Paul Hempshall

Website Cyber Security Professional

Cloudflare Firewall – Restricting Rogue Networks

Published: August 5, 2021 11:11 am

Guide Application Security

If you are using Cloudflare then you should definitely take a look at the powerful free firewall they provide.

Here is a list of rogue network autonomous system numbers and a Cloudflare firewall configuration to help get you started with protecting your website. It is important to read to the end to understand Known Bots such as Google and Bing.

Name ASN
OVHCloud 16276
Digital Ocean 14061, 46652
Amazon 16509
Microsoft 8075
Google 15169
Rackplace 58329
GleSYS 43948, 42708
Linode 63949
Phase Layer Global Networks 51852
GoDaddy 26496, 30083
Alibaba 37963, 45102
DediPath 35913
Rackspace 12200, 45187, 58683
Tencent 45090, 132203, 132591
UAB Rakrejus 62282
Hetzner 24940
Global Layer 49453
ColoCrossing 36352
InterServer 19318

The networks themselves cannot be considered bad actors – it’s the people using them.

Creating the Cloudflare Firewall

First, you need to create the rule:

Firewall > Firewall Rules > Create a Firewall rule

And then give it a name. I like to use OOB Networks, short for Out-of-Bound Networks. From here you can start to build your rules. You can either use the Expression Builder and create them manually or copy and paste the ruleset below.

(ip.geoip.asnum eq 16276 and not or 
(ip.geoip.asnum eq 14061 and not or 
(ip.geoip.asnum eq 46652 and not or 
(ip.geoip.asnum eq 16509 and not or 
(ip.geoip.asnum eq 8075 and not or 
(ip.geoip.asnum eq 15169 and not or 
(ip.geoip.asnum eq 58329 and not or 
(ip.geoip.asnum eq 43948 and not or 
(ip.geoip.asnum eq 42708 and not or 
(ip.geoip.asnum eq 63949 and not or 
(ip.geoip.asnum eq 51852 and not or 
(ip.geoip.asnum eq 26496 and not or 
(ip.geoip.asnum eq 30083 and not or 
(ip.geoip.asnum eq 37963 and not or 
(ip.geoip.asnum eq 45102 and not or 
(ip.geoip.asnum eq 35913 and not or 
(ip.geoip.asnum eq 12200 and not or 
(ip.geoip.asnum eq 45187 and not or 
(ip.geoip.asnum eq 58683 and not or 
(ip.geoip.asnum eq 45090 and not or 
(ip.geoip.asnum eq 132203 and not or 
(ip.geoip.asnum eq 132591 and not or 
(ip.geoip.asnum eq 62282 and not or 
(ip.geoip.asnum eq 24940 and not or 
(ip.geoip.asnum eq 49453 and not or 
(ip.geoip.asnum eq 36352 and not or 
(ip.geoip.asnum eq 19318 and not

One thing to be aware of is allowing Known Bots[1] (such as search engines or other legitimate bots). This will need to be set to off so that if it matches the ASN and is a known good bot it will allow the connection.

The general layout for the Expression Builder is ($rule AND $rule) OR.

("AS Num" equals "n" AND "Known Bots" equals "Off") OR 
("AS Num" equals "n" AND "Known Bots" equals "Off") OR

Then choose an action. You can Block, Challenge (both Captcha or JavaScript), Allow or Bypass. I use the JS Challenge – it’s the challenge that presents an interstitial spinning loader icon while it checks the user. I use this because it will allow a genuine user to visit without clicking on endless pictures of buses, taxis or mountains but will prevent malicious connections. Usually, there aren’t many genuine users unless they are on a VPN.

Testing Known Bots

To test your Firewall rules with Known Bots such as Google and Bing, you can use the URL Inspection tools provided by the respective providers.

You can also test social media access through a variety of methods, either using their URL sharing debugging tools or by pasting the page URL into a new post and waiting for their system to scrape the page and display the preview image.