Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Cloudflare Captcha
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Cloudflare Captcha

Hi, can anyone provide me with a link that will allow me to captcha every country with the cloudflare API I have been searching but cannot find anything

Comments

  • Do you just want to captcha every visitor or only a specific set of sites?

  • You can set your website to "Im under attack" mode.

  • Why not add 0.0.0.0/0 and 0::0/0 on CF firewall rules and set it to challenge (captcha)?

    Thanked by 2klikli vimalware
  • MikeAMikeA Member, Patron Provider
    edited August 2019

    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

  • FAT32FAT32 Administrator, Deal Compiler Extraordinaire

    You can also set a Firewall Rule and show Challenge (Captcha) for threat score <= 100 (everyone)

  • Isn't it only on the paid plan?

  • @greatgreat55 said:
    Isn't it only on the paid plan?

    No, it's not only on the paid plan!

    You can create a firewall rule to tell Clouflare to Challenge (Captcha) all the traffic.

    I did it in the beginning, except for a few target countries, but later switched to JS Challenge instead.

  • @MikeA said:
    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

    Actually it's possible on free plan i did it for years and challenged every country with a Captcha that was major source of layer 7 attacks. Just go to the Tools section under Firewall page in Cloudflare and enter the Country, IP, Range or ASN you want to challenge and select Challenge instead of JS Challenge and the Captcha page will be shown to that set of users. Cloudflare JS Challenge are so easy to bypass with cookies.

  • @WebGuru said:

    @MikeA said:
    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

    Actually it's possible on free plan i did it for years and challenged every country with a Captcha that was major source of layer 7 attacks. Just go to the Tools section under Firewall page in Cloudflare and enter the Country, IP, Range or ASN you want to challenge and select Challenge instead of JS Challenge and the Captcha page will be shown to that set of users. Cloudflare JS Challenge are so easy to bypass with cookies.

    Are they? Can you tell me more?

  • @479555 said:

    @WebGuru said:

    @MikeA said:
    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

    Actually it's possible on free plan i did it for years and challenged every country with a Captcha that was major source of layer 7 attacks. Just go to the Tools section under Firewall page in Cloudflare and enter the Country, IP, Range or ASN you want to challenge and select Challenge instead of JS Challenge and the Captcha page will be shown to that set of users. Cloudflare JS Challenge are so easy to bypass with cookies.

    Are they? Can you tell me more?

    There are layer 7 attack tools and ways that can easily bypass cloudflare js challenge or under attack mode i realised it when i was still getting bombed although i had js challenge pages and had under attack mode activated.

    For an example of these tools look at https://github.com/KyranRana/cloudflare-bypass

    I talked to cloudflare support and they admitted it can be easily bypassed. There are scripts available on github that you can use to launch massive attacks from a single server just give it a list of http proxies and random users agent and thn tell it the number of connections you want and the attack begins!

    Let me post the exact answer i got from Cloudflare support about bypassing the browser check page:

    As you noticed, the Under Attack Mode is the starting point you can use for your defense. It will also allow us to see what requests are getting block and which ones are reaching your server. This is just a JavaScript challenge which can indeed be bypassed by more advance attacks. For this we have other options such as the possibility of adding Challenges to country and blocking individual IPs or ASNs - which is information we can provide during the attack.

    Thanked by 1479555
  • @WebGuru said:

    @479555 said:

    @WebGuru said:

    @MikeA said:
    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

    Actually it's possible on free plan i did it for years and challenged every country with a Captcha that was major source of layer 7 attacks. Just go to the Tools section under Firewall page in Cloudflare and enter the Country, IP, Range or ASN you want to challenge and select Challenge instead of JS Challenge and the Captcha page will be shown to that set of users. Cloudflare JS Challenge are so easy to bypass with cookies.

    Are they? Can you tell me more?

    There are layer 7 attack tools and ways that can easily bypass cloudflare js challenge or under attack mode i realised it when i was still getting bombed although i had js challenge pages and had under attack mode activated.

    For an example of these tools look at https://github.com/KyranRana/cloudflare-bypass

    I talked to cloudflare support and they admitted it can be easily bypassed. There are scripts available on github that you can use to launch massive attacks from a single server just give it a list of http proxies and random users agent and thn tell it the number of connections you want and the attack begins!

    Let me post the exact answer i got from Cloudflare support about bypassing the browser check page:

    As you noticed, the Under Attack Mode is the starting point you can use for your defense. It will also allow us to see what requests are getting block and which ones are reaching your server. This is just a JavaScript challenge which can indeed be bypassed by more advance attacks. For this we have other options such as the possibility of adding Challenges to country and blocking individual IPs or ASNs - which is information we can provide during the attack.

    Is it possible to bypass captchas as well, with this technique?

