Legitimate Japanese Users Blocked via Tencent ASN (132203)

What is the name of the domain?

https://toursbylocals.com

What is the error number?

Block by WAF

What is the error message?

You are blocked.

What is the issue you’re encountering?

Users are getting blocked while accessing the website via Tencent

What steps have you taken to resolve the issue?

Hello Cloudflare Team/Community,

We’re experiencing false positives where legitimate users in Japan are being blocked by Cloudflare’s WAF due to their ISP being flagged under TENCENT-NET-AP-CN (AS132203).

Issue Details:

  • Affected Users: Japanese visitors (clientCountryName: JP)
  • Block Reason: Associated with Tencent’s ASN (132203), which is flagged for abuse/DDoS risks
  • Example Blocked Request:
    {  
      "clientIP": "43.133.14.237",  
      "clientCountryName": "JP",  
      "clientASNDescription": "TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue",  
      "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X)...",  
      "action": "block",  
      "ruleId": "874a3e315c344b2200046aab6f",  
      "description": "manage definite bots"  
    }  
    

Current Mitigation:

  • Using Challenge actions instead of blocks for AS132203 traffic.

Request for Guidance:

  1. How can we allowlist Japanese users on Tencent’s ASN without compromising security?
  2. Are there additional signals (e.g., device headers, threat score thresholds) to distinguish legitimate users from malicious traffic on this ASN?
  3. Would combining clientCountryName: JP with ASN checks reduce false positives?

Proposed Rule Adjustments:

# Option 1: Allow Japanese traffic on Tencent ASN  
(ip.geoip.country eq "JP" and ip.geoip.asnum eq 132203)  
→ Action: Allow  

# Option 2: Refine bot management  
(ip.geoip.asnum eq 132203 and cf.threat_score < 25 and http.user_agent contains "iPhone")  
→ Action: Challenge  

Key Concerns:

  • Tencent’s ASN serves both legitimate Japanese users and high-risk traffic.
  • Over-blocking impacts iPhone users (critical audience for our travel platform).

Any insights on balancing security and accessibility would be greatly appreciated!

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

User > Website > Via > Tencent ASN > Block

Screenshot of the error

If you’re simply allowing all (apparent) Japanese users on Tencent’s ASN, you will also be allowing the potentially ill bot traffic, from that location/network.

This question is impossible to answer with a one-size-fits-all kind of solution.

Your website may have one view of what a legitimate user (and illegitimate user) may be, where my website will have a completely different view.

It will therefore be quite individual what patterns you need and what patterns I might need.

It might, but as with #1, it might not be without a compromise regarding security.

I wouldn’t personally be allowing a single ASN and/or country code, to pass through like that.

IIRC, “cf.threat_score” was deprecated.

Something like this (e.g. combining multiple patterns together) may work for you, but it also may not, and thus have the chances of going both ways.

But finding the exact patterns that would work for you is very individual, and will vary from website to website.

If we’re looking at Spamhaus data, then they’re claiming that traffic patterns from this specific IP address are identical with the Andromeda botnet.

https://check.spamhaus.org/query/ip/43.133.14.237

So I’m wondering, do you have any other examples of blocked traffic?

2 Likes
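
An added example, not code from either poster or from Cloudflare: before applying Option 1, replay exported firewall events to see which currently blocked clients that rule would let through. It assumes events are dicts with the field names of the blocked request quoted in the question; the multiple-User-Agent check is a hypothetical heuristic, and every sample event except the quoted one is constructed.

```python
from collections import defaultdict

# The blocked request quoted in the question, fields copied as posted.
POSTED = {
    "clientIP": "43.133.14.237",
    "clientCountryName": "JP",
    "clientASNDescription": "TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue",
    "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X)...",
    "action": "block",
    "ruleId": "874a3e315c344b2200046aab6f",
    "description": "manage definite bots",
}
# Constructed events for illustration; addresses are RFC 5737 documentation IPs.
SAMPLE_EVENTS = [
    POSTED,
    {**POSTED, "clientIP": "192.0.2.10", "userAgent": "python-requests/2.31.0"},
    {**POSTED, "clientIP": "192.0.2.10", "userAgent": "curl/8.4.0"},
    {**POSTED, "clientIP": "192.0.2.10"},
    {**POSTED, "clientIP": "198.51.100.7", "clientCountryName": "SG"},
    {**POSTED, "clientIP": "203.0.113.5", "clientASNDescription": "EXAMPLE-NET (constructed)"},
    {**POSTED, "clientIP": "192.0.2.44", "action": "challenge"},
]

def matches_option1(ev):
    """Option 1 from the question: country JP and Tencent's ASN (matched by description)."""
    return (ev.get("clientCountryName") == "JP"
            and ev.get("clientASNDescription", "").startswith("TENCENT-NET-AP-CN"))

def triage(events, max_user_agents=1):
    """Group blocked events that Option 1 would allow, keyed by client IP.

    "review" flags IPs that sent more distinct User-Agents than max_user_agents
    (hypothetical automation heuristic, not a Cloudflare signal).
    """
    per_ip = defaultdict(lambda: {"blocks": 0, "user_agents": set(), "rules": set()})
    for ev in events:
        if ev.get("action") != "block" or not matches_option1(ev):
            continue
        row = per_ip[ev["clientIP"]]
        row["blocks"] += 1
        row["user_agents"].add(ev.get("userAgent", ""))
        row["rules"].add(ev.get("ruleId", ""))
    for row in per_ip.values():
        row["review"] = len(row["user_agents"]) > max_user_agents
    return dict(per_ip)

if __name__ == "__main__":
    for ip, row in sorted(triage(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["blocks"]):
        print(ip, row["blocks"], len(row["user_agents"]), "REVIEW" if row["review"] else "ok")
```

Every IP in the result is one the Allow rule would exempt from the bot rule, so the flagged entries show how much automated traffic the exemption would admit alongside real visitors.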
