Feedback - your repeated Cloudflare security checkbox sucks.

2una

Active Member
Joined
Dec 27, 2016
Messages
475
Reaction score
417
Rating - 0%
0   0   0
Guess this is just for non US users of the site but as the title says - EVERYTHING you do results in another need to check the box.
Can it not be dialled back to check when one 1st does something here?
I would guess in a 10 min visit of the forum maybe 5 times it needs to be checked especially when posting or uploading an attachment or editing.
 

revhtree

Owner Administrator
Joined
May 8, 2006
Messages
50,099
Reaction score
105,447
Rating - 100%
1   0   0
Ouch that does suck! Sorry about that! Is this happening while you’re logged in?
 

revhtree

While logged in yes
Will be a South African IP address so possibly why.

I’ll check into it!

Anyone else having this issue please let me know!
 

BeanAnimal

5000 Club Member
Joined
Jul 16, 2009
Messages
6,131
Reaction score
10,561
Rating - 0%
0   0   0
I would assume that your IP keeps changing for some reason, or part of your adjacent IP block (your ISP) has a lot of IPs being used for nefarious activity and you are therefore caught up by proxy (no pun). It is more than likely the second (many IPs in adjacent address space being used to run bot, spam or hacking endpoints).


Or -- you are connecting from a VPN (pointless anyway) and that is triggering the CloudFlare Turing test.

This is something not really controlled by R2R - but rather their DNS provider/proxy (Cloudflare).
 

BeanAnimal

I would add that if you are running a VPN -- or (not accusing) doing any kind of port scanning, mass mailing or anything similar from your home... or have a compromised system being used as part of a bot network -- those things will certainly end up triggering cloudflare protection.
 
2una

Yes, is likely the start end of the IP block that is set at a "potential bad guy" level.
Not using VPN although that would probably fix it.
That or whitelist logged in members after initial check, once is fine, the repetitive way it's acting now is over the top.
 

DanyL

Valuable Member
Joined
Jan 13, 2023
Messages
1,624
Reaction score
2,003
Location
Middle East
Rating - 0%
0   0   0
I’ll check into it!

Anyone else having this issue please let me know!
If you remember - we went through this over private messages a while ago.

The fix you applied back then lasted a few weeks, but unfortunately it did get back to the “normal” behavior eventually.

I felt uncomfortable to keep bugging you with it given that not many members are being affected, but looks like it’s not limited to my region only.

I would assume that your IP keeps changing for some reason, or part of your adjacent IP block (your ISP) has a lot of IPs being used for nefarious activity and you are therefore caught up by proxy (no pun). It is more than likely the second (many IPs in adjacent address space being used to run bot, spam or hacking endpoints).


Or -- you are connecting from a VPN (pointless anyway) and that is triggering the CloudFlare Turing test.

This is something not really controlled by R2R - but rather their DNS provider/proxy (Cloudflare).
Yes, logically - you’re correct to assume this.
These are supposed to be the triggers in a normal scenario - however, it’s not the case here.

I’m from Israel, my IP doesn’t change that often (can easily last a year), I’m not doing any fishy stuff with it, nor is a VPN or proxy enabled either - and yes, all ISPs from my country are affected and it happens to everyone in here - so it’s not the device, nor a compromised network either.

On top of this, it isn’t a general problem with CloudFlare either, because many other sites that utilize it are working perfectly fine.
In fact, the only affected site is reef2reef, and therefore it is clearly a configuration issue.
 

BeanAnimal

Yes, is likely the start end of the IP block that is set at a "potential bad guy" level.
Not using VPN although that would probably fix it.
VPN may fix this particular issue, but may not or create other issues. Worth a try for sure, just don't count on a VPN "protecting" or "hiding" you or your activity from anyone or anything.

That or whitelist logged in members after initial check, once is fine, the repetitive way it's acting now is over the top.
That is not really the way it works. CloudFlare is between you and R2R, and while they may have control of some settings, it is not as granular as you think.

Rev or somebody who actually manages the site could go look for events and possibly tell you what is being flagged, but that is about it.

As I said above, it is more than likely your IP neighborhood or your system is compromised with malware. It could be poor route management from your ISP, but that is not as likely.
 
2una

If you remember - we went through this over private messages a while ago.

