Paul Hempshall

Website Cyber Security Professional

Cloudflare Firewall – Restricting Rogue Networks

Published: August 5, 2021 11:11 am

Guide Application Security

If you are using Cloudflare then you should definitely take a look at the powerful free firewall they provide.

Here is a list of rogue network autonomous system numbers and a Cloudflare firewall configuration to help get you started with protecting your website. It is important to read to the end to understand Known Bots such as Google and Bing.

Name                          ASN
OVHCloud                      16276
Digital Ocean                 14061, 46652
Amazon                        16509
Microsoft                     8075
Google                        15169
Rackplace                     58329
GleSYS                        43948, 42708
Linode                        63949
Phase Layer Global Networks   51852
GoDaddy                       26496, 30083
Alibaba                       37963, 45102
DediPath                      35913
Rackspace                     12200, 45187, 58683
Tencent                       45090, 132203, 132591
UAB Rakrejus                  62282
Hetzner                       24940
Global Layer                  49453
ColoCrossing                  36352
InterServer                   19318

The networks themselves cannot be considered bad actors – it’s the people using them.

Creating the Cloudflare Firewall

First, you need to create the rule:

Firewall > Firewall Rules > Create a Firewall rule

And then give it a name. I like to use OOB Networks, short for Out-of-Bound Networks. From here you can start to build your rules. You can either use the Expression Builder and create them manually or copy and paste the ruleset below.

(ip.geoip.asnum eq 16276 and not cf.client.bot) or 
(ip.geoip.asnum eq 14061 and not cf.client.bot) or 
(ip.geoip.asnum eq 46652 and not cf.client.bot) or 
(ip.geoip.asnum eq 16509 and not cf.client.bot) or 
(ip.geoip.asnum eq 8075 and not cf.client.bot) or 
(ip.geoip.asnum eq 15169 and not cf.client.bot) or 
(ip.geoip.asnum eq 58329 and not cf.client.bot) or 
(ip.geoip.asnum eq 43948 and not cf.client.bot) or 
(ip.geoip.asnum eq 42708 and not cf.client.bot) or 
(ip.geoip.asnum eq 63949 and not cf.client.bot) or 
(ip.geoip.asnum eq 51852 and not cf.client.bot) or 
(ip.geoip.asnum eq 26496 and not cf.client.bot) or 
(ip.geoip.asnum eq 30083 and not cf.client.bot) or 
(ip.geoip.asnum eq 37963 and not cf.client.bot) or 
(ip.geoip.asnum eq 45102 and not cf.client.bot) or 
(ip.geoip.asnum eq 35913 and not cf.client.bot) or 
(ip.geoip.asnum eq 12200 and not cf.client.bot) or 
(ip.geoip.asnum eq 45187 and not cf.client.bot) or 
(ip.geoip.asnum eq 58683 and not cf.client.bot) or 
(ip.geoip.asnum eq 45090 and not cf.client.bot) or 
(ip.geoip.asnum eq 132203 and not cf.client.bot) or 
(ip.geoip.asnum eq 132591 and not cf.client.bot) or 
(ip.geoip.asnum eq 62282 and not cf.client.bot) or 
(ip.geoip.asnum eq 24940 and not cf.client.bot) or 
(ip.geoip.asnum eq 49453 and not cf.client.bot) or 
(ip.geoip.asnum eq 36352 and not cf.client.bot) or 
(ip.geoip.asnum eq 19318 and not cf.client.bot)

One thing to be aware of is how Known Bots[1] (such as search engines and other legitimate crawlers) are handled. In each clause the Known Bots field needs to be set to Off (that is the "not cf.client.bot" part of the expression above), so that a request which matches a listed ASN but comes from a known good bot is not challenged and the connection is allowed.

The general layout for the Expression Builder is a series of (condition AND condition) groups joined by OR, one group per ASN:

("AS Num" equals "n" AND "Known Bots" equals "Off") OR
("AS Num" equals "n" AND "Known Bots" equals "Off") OR

Then choose an action. You can Block, Challenge (either Captcha or JavaScript), Allow or Bypass. I use the JS Challenge – it’s the challenge that presents an interstitial spinning loader icon while it checks the user. I use this because it lets a genuine user visit without clicking on endless pictures of buses, taxis or mountains, but will still stop automated malicious connections. Usually, there aren’t many genuine users on these networks unless they are on a VPN.
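As an added example (not code from the original post or from Cloudflare), here is a small Python script that builds the rule expression from the ASN table above so the clauses are not typed by hand, also emits the equivalent single-clause form using the rules language "in" set operator, and simulates how the rule decides for a few constructed requests. The evaluate() logic and the sample requests are my own assumptions for illustration.

```python
"""Build the OOB Networks rule from the ASN table and simulate its evaluation.

Added example, not part of the original post. The table below copies the
post's ASN list; the request samples in simulate() are constructed.
"""

# Provider name -> ASNs, copied from the post's table (order preserved).
ROGUE_NETWORKS = {
    "OVHCloud": [16276], "Digital Ocean": [14061, 46652], "Amazon": [16509],
    "Microsoft": [8075], "Google": [15169], "Rackplace": [58329],
    "GleSYS": [43948, 42708], "Linode": [63949],
    "Phase Layer Global Networks": [51852], "GoDaddy": [26496, 30083],
    "Alibaba": [37963, 45102], "DediPath": [35913],
    "Rackspace": [12200, 45187, 58683], "Tencent": [45090, 132203, 132591],
    "UAB Rakrejus": [62282], "Hetzner": [24940], "Global Layer": [49453],
    "ColoCrossing": [36352], "InterServer": [19318],
}


def all_asns():
    """Flatten the table into the ordered list of ASNs."""
    return [asn for asns in ROGUE_NETWORKS.values() for asn in asns]


def build_expression():
    """One (ASN and not cf.client.bot) clause per ASN, joined by 'or', as in the post."""
    clauses = [f"(ip.geoip.asnum eq {asn} and not cf.client.bot)" for asn in all_asns()]
    return " or\n".join(clauses)


def build_expression_compact():
    """Equivalent single clause using the rules language 'in' operator with a set literal."""
    members = " ".join(str(asn) for asn in all_asns())
    return f"ip.geoip.asnum in {{{members}}} and not cf.client.bot"


def evaluate(asn, known_bot, action="js_challenge"):
    """Simulated rule decision (assumption, not Cloudflare code).

    Returns the action when the request comes from a listed ASN AND is not a
    Known Bot; returns None when the rule does not match and the request
    simply continues to later rules and the origin.
    """
    if asn in set(all_asns()) and not known_bot:
        return action
    return None


def simulate():
    """Constructed requests: (label, ASN, cf.client.bot verdict) -> decision."""
    samples = [("Googlebot", 15169, True), ("scraper on GCP", 15169, False),
               ("home user", 3320, False), ("Hetzner box", 24940, False)]
    return {label: evaluate(asn, bot) for label, asn, bot in samples}
```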

Testing Known Bots

To test your Firewall rules with Known Bots such as Google and Bing, you can use the URL Inspection tools provided by the respective providers.

You can also test social media access through a variety of methods, either using their URL sharing debugging tools or by pasting the page URL into a new post and waiting for their system to scrape the page and display the preview image.

References

[1] https://developers.cloudflare.com/firewall/known-issues-and-faq#how-do-i-create-an-exception-to-exclude-certain-requests-from-being-blocked-or-challenged