Re: Captchas on Cloudflare-Proxied Sites

[Mike Hammett via NANOG <nanog () lists nanog org>]

Another example of the broken security space. The security vendor points at the tech-incapable customer. The 
tech-incapable customer points right back at the security vendor. Wash. Rinse. Repeat.



----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 


----- Original Message -----
From: "Johannes Müller Aguilar via NANOG" <nanog () lists nanog org>
To: nanog () lists nanog org
Cc: "Johannes Müller Aguilar" <JMuellerAguilar () anexia com>
Sent: Tuesday, July 1, 2025 9:05:16 AM
Subject: Captchas on Cloudflare-Proxied Sites

Hello,

We operate as a cloud service provider, and much of our traffic is indeed—per Cloudflare’s terminology—“bot traffic.”

For about a month, users behind IP addresses we announce have been prompted to solve captchas when accessing 
Cloudflare-proxied sites. When we contacted Cloudflare support, they referred us to their customers (e.g., Stack 
Overflow, OpenAI), but support from those sites directed us back to Cloudflare.

I reviewed Cloudflare Radar but found it limited in actionable insights. We also announce prefixes to Cloudflare where 
the originating AS primarily serves end-users—and where Radar shows over 80% human traffic—yet users still encounter 
captchas, suggesting the issue may be related to our announcing AS.

Has anyone experienced this or found effective ways to resolve it? Any advice or pointers would be greatly appreciated.

Best regards,
Johannes

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/NZO6QF5XSVPPPTZ74P74YWWDEWJ3S7EB/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/GJDCCAF2XZAVE2TBBHIK6IQ4JKOKYYIX/