The fix you applied back then lasted a few weeks, but unfortunately it did get back to the “normal” behavior eventually.

I felt uncomfortable to keep bugging you with it given that not many members are being affected, but looks like it’s not limited to my region only.


Yes, logically - you’re correct to assume this.
These are supposed to be the triggers in a normal scenario - however, it’s not the case here.

I’m from Israel, my IP doesn’t change that often (can easily last a year), I’m not doing any fishy stuff with it, nor is a VPN or proxy enabled either - and yes, all ISPs from my country are affected and it happens to everyone in here - so it’s not the device, nor a compromised network either.

On top of this, it isn’t a general problem with CloudFlare either, because many other sites that utilize it are working perfectly fine.
In fact, the only affected site is reef2reef, and therefore it is clearly a configuration issue.

Yes, I also believe it's country IP related.
When I'm at work we use Starlink, which gets routed through a Nigerian ground station, and another local site I use then also becomes a similar Cloudflare story.
 

BeanAnimal

Yes, logically - you’re correct to assume this.
These are supposed to be the triggers in a normal scenario - however, it’s not the case here.

I’m from Israel, my IP doesn’t change that often (can easily last a year), I’m not doing any fishy stuff with it, nor is a VPN or proxy enabled either - and yes, all ISPs from my country are affected and it happens to everyone in here - so it’s not the device, nor a compromised network either.
I gave the most likely reasons that cause this. There are plenty of others -- we could fill a page full of them :)

I can't speak to your situation in Israel without getting into politics - other than it being IP neighborhood and route based -- and given the regional conflict, there is a LOT of IP activity that is not people sitting at home browsing websites... thus large blocks of IPs from where you live are caught up.


On top of this, it isn’t a general problem with CloudFlare either, because many other sites that utilize it are working perfectly fine.
In fact, the only affected site is reef2reef, and therefore it is clearly a configuration issue.
Different sites utilize different levels of CloudFlare security and filtering. The issue becomes one of balance for sure, but if you understood the amount of abuse aimed at a site like this and understood the CloudFlare filtering and security model, the needed protections sometimes come with unwanted side effects for a small group of subscribers.

I work with this technology daily for a living...

In any case - I will let Rev work this out with the OP.

Happy Reefing!

 
2una

That is not really the way it works. CloudFlare is between you and R2R, and while they may have control of some settings, it is not as granular as you think.

So the meat & potatoes solution is likely to whitelist member countries.
UK, Australia, NZ, Israel, South Africa, Sweden, Brazil are some I remember, no doubt tons more.
EU whitelisted perhaps already?
 

DanyL

I can't speak to your situation in Israel without getting into politics - other than it being IP neighborhood and route based -- and given the regional conflict, there is a LOT of IP activity that is not people sitting at home browsing websites... thus large blocks of IPs from where you live are caught up.
Oh believe me - I didn’t expect anything else to instantly come up here as the number one reason. And yet, I stand still with my analysis.


Different sites utilize different levels of CloudFlare security and filtering. The issue becomes one of balance for sure, but if you understood the amount of abuse aimed at a site like this and understood the CloudFlare filtering and security model, the needed protections sometimes come with unwanted side effects for a small group of subscribers.
That is correct - different sites do utilise different security models. There is no doubt about it.

However - sites that are FAR more likely to be attacked and are using cloudflare aren’t affected. They were however affected in the early weeks of the war.

Reef2reef can be a target for abuse, but it’s far from the position of news sites for example, or government related websites.


I work with this technology daily for a living..
I’m a security researcher, my focus is different and I don’t work with CloudFlare, however I do understand the threat models in play, how the technology works in practice, and how easily it can be misconfigured.
 

BeanAnimal

So the meat & potatoes solution is likely to whitelist member countries.
That creates a catch 22 :)

The blocks are due to bad neighborhoods - so whitelisting defeats the very purpose of the filter. Doing so by country is an even broader defeat of the very reason for the filter.

But maybe Rev can come up with something. I don't manage, nor am I privy to, their CF or hosting -- so can't speak to an actual workaround.
 

BeanAnimal

However - sites that are FAR more likely to be attacked and are using cloudflare aren’t affected. They were however affected in the early weeks of the war.

