Lot of "Unclassified" threats - what's normal?

Been using CF for many years, but new to the forum. I tried searching for this topic, but couldn’t find anything relevant.

I see “Unclassified” threats on most domains I host on CF. But one has a particularly high rate (compared to others). Around 3,000 in the past 30 days.

They are spread between many different countries, so it doesn’t appear to be one particular actor. They are also spread relatively evenly throughout the entire month. I looked at two other popular domains for comparison, and they also had a large number, but centered on single dates, in the past 30 days.

What’s a “normal rate” of unclassified threats? Is there anything one can do to lower it, or is it something we have “to live with”?

I’d like to share some helpful links and posts related to your question from the topic title, about the specific type of threats, below:

Are you using IP Access Rules to block some AS numbers maybe? Or some scraper/Facebook bot hit you :thinking:

Unclassified threats comprise a number of automatic blocks that are not related to the Browser Integrity Challenge (Bad Browser). These threats usually relate to Hotlink Protection, and other actions that happen on the edge based on the composition of the request (and not its content).

Unclassified means a number of conditions under which we group common threats related to Hotlink protection as well as certain cases of IP reputation and specific requests that are blocked at the Cloudflare edge before reaching your servers.

I’d say I am not normal nowadays, however I have a specific zone with a case that looks like the one below, on a daily basis (related to testing and learning):

P.S. You can try to achieve it if you block a few or more AS numbers (which might include bots like Bingbot, etc.) via IP Access Rules, or by having Hotlink Protection, as well as Browser Integrity Check, Firewall Rules, etc. :slight_smile:

What are “AS numbers”? :smiley:

It looks a lot like bot activity when I click under Security → Overview. The same IP has 20 records in the same second. But I have not set up any specific IP rules.

The security is set to “Medium” under Security → Settings, if that matters. But I think that’s just a default setting.

Whoa, 20k threats within 24h :o
So we should just expect to see an increase in this number as websites grow, I take it?

I’d like to share a great article from Cloudflare about this in detail:

Then it might be the “Bot Fight Mode” option, which seems to be enabled; otherwise, as you state, “Medium” is a fair security settings level to go with. I am using it too.

That’s a good question. I really cannot tell for the future, however it could possibly grow, yes.

What I’m hearing is that from your experiences (the screenshot with almost 100k threats in a single day) a few thousand unclassified threats per month is nothing special?

Exactly. Nothing to worry about.
Especially on a Website with a lot of regular traffic.
There are crawlers, bad bots, scrapers, etc., and it’s on us or the Website owner to determine and decide what to do with them and how to deal with them in future.

Again, those “unclassified” can be, for example, blocking Bingbot (Microsoft ASN), which daily generates unwanted traffic to your website and crawls the content, even though you haven’t added your Website to Bing Webmaster Tools and have never submitted the sitemap. It’s kind of unneeded traffic, and with Cloudflare we can leverage this and lower the CPU workload by blocking and not serving all that to the bots and similar, serving only the regular real visitors, who are more valued and appreciated than those bots, and also improve the performance and loading time of our Website along the way by cutting them off.

However, from time to time, due to security concerns and for someone who does take care of a Website’s security & protection, it would be really useful and good to take a look at the Security → Overview tab, and decide if we might have to improve some of our security options, like using Firewall Rules to challenge or block some real potential threat from the same IP or same network (AS number), or some other way to improve.

I’d say it is a great way to explore, research and identify the “bad guys”, and then decide either to keep it “as-is” or rather challenge/block them completely along the way and stop them from either trying to access or doing some harm to our Websites.

It’s the opportunity, because I doubt we’re checking our access log files on our server and then doing the lookup of whether the IP/visitor is good or bad, or where it landed, or whether it was some kind of an unusual vulnerability scanner, etc.

In the Cloudflare dashboard → Security → Overview, in the table/list, we can clearly see this information by clicking on each event to expand it in more detail.

I hope this helps a bit in your case, please let us know if you have further questions and feel free to ask/create a topic.
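The thread mentions two things worth checking when reviewing these events: the same IP producing 20 records in the same second, and whether blocks cluster on one network/ASN or are spread across many countries. As an added example (not code from this thread or from Cloudflare), the script below runs both checks over constructed firewall-event records; the field names (datetime, clientIP, clientAsn, clientCountryName, action) are assumed to follow the shape of Cloudflare's firewall event records.

```python
import json
from collections import Counter

# Constructed sample firewall events (NOT real data). Field names are assumed
# to follow Cloudflare's firewall event records. One IP fires 20 blocked
# requests inside the same second; the remaining events are scattered.
SAMPLE_EVENTS = "\n".join(
    [json.dumps({"datetime": "2023-05-01T10:00:00Z", "clientIP": "203.0.113.5",
                 "clientAsn": 64500, "clientCountryName": "DE", "action": "block"})
     for _ in range(20)]
    + [json.dumps({"datetime": f"2023-05-01T10:0{i}:07Z", "clientIP": f"198.51.100.{i}",
                   "clientAsn": 64501 + i, "clientCountryName": cc, "action": "block"})
       for i, cc in enumerate(["US", "BR", "IN", "FR", "JP"])]
)

def parse_events(text):
    """Parse newline-delimited JSON firewall events; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def burst_ips(events, threshold=20):
    """Return {(ip, second): count} for IPs with >= threshold events in one second,
    i.e. the '20 records from the same IP in the same second' pattern."""
    per_second = Counter((e["clientIP"], e["datetime"][:19]) for e in events)
    return {key: n for key, n in per_second.items() if n >= threshold}

def spread(events):
    """Count events by ASN and by country, to judge whether blocks cluster on one
    network (a candidate for an IP Access Rule) or are spread across many."""
    return {"by_asn": Counter(e["clientAsn"] for e in events),
            "by_country": Counter(e["clientCountryName"] for e in events)}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (ip, sec), n in burst_ips(evs).items():
        print(f"burst: {ip} produced {n} blocked requests at {sec}")
    s = spread(evs)
    print("top ASNs:", s["by_asn"].most_common(3))
    print("countries:", sorted(s["by_country"]))
```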

