I've just spent a couple of weeks in Taiwan - this verification happens every few minutes (iPhone) unless I constantly interact with this forum. Just stopping for a couple of minutes to read a post, or do something else, and the verification comes back.

Most of the time, after a few seconds, it verifies itself, but every few times it'll ask me to tick a box which somehow comprehensively proves I'm a real person.

Now I'm back in Europe, I'm getting this issue on my laptop (although I rarely need to tick the box). I don't understand why it can't be turned off for people logged in who have been members for a while, or at least whitelist an IP address for more than a few minutes.

The Cloudflare block/popup happens at the network infrastructure layer -- completely independently of what happens on the site. The two are in n:o way connected.

Well, it's still annoying 😁

It does not mean that you cannot pass a token, have Cloudflare verify it, and skip captcha if it's fine.

There is clearly a cloudflare configuration problem for Flyertalk. Currently in Germany, it is extremely intrusive unless I VPN to the UK or US. Consequently, I am accessing FT much less than usual. It’s completely frustrating. And where is the official feedback on our complaints? Is this forum just for venting or does FT even take note and attend to issues?

Does every Flyertalker get the Cloudflare check or is it only for the chosen few?
After a while of it automatically checking me out and letting me in I had to tick the box again this morning. Always use the same computer,browser IP Address.

Maybe cost cutting related on Cloudflare’s side?

https://www.reddit.com/r/Layoffs/s/0qSDNt75wM

Considering they've not fixed the "[ARG:6 UNDEFINED]" issue which started years ago, I would have to assume "no" answers your question. At least, it's not a priority.

The cloudflare is to protect FT and pretty much an existential issue. 'ARG undefined' shows up because the vb plugin used for the like function is outdated and needs to be replaced entirely.

The impacts of anything announced in the last few days wouldn't be having any operational impact to cloudflare services now.

Internet Brands have taken a pretty standard Cloudflare control against bots and other automated attacks and turned the paranoia dial up from the standard setting to somewhere close to maximum. I assume the same control applies to other IB fora as well. The software the fora are based on is pretty useless at defending itself, the authentication mechanism is built for a different decade.

Whilst we can all debate whether they have got the right balance between defence and service continuity, noting that the best security is invisible to the end user, there probably are some hard choices at play here between keep the fora up and running or suffering the consequences of denial of service and the possibility of personal information disclosure. We also remember that we use this service for "free", and whilst IB are not a charity and they get ad revenue from our clicks, the T&C's don't make much commitment to anyone wanting to use the service....

The difficulty is that any organisation who is defending itself against attacks has an extraordinary difficult position to make meaningful public statements to it's customers without disclosing useful information to attackers or litigants. So whilst an IB staffer has made some comments upthread, it's probably hard for them to say much morethan has already been said.

on PRG hotel wifi; getting about a three-second Cloudflare delay pretty much every time I go to a new forum (airline, hotel, TravelBuzz, etc) … yeah it’s a nuisance, but not worth ranting at IB :rolleyes:

Cloudflare has been coming up for me consistently unless my IP is from the US. Highly annoying.

Cloudfare annoyance in Singapore, Thailand and Hong Kong too from my recent travels. Awful.

I just typed a lengthy review of a hotel and posted it, only to be redirected to the Cloudfare thingy. I jumped the hoop, only to have the review disappear. I'd have been exceptionally unhappy if I hadn't copied the review first. I certainly wouldn't have been writing it again.

Brazil, Argentina, Guatemala, Costa Rica, and Thailand for me so far - though, last year, I also had it in Singapore when it seemed less widespread - it’s horrible when it causes my photo uploads to fail when it needs to reverify. On US data roaming, it doesn’t pop up, but I’m not going to upload my photos while roaming.

Basically unless you're in the US or UK, Cloudflare thinks you're a hacker. Because there are no hackers or bots in the US and UK.

I am based in Singapore and encounter Cloud Flare verification every single time I go to FT.

I've had this sort of thing happen as well. it is M:mad:ST annoying. I feel your pain as I'm often not smart enough to remember to copy first..

This has happened to me twice today when trying to post a quick reply. This is very annoying! Can the admin fix it?

I think it is clear by now that either the IB staff don't care and are happy for the current situation to continue, or they are completely incompetent and unable to fix the problem.

The current situation is that if we lift the security settings, the site goes down, ya jerk.

It does make you wonder who this prolonged would get a kick out of trying to take down a site like this? Lufthansa being unhappy with the harshness of the tone?

(I know one should not look for reason, as it is probably just because they can)

What we know for sure is that whoever is behind the botnet is vehemently against using US based computers to attack the site.

This must be one of the most prolonged and heavily targeted attacks on any one site in the history of the internet. But with attackers who haven’t been smart enough to realise they can get past the protections if they just use a UK or US internet connection, since those have been allowed to skip these Cloudflare security protections entirely.

Would love to know who or what’s behind it.

It's remarkable then that every other site I visit on the internet seems to be able to overcome this problem.

Is there something that the attackers are doing that is unique to IB?

UK is not bypassing completely, I still get Cloudflare prompts from time to time these days in London.

Not all of the U.S. is "safe" either, including the CNMI and perhaps Guam. :rolleyes:

Its not only an occasional DDOS attack but bots are systematically

- scraping/harvesting forums like FT for information for their AI models
- signing up spam accounts
- bruteforcing the ancient vb login to gain access to the member accounts

FT and other IB sites look at where most of their traffic comes from (one must presume US&UK) their first WAF rule on cloudflare is a strict Geo-block (block any country you or your users don't live or travel to) to instantly kill 90% of the garbage.

https://developers.cloudflare.com/wa...-access-rules/

https://developers.cloudflare.com/waf/

So our good content are in our PM inboxs and AI needs access...our public posts are garbage...

Geo-blocking seems to be the latest security fad. At least flyertalk has a way to get through and it isn’t just blocking outright. Many UK sites and apps are now blocking any non-UK traffic. I’ve even seen it in restaurants with QR code ordering where it blocks people using a phone from another country. Obviously whoever configured it didn’t think about tourists or expats.

The bots don't know what's what, they just want everything

I'm stunned any member would think it acceptable to call another member a "jerk", let alone an administrator.

FWIW, I often get the Cloudflare p:opup when at home in the US.

The other challenge is uploading, or viewing uploaded images e.g. https://www.flyertalk.com/forum/37787907-post10.html

I appreciate admins' team are doing their best in a situation not necessarily of their control but this is an ongoing impairment to functionality

We are going through and starting to whitelist countries. I started with Germany. Please let me know your country of access (here or via PM if you prefer more anonymity). Please note we can't do Hong Kong yet. I know that's a sticking point.

I'd like to also give you all a look at what we're trying to avoid here: https://www.fitday.com/fitness/forums/
I know the Cloudflare issue is extremely irritating, but that site is now functionally unusable. It's a low revenue/priority site, so it didn't receive the same protections as FT. It has HUNDREDS of pages THREAD LISTINGS of spam. Every subforum.

Thank you for your guys' efforts. Connect from Japan mostly.

I live in the Commonwealth of the Northern Mariana Islands (the CNMI) in the western Pacific, about 125 miles north of Guam (another U.S. territory).

Thank you, Netherlands is usually where I'm browsing from.

Japan, Northern Mariana Islands, Guam, and Netherlands have been whitelisted

Thank you! :tu: :cool: 🎶 🌴 :star: :) 🇬🇺 🇺🇳

I noticed the lack of Cloudflare when opening my "favorite" cell phone bookmark this morning, and immediately came over to this thread to verify my positive suspicions. :D :tu: