Introducing the New Cloudflare Remediation Component

On top of the protection offered by the CrowdSec Security Engine itself, all CrowdSec users benefit from a community blocklist generated by the largest CTI in the world. Those blocklists can be easily plugged into your existing infrastructure using the Remediation Components (previously known as Bouncers).

CrowdSec provides easy integration with Remediation Components covering a wide range of use cases and allowing many third-party services to benefit from CrowdSec’s IP reputation — from basic services like iptables and web servers like Nginx to generic IP list distribution via an HTTPS mirror for any firewall appliance (Palo Alto, Fortinet, and more) and SaaS security products like AWS-firewall.

But the focus of this article is none other than the brand new version of CrowdSec Remediation Component for Cloudflare which unlocks new capabilities.

The new Cloudflare remediation component takes advantage of Cloudflare Workers and provides a configuration wizard to effortlessly cover your selected zones and benefit from CrowdSec protection.

What are Cloudflare Workers

Cloudflare Workers provide a serverless execution environment that allows users to create entirely new applications or augment existing ones without configuring or maintaining infrastructure. 

The core idea behind Cloudflare Workers is to run scripts as close as possible to the user, ensuring minimal latency by leveraging Cloudflare's global network. This is particularly beneficial for security applications, where speed and responsiveness are crucial.

How does the CrowdSec Remediation Component take advantage of the Workers feature?

To understand what the Workers bring it’s important to first explain a few things about how the CrowdSec remediation works.

• First, of course, are the IPs that attacked you directly and that the Security Engine blocked
• On top of that is the CrowdSec community blocklist that contains tens of thousands of IPs that are identified as very aggressive and should be remediated.  The list is curated by the CrowdSec expert system, frequently updating the list with new IPs, and removing IPs that ceased their aggressive activity.
• And optionally, through the CrowdSec Console, you can also subscribe to third-party IP lists that contain a large number of IPs. For example, if you want to challenge all inbound traffic from freeProxies, you can subscribe to the relevant blocklist. 

Without Workers, Remediation on Cloudflare was done by updating Cloudflare firewall entries via API call to add or remove IPs. The API calls were limited by quotas and burst rate limits that varied depending on setup. This made the initialization and update of the blocklist slow and sometimes resulted in partial remediation.

With the new Remediation Component for Cloudflare, we are utilizing Workers to quickly update the blocklist via KeyValues storage within Cloudflare and let the Worker apply the necessary remediation based on those values.

This approach offers optimal responsiveness and very low latency, making the remediation process of large sets of IPs easy and faster to handle.

Remediation with the Cloudflare Worker Remediation Component defaults to Challenge mode, a smart balance between security and user access. It greets suspicious visitors with Cloudflare antibot Challenge, filtering out bots while letting real users through.

And if you need stronger measures, you can easily switch to Ban mode, where suspected threats are blocked, conserving resources and reducing false entries. 

Your choice shapes your defense — opt for challenges to accommodate potentially legitimate users on compromised devices, or choose bans for airtight security at the risk of turning away some genuine users. It's about striking the right balance for your site's specific needs.

Important note: this remediation component requires a paid Cloudflare Worker Plan in order to be able to handle the blocklist size and have no hard limit on the Worker usage.

Ready to give it a try?

We encourage you to give the new Cloudflare Remediation Component a try and see for yourself the difference it can make in elevating the security of your website or applications.

Whether it's a success story or suggestions for improvement, your input helps us evolve and better serve the community. So, don’t hesitate to share your feedback with us on Discord and Discourse. Join our vibrant community to share your insights, get tips, and connect with fellow users.

Let's secure the digital world together — one website at a time!