Minecraft clients intermittently triggering Bot Fight Mode challenges

Website, Application, Performance Security
1

What is **the domain name

cdn.podaboutli.st

Have you searched for an answer?

Yes

Please share your search results url:

https://www.google.com/search?hl=en&q=%22cloudflare%22+%22bot+fight%22+%22minecraft%22

When you tested your domain, what were the results?

Managed challenge due to Bot Fight Mode being enabled.

Describe the issue you are having:

I have my community’s CDN behind Cloudflare. One of the items I serve via that CDN is a resource pack for our Minecraft server. Certain players have had issues with the resource pack not downloading/applying correctly, which appears to happen about 50% of the time. Upon further inspection of logs from their clients, it appears Cloudflare is issuing a JS challenge when the game requests the resource pack from the CDN.

In my opinion, Bot Fight Mode should not block clients with User-Agents like “Minecraft <Java/Bedrock>/” (i.e. Minecraft Java/1.20.1) because these are legitimate requests made by game clients that cannot solve JS challenges.

Ideally I would like to not have to disable Bot Fight Mode for the entire domain just to allow clients to download the resource pack, but since I am currently on the free plan I am unable to allowlist specific subdomains or URIs.

What error message or number are you receiving?

HTTP 403 since Minecraft clients are unable to solve JS challenges

What steps have you taken to resolve the issue?

  1. Disabled Bot Fight Mode for the entire domain zone (since I am unable to exclude specific subdomains or URIs)

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What are the steps to reproduce the error:

  1. Set up a CDN that serves a Minecraft resource pack
  2. Set up a Minecraft server
  3. Configure resource-pack= to point at the resource pack in server.properties on the Minecraft server
  4. Clients connecting to the server will display the message “Server resource pack couldn’t be applied”
  5. Checking the client logs, you will see the request being made and the JS challenge causing the error

Have you tried from another browser and/or incognito mode?

Yes

Please attach a screenshot of the error:

(Uploaded as a combined screenshot since I am only allowed to attach one file to a post. Individual screenshots can be found here: https://imgur.com/a/FMFgsl6)

problems
problems1920×1772 237 KB

4

If setting a specific User-Agent was sufficient to bypass bot protection, then every malicious bot would suddenly start using that User-Agent.

Bot Fight Mode cannot be configured in any way - it’s either on or off. If it’s making trouble for you, you need to switch it off and look for other solutions.

Or, if you want to keep using BFM, you could get a second domain to host the resource pack.

5

As mentioned above this would be easily exploitable as spoofing a user agent is very easy, and Suepr Bot Fight Mode is an on or off feature.

Ideally I would like to not have to disable Bot Fight Mode for the entire domain just to allow clients to download the resource pack, but since I am currently on the free plan I am unable to allowlist specific subdomains or URIs.

Fortunately this isn’t quite true as you can disable Bot Fight Mode with Custom Rules. Both user agent and host name are available as fields on a free plan, as is skip for different features including Super Bot Fight Mode.

1 Like
6

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.