Not blocking any obvious malicious IP


#1

Cloudflare is not blocking obvious malicious traffic.

If I request my website with an obvious proxy IP which is on any blacklist I get a normal response.
Even on “high” Security Level. Even if I am doing something obviously malicious with the IP like reloading the website at an unnaturally high rate.

So basically Cloudflare is not giving me any protection at all.
I am not sure but this is not a normal behaviour, right?

Browser Integrity Check also does not work. I can set any weird User Agent on any weird IP and it still gets passed.


#2

It would be helpful if anybody could tell me if this is normal behaviour or not.


#3

I can tell by my Analytics screen’s Security tab that Cloudflare is blocking some malicious traffic from my website.

As customers, we’re not privy to how their firewall works, but it sounds like what you’re doing isn’t really malicious. If you want more detailed feedback, you would have to open a Support Ticket:
Login to Cloudflare and then contact Cloudflare Support


#4

I really do hope that user agents are NOT the main way a client is considered hostile: If I was an abuser, I would be sure to use the most common browser user-agent to avoid detection that’s based on that. Given that Cloudflare’s “checking you” screen is JavaScript based (and tells you that it can’t work if you disable JS, i.e. with the NoScript extension), it seems that User-Agent is not what they’re looking at, or at least, not exclusively. Which IMHO they really shouldn’t.

Out of curiosity, what makes an IP “weird”? If you can connect with it to the server, then it is a valid IP, there’s nothing weird about it. If it’s not a valid IP, your TCP connection will never complete.

It is perfectly legal to use proxies to use the Internet (well, in most of the world…), and using one does not necessarily say one is trying to abuse. Granted, if it’s a public proxy, it may attract more abuse, and Cloudflare’s anomalies detection may be more sensitive to what’s coming from there, but if they can filter at the client level that your behavior is something they consider good/not abusive (and they can, there’s a CF cookie that I imagine they use just for that - to keep reputation per client session, despite IP) - they may even let you pass from the proxy IP, and block someone else.

My opinion, of course. As in “how would I have designed it, if I were to build a Cloudflare-like service”. I do not work for Cloudflare.


#6

IP which is on all blacklists like honeypot and obviously a Proxy.

Yes, but if you set Security Level to high you expect some trigger. Especially if this IP is the cause of downtime because it is hitting the website at an unnaturally high rate.

It is taking down my whole website. I don’t know what could be more malicious in the context of Cloudflare which is a DDoS protection service after all, right?


#7

Well, one may wonder if an attack from a single IP is considered Distributed Denial of Service. DoS yes, DDoS, less so. In fact, I would expect that rate limiting of single IPs is maybe something you’ll want to configure in your server…

I don’t know if Cloudflare can detect that those requests are in fact the cause for your server going down. They’re probably chasing common patterns, and maybe that one doesn’t fall under it. Especially if it’s unique to your site and your design. i.e. your app could do something smart before allowing many requests to break it, e.g. by using your own one-time tokens for very sensitive operations. By the way, Cloudflare does have an option to force a CAPTCHA, for example, on such sensitive URLs, through Firewall rules.


#8

Can you send me an example IP (or the link from PHpot), and I can check what’s going on? Additionally, can you confirm what your security level setting is at?


#9

That type of protection is available through Cloudflare’s Rate Limiting feature.

Cloudflare looks at the connecting IP; an x-forwarded-for value can easily be forged and isn’t considered reliable.
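An added example, not part of the thread and not Cloudflare's code: a per-IP sliding-window rate limiter for the origin server, as suggested in #7, that keys on the connecting address and ignores forgeable forwarding headers, as described in #9. It assumes the origin sits behind a proxy that sets Cloudflare's `CF-Connecting-IP` header; the trusted range is a documentation placeholder, and the function and class names are hypothetical.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Assumption: placeholder range (TEST-NET-3) standing in for your real proxy/CDN egress ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def client_ip(peer_ip, headers):
    """Pick the address to rate-limit on.

    Forwarding headers are honoured only when the TCP peer is a trusted proxy;
    from any other peer they are client-controlled and ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        value = {k.lower(): v for k, v in headers.items()}.get("cf-connecting-ip", "")
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            pass  # header missing or malformed: fall back to the peer address
    return str(peer)

class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window`-second span."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()          # drop timestamps that have left the window
        if len(q) >= self.limit:
            return False         # over the limit: reject (e.g. with HTTP 429)
        q.append(now)
        return True

def demo():
    """Replay constructed traffic: (time, TCP peer, headers)."""
    limiter = SlidingWindowLimiter(limit=3, window=10)
    traffic = [
        (0, "198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}),
        (1, "198.51.100.7", {"X-Forwarded-For": "10.0.0.2"}),
        (2, "198.51.100.7", {"CF-Connecting-IP": "10.0.0.3"}),
        (3, "198.51.100.7", {"X-Forwarded-For": "10.0.0.4"}),
        (4, "203.0.113.10", {"CF-Connecting-IP": "192.0.2.55"}),
        (12, "198.51.100.7", {}),
    ]
    return [limiter.allow(client_ip(p, h), now=t) for t, p, h in traffic]
```

In `demo()`, the direct peer changes its forwarding headers on every request but is still counted as one client and rejected on the fourth request; the visitor arriving through the trusted proxy is tracked separately.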


closed #10

This topic was automatically closed after 14 days. New replies are no longer allowed.