  • @479555 said:

    @WebGuru said:

    @479555 said:

    @WebGuru said:

    @MikeA said:
    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

    Actually it's possible on free plan i did it for years and challenged every country with a Captcha that was major source of layer 7 attacks. Just go to the Tools section under Firewall page in Cloudflare and enter the Country, IP, Range or ASN you want to challenge and select Challenge instead of JS Challenge and the Captcha page will be shown to that set of users. Cloudflare JS Challenge are so easy to bypass with cookies.

    Are they? Can you tell me more?

    There are layer 7 attack tools and ways that can easily bypass cloudflare js challenge or under attack mode i realised it when i was still getting bombed although i had js challenge pages and had under attack mode activated.

    For an example of these tools look at https://github.com/KyranRana/cloudflare-bypass

    I talked to cloudflare support and they admitted it can be easily bypassed. There are scripts available on github that you can use to launch massive attacks from a single server just give it a list of http proxies and random users agent and thn tell it the number of connections you want and the attack begins!

    Let me post the exact answer i got from Cloudflare support about bypassing the browser check page:

    As you noticed, the Under Attack Mode is the starting point you can use for your defense. It will also allow us to see what requests are getting block and which ones are reaching your server. This is just a JavaScript challenge which can indeed be bypassed by more advance attacks. For this we have other options such as the possibility of adding Challenges to country and blocking individual IPs or ASNs - which is information we can provide during the attack.

    Is it possible to bypass captchas as well, with this technique?

    No it's not possible to bypass Google recaptcha that Cloudflare use. There are some services that offer captcha solving services but those services can't be used in an attack.

    But these recaptchas can be really annoying for your first time visitors and i have noticed a loss in traffic.

  • 479555479555 Member
    edited August 2019

    @WebGuru said:

    @479555 said:

    @WebGuru said:

    @479555 said:

    @WebGuru said:

    @MikeA said:
    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

    Actually it's possible on free plan i did it for years and challenged every country with a Captcha that was major source of layer 7 attacks. Just go to the Tools section under Firewall page in Cloudflare and enter the Country, IP, Range or ASN you want to challenge and select Challenge instead of JS Challenge and the Captcha page will be shown to that set of users. Cloudflare JS Challenge are so easy to bypass with cookies.

    Are they? Can you tell me more?

    There are layer 7 attack tools and ways that can easily bypass cloudflare js challenge or under attack mode i realised it when i was still getting bombed although i had js challenge pages and had under attack mode activated.

    For an example of these tools look at https://github.com/KyranRana/cloudflare-bypass

    I talked to cloudflare support and they admitted it can be easily bypassed. There are scripts available on github that you can use to launch massive attacks from a single server just give it a list of http proxies and random users agent and thn tell it the number of connections you want and the attack begins!

    Let me post the exact answer i got from Cloudflare support about bypassing the browser check page:

    As you noticed, the Under Attack Mode is the starting point you can use for your defense. It will also allow us to see what requests are getting block and which ones are reaching your server. This is just a JavaScript challenge which can indeed be bypassed by more advance attacks. For this we have other options such as the possibility of adding Challenges to country and blocking individual IPs or ASNs - which is information we can provide during the attack.

    Is it possible to bypass captchas as well, with this technique?

    No it's not possible to bypass Google recaptcha that Cloudflare use. There are some services that offer captcha solving services but those services can't be used in an attack.

    But these recaptchas can be really annoying for your first time visitors and i have noticed a loss in traffic.

    Great, thanks for the answer! Yeah, as I was writing above I once had captchas enabled but soon switched to JS Challenge.

    In the very, very remote case of an attack I'll just enable captchas then :)

  • @MikeA said:
    I think you need to be on the paid plan, $20/m or higher to for captcha option to show on things like page rules.

    Nah. I didn't find anything but my account already has every country captchad after re looking

  • stefemanstefeman Member
    edited August 2019

    There are services like this which forwards the captcha automatically to some chinese worker: https://2captcha.com/ or https://anti-captcha.com/mainpage lol. The latter's website is almost like from some dystopia movie.

    Imagine sitting on a computer 12 hours a day solving captcha for other people's bots.

    Thanked by 1MasonR
  • NeoonNeoon Community Contributor, Veteran

    @stefeman said:
    Imagine sitting on a computer 12 hours a day solving captcha for other people's bots.

    The poor girlfriend, when he comes home and tries to solve her as captcha.
    Besides, at 12 hours, you wont likely have a girlfriend.

  • MasonRMasonR Community Contributor

    @stefeman said:
    There are services like this which forwards the captcha automatically to some chinese worker: https://2captcha.com/ or https://anti-captcha.com/mainpage lol. The latter's website is almost like from some dystopia movie.

    Imagine sitting on a computer 12 hours a day solving captcha for other people's bots.

    Almost as bad as the poor chaps in Chinese prisons who are forced to farm WoW gold for 12+ hours a day, which the guards sell for cash.

    Thanked by 1Ouji
  • Create a firewall rule with this expression and set action to Challenge (Captcha). It will challenge every visitor with Captcha.

    (http.request.uri contains "")

Sign In or Register to comment.