Reef2reef can be a target for abuse, but it’s far from the position of news sites for example, or government related websites.
The sites you speak of are using an insanely more expensive CF tier with both more granularity and dedicated support, as well as those companies having internal IT resources. Two very different SLA and response models :). Major customers and important traffic sites get custom solutions and fixes... R2R is not a blip on that radar. So apples and oranges.


I’m a security researcher, my focus is different and I don’t work with CloudFlare, however I do understand the threat models in play, how the technology works in practice, and how easily it can be misconfigured.
We use the product in some instances, as it is easy to deploy and inexpensive for basic needs. For most reasonably priced tiers, CF is not overly configurable. For example, something as simple as page load timeout is NOT editable. To get granular features and control, you must pay for enterprise.

Anyway - this conversation is not going to help the OP or anybody else. Thanks for your input though.. interesting topic for some of us that may be better suited to a conversation in some other place :)
 

DanyL

The sites you speak of are using an insanely more expensive CF tier with both more granularity and dedicated support, as well as those companies having internal IT resources. Two very different SLA and response models :). Major customers and important traffic sites get custom solutions and fixes... R2R is not a blip on that radar. So apples and oranges.
That’s correct, however I gave this as an example of an extreme case to rule out any actual threats coming from a specific device or network.

There are other similarly sized websites that have the very same threat model as R2R, they most definitely aren’t using an enterprise account, nor extremely special and customized configuration that isn’t available on more affordable tiers.

It simply is something that needs to be looked at and be figured out in the bounds of what normal tiers allow to achieve.
And yes, it does possibly imply loosening some of the global filtration that is currently applied, and applying a more complex configuration instead.

We use the product in some instances, as it is easy to deploy and inexpensive for basic needs. For most reasonably priced tiers, CF is not overly configurable. For example, something as simple as page load timeout is NOT editable. To get granular features and control, you must pay for enterprise.
Actually, there are many different tiers and ratings coming from CF, for a site like R2R, I somewhat doubt it uses the absolute most basic tier, simply due to traffic limitations.
But I may possibly not evaluate the needs of a site like R2R correctly.

That being said, even if it does require some more granularity, it’s something that needs to be taken into consideration, and does not necessarily mean you will have to upgrade to an enterprise tier account, given that some features can be enabled selectively, for more sane pricing than the ridiculous and seemingly random pricing they ask for enterprise.

Anyway - this conversation is not going to help the OP or anybody else. Thanks for your input though.. interesting topic for some of us that may be better suited to a conversation in some other place :)

Well, the dive in was mainly to address the impression your first comment may have left on OP, and maybe others reading it - while possible, it is very unlikely this was caused due to a compromised network or device, simply due to the way this problem behaves.

Hopefully rev will figure this out.
 

DanyL

best bet is likely a vpn where the OP can use a source IP from the VPN within the USA.
This wouldn’t work unfortunately.
In theory, it should - however, public VPN IP addresses as well as hosting IP ranges are usually getting the same treatment from CloudFlare.

Of course, someone in the US could potentially set up a VPN on his home network and allow others to use it, which will work perfectly fine - but this scenario is very unlikely to happen and has too many potential threats to be viable.
 

BeanAnimal

Hi Dany - you appear to be conflating and/or reframing parts of what I said. I have no interest in further developing a pointless conversation that does not aid the OP or R2R.

I simply gave the OP the most likely causes, based on simple facts. I also explained the general issue with the risk of loosening filters to accommodate what is likely a small portion of the user base that is inconvenienced. Sometimes there are no easy fixes for things was the point. That decision is of course up to R2R and whoever manages their DNS and firewall.

I don't really care to get into the weeds with edge cases, geopolitical IP issues, or the actual features of each CF tier (a product that you admit to not being overly familiar with) or quibble about what sites get what kind of traffic or what level of filtering that they need or what particular threats or attack vectors they need to worry about.

FWIW - I am not a "researcher" - this is what I do hands-on every day with more traffic sources and endpoints than I care to discuss here. Simply put, this is an area that I have specific expertise in. But, thank you for offering your take.

best bet is likely a vpn where the OP can use a source IP from the VPN within the USA.
It may or may not help, depending on what is triggering the Turing test. There is a lot more involved than just IP.
 
