To prevent the cloudflare cookie from being used with a different ip

This recommendation is for Cloudflare developers.

attackers, botnet and ddos attackers, using multi-core real servers, make the web page visit with a real headless chrome browser, and by taking the cf cookie id, they make requests over proxy ips or infected routers, arm devices etc.

When Cloudflare assigns a cookie to the visitor, it must associate this cookie with the user’s ip in order to recognize the user again, so that a real cookie received cannot be used with a request on another different ip.

In the web page visit, if the first assigned cf cookie is incompatible with the first user ip address association, it should not allow its visit even if the security underattack is turned off.

The fact that each created cf cookie has a short life, is updated without being noticed while the user is browsing the page, and is locked to the ip, it can ensure that the cookie cannot be used by receiving and distributing, increasing security.

[08:50:17] [info] Start attacking with 45.199.xx.xx:3128 (proxyip) | cookie: __cf_bm=jalNC00Ik1E2fGEwWupS7jRapxnhlfm.LR3BdfM6ks8-1650005409-0-AT1/RtQd7lw3zWRaM3frVGNq00fU/i7wtJ7yaV2rstfiqkcMRnRfaKslsVU6sNEhlXK3O3JKyDI76EKgTLqcrKByJCZfY+Rl/YdZM3U4ziedm7jeKS/wAdBri3I07inGJQ==; | target:

[08:43:51] [info] Start attacking with 23.95.xx.xx:3128 | cookie: cf_clearance=0MShXC.l3UPdkhp5bWf5Ff6ApEUXvjCq3aXAtE.i19E-1650004995-0-150; | target:

Attackers can’t do this. Cloudflare challenge cookies are tied to IPs and other browser features.

I don’t think there is any valid reason to waste computer resources on validating a cookie that could be valid (or not) when the customer has the security settings disabled.

This idea is arguably terrible and not viable.

Cloudflare customers can face complex attacks that solve the JS challenge; however, it is the customer’s responsibility to build rules that stop the attack; an experienced system administrator can deal with those types of attacks with ease as they are getting more common. At worst, customers can reach out to support or ask here in the community.
Refer to Understanding Under Attack Mode if you want a slightly more dive into the topic.


I have seen and experienced the situation with my own eyes, what you write may not serve your interests, but it does not change the reality.

You can connect and observe various botnets to see the situation and how to them bypas underattack mode.

Personal experience couldn’t be less relevant to what companies see on a mass scale; if any trend affected a decent number of customers, it would have been mitigated.

Cloudflare gives you the tools you need to mitigate any attack at any scale; if you don’t know how to do it, it’s your fault. It’s unrealistic to expect a single layer of security (UAM) to be a silver bullet against all attacks.

You either didn’t read what I sent you earlier or don’t understand it. Relying on UAM for complex attacks in 2022 isn’t viable.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.