Originally Posted by plunet
Let's add some context here.
The forum software isn't the greatest at defending itself against malicious activity. A few years ago it used to have significant outages due to IB being hit by DDOS attacks, either Flyertalk or maybe to another of their forum sites, but the collateral damage was to cause outages on Flyertalk.
Cloudflare is arguably one of the best platforms to deal with DDOS attacks as well as general web hygiene. IB have probably made a considerable investment in using Cloudflare to defend their forums. And we enjoy that as a "free" service albeit with some ads.
We should note that the authentication layer that the forums have is quite primitive compared to modern standards. Could IB move to something better? Probably, but at the risk that they're now customising the forum infrastructure at the peril that they make future upgrades much more difficult. So they are broadly stuck with the off-the-shelf authentication service, which is sub-optimal.
So they're using Cloudflare with broadly the paranoia config dials to defend the forums turned up towards maximum. So source IP addresses like that of the hotel in Singapore that are probably medium risk in most situations get elevated to a higher risk level and get the annoying captchas more frequently. This keeps the site defended from DDOS and the worst of the script kiddies and spam out of the forums.
As in many situations there's no perfect solution, the medicine to defend against risks carries some compromises. The best infosec measures are transparent to users and ideally there would be no captchas or block messages, but that's not always possible when risks are too elevated. IB are damned if they do, and damned if they don't.
YMMV. Hope that's useful.
Well said. I use Cloudflare and am quite happy with their service - far from garbage.
The better question is why are certain networks being flagged. Begs the question of what is running on those networks (intentionally or otherwise).