WAF started blocking a high volume of requests (GET) including Zaraz (POST)

Hi CF team!
We’ve been using CF Pro for a while and currently we use the Free Plan for a website targeted to Portuguese users.

The WAF has been activated for years and we usually monitor the number of events that are blocked, just to check if everything is working as expected.
Each day the WAF blocks around 200-500 requests, mostly from Russia or China.

In the past two days (18th and 19th March), the number of blocked requests sky-rocketed to 17k on Monday and 30k on Tuesday.
The site traffic is similar to the previous weeks, so the % of blocked requests is much, much higher than expected.

Quick note on the blocked requests:

  • 99% of the blocked requests are from Portugal
  • from these requests, around 98% are simple GET requests - for images, JS, CSS files
  • the other 2% are POST requests for Zaraz (for GA purposes)

Examples of Ray IDs some legit users sent us:
864b89d57eff5bea / 866295559cb5bdb
866ff08c6d34489d
866520005b7a03de

Could you please help us figure out what is happening for blocking such a huge volume of users?
Did something happen to the WAF configuration? Perhaps a recent deploy of managed rules?

Regards

You can look those up on your security events log to find the reason for the blocked request and debug from there…
https://dash.cloudflare.com/?to=/:account/:zone/security/events

Yes, we’ve checked that option for more info. The requests appear there, but there is no additional log that explains it. Both rule and ruleset say: “Unavailable”.

The blocked requests have an OWASP score ~40-45.
The Additional Logs don’t add much more info since each line says “Score +0”.

Is there another field that can help debugging? Why is the rule not available?

Hi @nps

I can see you have created a skip rule, did this solve your issue?

Hi @louise2
Sort of. The users are no longer impacted, but the site is less secure. I don’t think this is a proper solution.

Any feedback on the absence of a specific rule when the requests are blocked?

The error keeps going on. The rule is never available.
This is a very strange behaviour from a WAF.