my WAF rules.

This IP address was able to visit and hit the following URL on my news publication:

category/technology-news/feed

Local Log (WordFence) below

As you will see, I have this URL well protected by Cloudflare WAF rules (all others in the same rule work perfectly).

In this instance, I would like to ask this question.

  1. How could this IP 41.140.244.162 have passed right through the WAF?
  2. Can C/F WAF stop running for a few million seconds from time to time?

Additional details.

  1. I don't have this IP allowlisted anywhere in C/F
  2. I can't see this as being a direct host to IP hit

How did he get in?

The user agent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 OPR/99.0.0.0

From the above shared screenshot, I’d suggest you replace the “equals” with “contains”, then it would work as expected :wink:

You can change it and make sure it’s only one, if URI Path contains feed → if the “feed” is anything related to the RSS feed for which you’d like to block this bot or scraper from accessing any kind of feed on your website. It would match article/feed, /comments/feed/, /feed/, /rss-feed/ and all other options which contain the “feed” term.

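Added example, not part of the original thread and not Cloudflare's code: a small Python simulation of why an "equals" comparison on the URI path lets `category/technology-news/feed` through while "contains" catches it, and what else "contains" catches. It assumes the original rule compared the path to the literal `/feed` (the screenshot is not on this page); the sample paths are constructed, and `segment_rule` is a hypothetical stricter check in plain Python, not a Cloudflare operator.

```python
# Added illustration: "equals" vs "contains" matching on a request's URI path.
# Assumption: the original WAF rule compared the path to the literal "/feed".

def equals_rule(path, value="/feed"):
    """'equals': the whole URI path must be identical to the value."""
    return path == value

def contains_rule(path, value="feed"):
    """'contains': the value may appear anywhere in the URI path."""
    return value in path

def segment_rule(path, value="feed"):
    """Hypothetical stricter check: one whole path segment equals the value.
    Avoids matching unrelated paths such as /feedback, but also skips
    hyphenated names such as /rss-feed/."""
    return value in [seg for seg in path.split("/") if seg]

# Constructed sample paths: the feed URL from the post, the examples from
# the reply, and two unrelated pages for comparison.
SAMPLE_PATHS = [
    "/feed",
    "/feed/",
    "/category/technology-news/feed",
    "/article/feed",
    "/comments/feed/",
    "/rss-feed/",
    "/feedback",
    "/about",
]

def evaluate(paths=SAMPLE_PATHS):
    """Return, per path, whether each rule style would match it."""
    return {
        p: {
            "equals": equals_rule(p),
            "contains": contains_rule(p),
            "segment": segment_rule(p),
        }
        for p in paths
    }

def missed_by_equals(paths=SAMPLE_PATHS):
    """Paths that 'contains' matches but 'equals' lets through."""
    return [p for p in paths if contains_rule(p) and not equals_rule(p)]

if __name__ == "__main__":
    for path, result in evaluate().items():
        print(f"{path:35} {result}")
```

Note that `/feedback` is matched by the "contains" rule as well, so check the site for legitimate paths containing "feed" before switching.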