Comments on You don’t want to be on Cloudflare’s naughty list

Be civil and read the entire article first. This is not a support forum. Comments from new contributors are moderated. English only.

Leave a comment

Required. Optional. E.g. your homepage, Twitter. or Email required unless anonymous. Not published or shared. Reuse to be recognized as the same commenter.
Plain-text only. Begin lines with a > character to quote.

I guess Cloudflare is just using "7 simple bot detection methods that won’t inconvenience users". You yourself said and practice the belief that it's okay to algorithmically block people if their browser isn't bleeding edge or something seems weird. It'll only ever effect a few people, right?

It doesn't feel so good when it happens to you, does it? Maybe consider removing your "your web browser is too old or misbehaved." blocks that actually do inconvenience people.

Exile In Paradise

Cloudflare's "we're checking the security of your connection" page is really scanning headers of your request similar to the "Bad Behavior" bot mess used by some blogs. The wording has always seemed deceptive to me since the connection is ... already made at the point you got handed back the toll booth page.

If you use privacy or security enhancing tools, cloudflare defaults to assuming you're a bot and hassles you at the border worse than the KGB ever wished they could.

Installing their "Privacy Pass" plugin is really not privacy - its just a different form of tracker following you around.

Here's what little cloudflare claims the "browser integrity check" does - to me its really them objecting and requiring a captcha payday if you don't let them pilfer your browser settings hard enough.

Welcome to the "Stop and Frisk" web courtesy of cloudflare and others who want to be them.

> To be fair to Cloudflare [...] Website administrators can configure exceptions in their Cloudflare accounts.

I don't know if I would let them off this easy. They don't make it clear that this needs to be done and offer basically no guidance. For example so many RSS feeds are blocked on sites that use Cloudflare. These are public resources that are designed to be scraped by bots. Also they are generally reachable so there isn't even a DoS attack risk (unless of course you configure your exception when trying to turn off bot protection for the feed). Even the Cloudflare Blog's RSS feed has this problem, from many IPs I can't even fetch their feed. How can we "be fair to them" when their own blog has this problem. Clearly they need to make doing the right thing easier and more obvious. (or the default)


Scan your computer for malware, using the ESET Online Malware Scanner. Restart your modem and see if your ISP gives you a new IP address.

> Check if you made it here if so, they tell you what naughty thing you did

I did check when this happened and didn’t find anything anywhere for my IP.

> For example so many RSS feeds are blocked on sites that use Cloudflare. These are public resources that are designed to be scraped by bots.

That’s the same issue as with podcasts. I’m more surprised it affected so many random apps on my phone. I guess everyone relies on Cloudflare for hosting anything nowadays.

> Scan your computer for malware […].

I log network and DNS requests. Nothing out of the ordinary.

> Restart your modem and see if your ISP gives you a new IP address.

My ISP reissues the same IP address until they eventually reboot the equipment on their end. I’d have to switch ISP to get a different IP.


For what it's worth, that's not what the bandwidth alliance is at all. It's just about lowering or eliminating data transfer costs between providers like AWS and Cloudflare. Nothing to do with sharing of IP Reputation or anything


This happened to me about three months ago. It lasted for a little over a week and then just went away. It was super annoying! Cloudflare has too much power!!


> See the discussion with the CEO of Cloudflare on Hacker News:

Unless I missed something, all that is said in that is that of the bot was hosted on the platform of the partner, they would notify that partner to try to shut it down. (Basically just an automated abuse complaint)

"If the infrastructure provider hosting the bot is part of the Bandwidth Alliance, we’ll share the bot’s IP address so they can shutdown the bot completely"

Shouldn't apply to you at all since the bandwidth alliance doesn't include residential ISPs, and that was just about shutting down abusers. It looks like the CEO of CF responded too saying they never went ahead with it anyway. Thanks for responding and your article!


If your ISP uses CG-NAT your IP address is shared with several other end users. This can cause cloudflare to be a little less than welcoming towards you as well.

Discussions also happens elsewhere! Read and participate in 2 external discussions (385 comments).