[tor-talk] CloudFlare

Lucia Liljegren lucia at rankexploits.com
Sun Apr 21 17:24:07 UTC 2013


grarpamp--
I know what XX is used for. That's why I added it to your lists. I thought you would want to know that.

Cloudflare can block for two reasons:
1) Cloudflare itself diagnoses that a particular request should be blocked. This could happen because the IP doesn't pass some virus checks or because the IP is diagnosed dirty due to past history. (For example: Having a high number of spam counts at Project Honeypot will get an IP blocked.) The user can request that Cloudflare use a 'strict' or 'lenient' setting on these tests.

2) The user specifically requests a block.

My understanding is that if a sufficient number of users block a particular IP, Cloudflare uses that data as part of their criteria under (1). This means that, potentially, a Tor IP can become blocked at Cloudflare if a sufficient number of users block it after a Tor IP tries to hack into their site. Cloudflare doesn't know it's Tor. It only knows the IP is banned by many individuals.

I happen to like that feature and consider this a good reason to block an IP even if no one using that IP has tried to hack *my* site yet. 

With regard to (1), Cloudflare permits A1 country codes through Cloudflare. So that is not the reason Tor is banned.

With regard to (2), I'm not sure that A1 is blockable by the user. Many anonymizers pass country codes anyway (e.g. SE). A user could block Sweden. I currently block China at Cloudflare. It's the only country I currently block. The only other countries I recollect ever blocking are... Brazil and Israel. I am not making this up merely because you were blocked for using an IP from Brazil.

I no longer block Brazil or Israel because I solved the problem of incessant hammering by identifying the IP ranges that cause me grief and blocking those specifically. But I don't think I can block A1, A2, O1 or XX at Cloudflare. If I can, I don't know what to type to block those. I do read these and have always blocked them from wp-login.php. Those that try to hack into wp-login.php are subsequently banned at Cloudflare. (I block lots of things from wp-login.php.)

For what it's worth: When a user blocks a country, Cloudflare presents a captcha. If the user passes the captcha, Cloudflare lets them pass. I don't know what happens if a connection is blocked because they appear to be a threat, but I think Cloudflare may present the captcha. Cloudflare passes information that permits me to detect a user passed a captcha or more specifically that the user did not pass the virus scan. If I see they did not pass the virus scan, I block them and tell them they are not allowed to visit until they fix their browser.

If you want to know more, you could ask Cloudflare. They tend to be very willing to answer anything. 




> > Lucia added:
> > Yes, I do see those codes passed in $_SERVER["HTTP_CF_IPCOUNTRY"].
> > from time to time they contain A1, A2, O1 or XX.
> 
> Not long ago someone here discovered that GeoIP is including the
> Tor exits in their A1 designation. So perhaps even though Cloudflare
> says they have no specific Tor provisions, Tor may be covered by
> whatever is applied via Cloudflare/admin to the A1 category.
> 
> http://dev.maxmind.com/geoip/codes/iso3166
> Cloudflare: XX is used if CF cannot determine the country from GeoIP.
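
An added example, not part of the original message and not Cloudflare's or WordPress's code: one way an origin could gate wp-login.php on the special codes discussed above, trusting HTTP_CF_IPCOUNTRY only when the connection really arrives from the proxy, since a client that reaches the origin directly can set that header itself. The function names, the fail-closed choices, the sample requests and the 203.0.113.0/24 range (a documentation placeholder for the proxy's published ranges) are assumptions.

```php
<?php
// Added example. The four codes are the ones named in the message above.
const SPECIAL_CODES = ['A1', 'A2', 'O1', 'XX'];
// Placeholder range (TEST-NET-3) standing in for the proxy's real ranges.
const TRUSTED_PROXY_CIDRS = ['203.0.113.0/24'];

// True when IPv4 address $ip lies inside $cidr ("a.b.c.d/n").
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr);
    if (count($parts) !== 2 || !ctype_digit($parts[1]) || (int) $parts[1] > 32) {
        return false;
    }
    $ipLong = ip2long($ip);
    $netLong = ip2long($parts[0]);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = -1 << (32 - (int) $parts[1]);   // network bits set, host bits clear
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Decide whether a request for the login page is refused.
// $server has the shape of $_SERVER; passed in so it can be exercised offline.
function deny_login(array $server): bool
{
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    if (basename((string) $path) !== 'wp-login.php') {
        return false;                        // only the login page is gated
    }
    $viaProxy = false;
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        $viaProxy = $viaProxy || ipv4_in_cidr($server['REMOTE_ADDR'] ?? '', $cidr);
    }
    if (!$viaProxy) {
        return true;                         // header is client-supplied here
    }
    $code = strtoupper(trim($server['HTTP_CF_IPCOUNTRY'] ?? ''));
    return $code === '' || in_array($code, SPECIAL_CODES, true);
}

// Constructed sample requests: [URI, peer address, header value or null].
$samples = [['/wp-login.php', '203.0.113.7', 'A1'], ['/wp-login.php', '203.0.113.7', 'SE'],
    ['/wp-login.php', '198.51.100.9', 'SE'], ['/wp-login.php', '203.0.113.7', null],
    ['/index.php', '203.0.113.7', 'A1']];
foreach ($samples as [$uri, $peer, $cc]) {
    $req = ['REQUEST_URI' => $uri, 'REMOTE_ADDR' => $peer];
    if ($cc !== null) { $req['HTTP_CF_IPCOUNTRY'] = $cc; }
    printf("%-14s %-13s %-4s %s\n", $uri, $peer, $cc ?? '-', deny_login($req) ? 'deny' : 'allow');
}
```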


