Cloudflare Verification checks only on one IP address
When accessing websites that use Cloudflare services, I'm getting "Verify that you're human" checks on many of them from my IP address (Google fiber). But when using a different ISP with a different IP address (ATT Fiber), I don't get the same checks.
Some of the examples of sites where I'm experiencing this issue:
cloudflare.com
isbgpsafeyet.com
plex.tv
w3.org
namecheap.com
This problem seems to be isolated to Cloudflare, as my ISP claims no responsibility.
30 Replies
Happy to provide more info in DM as I don't want to post my public IP in a public forum
More details: No VPN on the computer in question or the router, I'm located in the United States, DNS is set to 8.8.8.8, router is Ubiquiti with ad blocking and security features turned off
Are you having any issues passing the challenge, or just saying you are getting served them a fair bit?
No issues passing, the issue really is that the client in question is a headless server, and it's trying to ping addresses using Cloudflare; being a headless server, it's not able to pass human verification checks.
When I curl https://metadata.provider.plex.tv I get the verification check, this is the domain that I discovered this Cloudflare issue with
Hopefully that makes sense so far
It makes sense to me. What you're probably hitting is you have a high IP Threat Score. CF has this value called "Threat Score" scored by IP, generated from hits on various honeypots and malicious activity, etc. Cloudflare websites have a "Security Level" which determines which threat scores get challenged. Your Fiber IP sounds like it has a high threat score
Ah, that would make sense as I was viewing some Newsgroup websites and usenet servers that might be on a list
Would generating a new IP address mitigate the issue?
If you can, yea, it could have an entirely different threat score. It's usually pretty hard to get a high threat score, have to do lots of blatantly malicious activity for an extended period of time, but that's just my anecdotal experience.
If you're using the same browser/setup, on ATT there's nothing but on Fiber there's challenges, it's almost 100% threat score
Makes sense, I suspect it's from browsing a bunch of newsgroup providers in one day, those websites serve pirated movies and whatnot. Play stupid games win stupid prizes
I really doubt that would be the cause, I would think more hacked devices on your network and such (or if your ISP does CGNAT and you're sharing IPs), but I can't say anything for sure.
The threat score measures IP reputation across Cloudflare services. This score is calculated based on Project Honeypot, external public IP information, as well as internal threat intelligence from our WAF managed rules and DDoS. The threat score of a request has a value from 0 to 100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet.
Oh, interesting. Never heard of CGNAT
I know CF has some magik to try to auto detect/work around CGNAT, but I doubt it's perfect
What would be your recommendation? VPN on the whole network, proxy server in a datacenter just for routing traffic, etc
I guess new IP would be the easiest first step
You could try seeing your threat_score here: https://threat.score.chaika.me/, although threat_score is a bit weird, CF also had BM scores and all the websites you listed are likely Enterprise
it's really silly that plex wouldn't be skipping security level/threat score blocks on an endpoint designed to be called by headless clients
It says 64
ok yea that's pretty high lol
I have a ticket with them and they have a ticket with you lol
But I've been waiting a week for an answer so here I am
even Essentially off would challenge that
On my ATT connection it says 0
G Fiber is 64
you're being placed in the group of threat scores with the worst of the worst
Lovely
For reference, I use mainly ATT and my G Fiber is primarily for the server, nothing else really uses that ISP
So I do all my browsing on ATT actually
(for clarification I'm not an employee, CF Champions are just community members who can escalate issues, tend to have decent knowledge of things, selected by CF for being helpful, etc)
but either way I would try getting a new IP first and hope that helps
Okay, btw, incredibly helpful and quick. Huge props to you
I've spent like 3 hours a day for a week on this
funny because even my VPN has a threat score of 0. I know some of that data comes from Project Honeypot, CF has fake websites, ssh servers and such that just collect bad traffic
like CF says, threat score is based off that data + being blocked by waf/ddos. Just visiting weird websites wouldn't be likely to trigger that, and even then 64 is really high, I've seen threat scores that high only on really malicious IPs/Tor Exit nodes without restrictions, etc.
Still, I hear what you're saying about the honeypots, if I'm hearing you right, even that plex stuff shouldn't give me a threat score
Had to do some MAC address spoofing on my router to change my public IP (google fiber was very difficult to deal with), but I got the score to 0
usually you just need to turn it off for 30 minutes or so until your DHCP Lease Expires, but I'm sure that varies a bit by ISP
nice though, hopefully stays that way
They told me 24 hours of leaving the modem off, I wasn’t about to do that
Still need to check if I can reach that Plex Metadata service
that's fair lol, maybe really long dhcp lease then
Wow, it worked
All issues resolved. God bless
Now people can stop texting me that movie posters aren’t working
(Still, in a perfect world, Plex should not have any challenges on an endpoint designed to be called by headless clients because they obviously can't solve them)
but big companies and misconfiguring Cloudflare is nothing new
Makes sense. Now I know for the future though, fascinating