Unable to determine why my company is being flagged by sites fronted by Cloudflare


#1

As of yesterday afternoon (Thursday, 04January2018), connections from internal hosts on my company network to sites fronted by Cloudflare are being challenged with a reCaptcha. While this is mildly annoying for users, we actually have automated processes that rely on the ability to download content from external sites behind Cloudflare and these jobs are failing because…well…they actually are robots. However, to this point, we’ve been unable to get an answer from Cloudflare as to why this is happening and what we can do to resolve it (beyond “scan the 10k+ machines on your network to see if one is infected with malware”). We have opened at least two support requests with Cloudflare and have been told in both cases that “your IP reputation was cleared today” and the support cases have been closed, but the issue persists. From what I can see, we are not on any blacklists, have been told by both Cloudflare and Project Honeypot that we are not on a blacklist, but we cannot seem to get ourselves out of this jam.


#2

As a customer, I don’t have insight into why this is happening. But out of curiosity, would you be able to have one of these site operators whitelist your IP address range? I know that won’t fix all of your problems, but it would add a data point.

How often are your bots hitting these servers?

Did it ever clear up, for even a little bit, after they told you it was clear?


#3

Thanks for your reply. We’ve begun reaching out to site operators but haven’t yet had any luck. The issue is actually affecting any site fronted by Cloudflare (not just the sites the build systems leverage) and no, the issue has never cleared up…not even for a little bit. It’s been extremely frustrating as we’re just not able to get any answers. A typical response from Cloudflare support has been very generic and doesn’t tell us anything useful about what we can do to permanently resolve this. The latest response is included below but I’ve redacted the names:

Jan 5, 1:50 PM PST
Hi there,
I am sorry to hear this is still persisting. I can confirm the IP reputation for address xxx.xxx.x.x was cleared and is still cleared. At this time the only thing I can state is that we did see a number of security events related to that IP but they have now been cleared. I will mark this as solved but do let us know if you have any further questions or issues by replying to this e-mail or ticket, which will then reactivate the ticket for us to investigate or answer any outstanding queries.
Thanks,
xxx


#4

If you have a Support Ticket # to go along with the above response, post it. The mods here sometimes re-open tickets to take a second look.

The “Security Events” they mentioned isn’t very clear, but could it possibly be a high number of connections by frequent bot traffic? Non-human connections tend to raise more red flags than regular visitors.


#5

The support request# is 1461511. As of this morning (08Jan2018, 8:58 a.m. EST), the issue is still occurring (happens even when I try to visit cloudflare.com). The lack of communication and engagement on the part of Cloudflare has been very frustrating. We have an issue, we would like to solve said issue, and they keep closing the request saying that we’re all set when we are most definitely not all set.


#6

That’s certainly frustrating that your access is still being blocked.

My suspicion is that the bots are what’s tripping the CAPTCHA. I have my sites set to a more secure setting to block bots (typically brute force attacks). Once you’ve tripped the CAPTCHA at one (or a few) sites, Cloudflare’s security system has increased awareness of “attacks” coming from your IP range and clamps down on all requests from you.

So…based upon my wild assumptions, the issue is one of two things:

  1. The sites you visit have their security settings pretty sensitive, so this is probably happening to other users of those sites. Keep bugging them until you get a response.
  2. There really is something unique about what’s going on in your IP address range that you’ll need to work out.

In any case, being persistent with Cloudflare Support might pay off in finding out exactly what’s tripping the security block, but I don’t think it’s something Cloudflare will be able to undo from their end.


#7

Thanks for your contributions! As of about 10 minutes ago, the issue has mysteriously cleared up. We are going to try to get some more information from Cloudflare about what was tripping us up and how to avoid this in the future. Thanks, again.