Cidram: Cloudflare IPs getting blocked

Created on 7 Apr 2018  路  5Comments  路  Source: CIDRAM/CIDRAM

Today I have seen multiple instances in log where cloudflare IPs getting blocked.
To be noted : I have not enabled Cloudflare block list.

ID: 597
Script Version: CIDRAM v1.5.0
Date/Time: Sat, 07 Apr 2018 15:16:12
IP Address: 162.158.67.83
Signatures Count: 1
Signatures Reference: 162.158.64.0/20
Why Blocked: Cloud service ("CloudFlare, Inc", L797:F0, [US])!
User Agent: Mozilla/5.0 (compatible; CloudFlare-AlwaysOnline/1.0; +http://www.cloudflare.com/always-online) AppleWebKit/534.34
Reconstructed URI: https://example.com/
reCAPTCHA State: Enabled.
ID: 587
Script Version: CIDRAM v1.5.0
Date/Time: Sat, 07 Apr 2018 15:16:06
IP Address: 162.158.64.234
Signatures Count: 1
Signatures Reference: 162.158.64.0/20
Why Blocked: Cloud service ("CloudFlare, Inc", L797:F0, [US])!
User Agent: Mozilla/5.0 (compatible; CloudFlare-AlwaysOnline/1.0; +http://www.cloudflare.com/always-online) AppleWebKit/534.34
Reconstructed URI: https://example.com/
reCAPTCHA State: Enabled.



md5-a4ae5b6bc28319994d6b18b01327dbc0



ID: 586
Script Version: CIDRAM v1.5.0
Date/Time: Sat, 07 Apr 2018 15:16:05
IP Address: 2400:cb00:36:1008:0:0:a29e:40ea
Signatures Count: 1
Signatures Reference: 2400:cb00:36::/48
Why Blocked: Cloud service ("CloudFlare, Inc", L180:F0, [US])!
User Agent: Mozilla/5.0 (compatible; CloudFlare-AlwaysOnline/1.0; +http://www.cloudflare.com/always-online)
Reconstructed URI: https://example.com/
reCAPTCHA State: Enabled.
Resolved Support

Most helpful comment

This is the case by default afaik. Does the Cloudflare blocklist let Cloudflare through? You may have to allow Cloudflare as their servers fetch the content from your server (the origin) from time to time to get the new content for their edge nodes in their network / CDN.

All 5 comments

This is the case by default afaik. Does the Cloudflare blocklist let Cloudflare through? You may have to allow Cloudflare as their servers fetch the content from your server (the origin) from time to time to get the new content for their edge nodes in their network / CDN.

Now added Ignore CloudFlare, Inc in my Ignore.dat file.

Thank You, :-)
Actually, I thought Cloudflare IPs will only get blocked when we activate Cloudflare blocklist.

Actually, I thought Cloudflare IPs will only get blocked when we activate Cloudflare blocklist.

Bit of a redundancy backup. MacMathan's lists are generally more up-to-date, all updated automatically (AFAIK), and should be used by anyone wanting to block Cloudflare (or whatever else corresponds to any particular given blocklist) completely with the most up-to-date ranges (I'm a little wary of updating the default signature files automatically, due to some different and somewhat complex rules for some of the different providers and some of these ranges coming from different sources and other such considerations, and it takes me a while to get through to all the sections sometimes when they need updating), but Cloudflare is included both as one of the optional blocklists (to have more up-to-date ranges available to be blocked), as well as in the default signature files, due to unwanted activity seen from IPs within Cloudflare's ranges in the past.

Most of the old discussions about this unwanted activity (these discussions occurred mostly between 2014 and 2016) were on the old Spambot Security forum (partly public, partly private), and unfortunately aren't available anymore, so it's difficult to reliably delve into these too much.

That all said though.. I'd be more interested in current information anyway, rather than old information, as to gage whether continuing to block them now in the default signature files is worthwhile (regardless of being worthwhile in the past), so, I might need to reconnect and talk with some of the people that originally reported this unwanted activity and some of the people involved in these discussions, to see whether they're still seeing any unwanted activity, and to try to get some examples of it (if it's still happening now), because I've been looking over the access logs and CIDRAM logfiles for some of the honeypots that I currently run, as well as some of the websites that I'm personally managing at the moment where CIDRAM is installed (the oldest of these logfiles dates from October 2016; I don't have anything older than that anymore unfortunately either), and I'm actually not seeing anything in there at all to justify a continuation of the current blocks.

In short: I'm going to try talking with some people to figure out whether to keep blocking them, or whether to remove the blocks.

Anyhow, for now, adding Ignore CloudFlare, Inc to your ignore.dat as you've done, should solve the problem, and should prevent Cloudflare from being blocked anymore at your website. :-)

Thanks a lot for detailed response :-)
You have answered all my queries :+1:

So.. None of the people I talked to were able to produce any evidence for current unwanted HTTP/S traffic from Cloudflare. A few suggested that they think they might've seen something, but didn't have any logs for it anymore. Anyway.. I'm going to go ahead and remove them from the signature files for now. If evidence turns up, they can always be re-added in the future I guess, but for now, I'm inclined to believe that there's no value reason to keep them in the signature files anymore.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Maikuolan picture Maikuolan  路  4Comments

gizmecano picture gizmecano  路  6Comments

Dibbyo456 picture Dibbyo456  路  6Comments

Dibbyo456 picture Dibbyo456  路  5Comments

eurobank picture eurobank  路  3Comments