When I wrote my previous article on Cloudflare, and how it craps all over my daily internet browsing and possibly millions of others, most of the responses I got was skepticism with a healthy dose of justification. Either, it’s my fault for being born and living in a country that is not on the favorable IP blocks for Cloudflare (read Developed Nations). Or it’s the Website owner’s fault for not turning firewall rules to essentially off. Who in their right might would turn firewall essentially off? A firewall is a good thing, right?

But what responsibility does Cloudflare have in terms of making sure there are fewer false positive, in their firewall? Considering that this monstrosity of a false sense of protection is created by Cloudflare themselves, shouldn’t we put them to a higher standard, instead of blaming third parties? Let me be very clear, browsing the internet with dozens of captcha prompts is not limited to TOR users. It happens to a HUGE proportion of daily internet users, who are not spammers, whose IPs are NOT on any popular blacklists, and who did not do anything to cause suspicious behavior. Yet we continuously have to deal with this nuisance. I know this because I own an ISP with a couple of thousands of IPs and we do a routine check against spam lists, blocklists, and monitor traffic within our network for suspicious behavior.



A short video example of what we have to deal with on a daily basis. The left window is a TOR browser, right window chrome browser, with no extensions, proxy, or VPN. Now imagine this happening 30-40 times a day.

According to Cloudflare these are the reasons I see a captcha challenge page:



The IP address you are on has shown problematic activity online recently in one of our data sources. If you would like to look at your IP up, then please look at your IP up at Project Honeypot. If the IP address shows data for malicious activity, you can see why there. You can also attempt to whitelist your IP directly on that page by connecting from that IP.

As per Cloudflare, they rely on more than one source to determine whether an IP had problematic Activity recently. Project Honeypot is one of the sources suggested to check my IP (it’s not listed I checked). Not only that, according to Project Honeypot’s own list, Top 25 Harvester Countries, Top 25 Spam Server Countries, Top 25 Comment Spammer Countries, Top 25 Dictionary Attacker Countries, is mostly populated by developed countries or the upper echelon on developing countries. USA and China are in the TOP 10 of all four of these lists, where most of Cloudflare data centers are located. (My country is not listed anywhere).

Another Popular list, maintained by The Spamhaus Project (international Organization), the USA along with 3 other developed countries are the “The World’s Worst Spam Enabling Countries”, in their own word.

According to Akamai, one of the largest CDN like Cloudflare, own report (2015), At 23.45%, China was again the top source country for DDoS attacks; Germany was responsible for 17.39% and the U.S. for 12.18%. “Combined, China, Germany, and the U.S. accounted for more than 50% of attacking IPs in this quarter,” Akamai wrote. Again, my country is not listed anywhere in that report.



The site owner decided to block the country you are visiting from.

Nothing to do here if the site owners specifically block any country. In that case, I would be blocked, won’t be able to access the site at all. I suspect the percentage of site owners who do this is very low. You can do this with few lines on apache or Nginx config, nothing new or unique to Cloudflare.



Your actions are triggering a Web Application Firewall rule that the website owner has turned on.

Again, this doesn’t address just browsing through the google search and going to a link and get hit by the captcha challenge page. Web Application Firewall rule shouldn’t be triggered by this behavior.

So what’s going on here, captcha challenge page being triggered by harmless browsing activity? Please note that this is not an isolated incident that happens once in a while to me and a few of my friends. These happen a lot more frequently than you think. Not only do I see this often in thousands of IPs in our ISP, but we also do market research on our competition and see this behavior just as frequently. Forget about my location, just do a simple google search for “<a href=”https://www.google.com/search?q=cloudflare+captcha””>Cloudflare Captcha” and you will see thousands of similar complaints dating back as far as 4-5 years. And almost all the responses point the issue towards website owners or your ISP or something fishy (malware) happening on your computer that’s triggering this behavior. Even Cloudflare’s official stance is that it’s not their fault or responsibility

I have two theories:

There is something fundamentally wrong with the Cloudflare challenge page and CF is unwilling or unable to fix it.

Or, more likely, this is done intentionally by design. There was a time when anti-virus and anti-spyware used to resort to a false advertisement method where they would report non-existing virus or spyware found in your system, with a promise to clean up your system if you just buy the pro version. The Difference with Cloudflare is that it gives you this false sense of protection against a potential non-existent threat. And it’s a free advertisement for Cloudflare services. Every time a user visits a CloudFlare captcha page, it’s saying “Look at this shiny annoying feature this website owner uses, powered by Cloudflare, you should try it out too”. The barrier to entry is very low, its free, and a couple of clicks away.

There were CDN’s and DDOS protection services before CloudFlare, and there are CDN’s and DDOS protection services now, and none of them works as disruptively in your face as Cloudflare does. Akamai is one of the largest CDN providers and also provide DDOS protection, how often do you get rudely policed on your daily internet usage?

Something to think about.