New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Do you just want to captcha every visitor or only a specific set of sites?
You can set your website to "I'm Under Attack" mode.
Why not add 0.0.0.0/0 and 0::0/0 on CF firewall rules and set it to challenge (captcha)?
I think you need to be on the paid plan, $20/m or higher, for the captcha option to show on things like page rules.
You can also set a Firewall Rule and show Challenge (Captcha) for threat score <= 100 (everyone)
Isn't it only on the paid plan?
No, it's not only on the paid plan!
You can create a firewall rule to tell Cloudflare to Challenge (Captcha) all the traffic.
I did it in the beginning, except for a few target countries, but later switched to JS Challenge instead.
Actually, it's possible on the free plan. I did it for years and challenged every country that was a major source of layer 7 attacks with a Captcha. Just go to the Tools section under the Firewall page in Cloudflare, enter the Country, IP, Range or ASN you want to challenge, and select Challenge instead of JS Challenge, and the Captcha page will be shown to that set of users. Cloudflare JS Challenges are so easy to bypass with cookies.
Are they? Can you tell me more?
There are layer 7 attack tools and ways that can easily bypass the Cloudflare JS Challenge or Under Attack mode. I realised it when I was still getting bombed although I had JS Challenge pages and had Under Attack mode activated.
For an example of these tools look at https://github.com/KyranRana/cloudflare-bypass
I talked to Cloudflare support and they admitted it can be easily bypassed. There are scripts available on GitHub that you can use to launch massive attacks from a single server: just give it a list of HTTP proxies and random user agents, then tell it the number of connections you want, and the attack begins!
Let me post the exact answer I got from Cloudflare support about bypassing the browser check page:
Is it possible to bypass captchas as well, with this technique?
No, it's not possible to bypass the Google reCAPTCHA that Cloudflare uses. There are some services that offer captcha solving, but those services can't be used in an attack.
But these reCAPTCHAs can be really annoying for your first-time visitors, and I have noticed a loss in traffic.
Great, thanks for the answer! Yeah, as I was writing above I once had captchas enabled but soon switched to JS Challenge.
In the very, very remote case of an attack I'll just enable captchas then
Nah. I didn't find anything, but my account already has every country captcha'd after re-looking.
There are services like this which forward the captcha automatically to some Chinese worker: https://2captcha.com/ or https://anti-captcha.com/mainpage lol. The latter's website is almost like something from some dystopia movie.
Imagine sitting on a computer 12 hours a day solving captcha for other people's bots.
The poor girlfriend, when he comes home and tries to solve her as captcha.
Besides, at 12 hours, you won't likely have a girlfriend.
Almost as bad as the poor chaps in Chinese prisons who are forced to farm WoW gold for 12+ hours a day, which the guards sell for cash.
Create a firewall rule with this expression and set action to Challenge (Captcha). It will challenge every visitor with Captcha.