What do the items in Cloudflare's analytics mean?

Types of Threats

Here is an overview of what each type of threat means:

Botnet Zombie: Computers that appear to be infected with a virus and are doing something like sending email spam

Rule Breaker: Automated crawler that doesn't appear to follow robots.txt and other rules

Email Harvester: Steals email addresses from websites

Web Spammer: Seen posting comment/blog spam

Exploit Hacker: Seen attempting exploits

It is possible that a threat could fall into multiple buckets (for example, most exploit hackers are also botnet zombies).

The list is in approximate order of severity, with exploit hacker being the most severe. So, if you're a web spammer and an exploit hacker, then Cloudflare lists you as an exploit hacker.

What should I focus on? Are some things more important than others?

Cloudflare shows "high priority" alerts for the things that are worth worrying about. These have a little "!" symbol. Generally, these high priority alerts will fall into one of two buckets:

A. Visitors whom Cloudflare blocked but who passed the CAPTCHA and left you a message requesting to be permanently whitelisted

B. Visitors who were listed as threats in Cloudflare's global system but whom your security settings allowed to get through

What's the meaning behind Threat Scores?

Threat scores are an approximation of how bad something is within the particular category. They are theoretically infinite but logarithmic, so in practice you won't see anything over about 100. A threat score above 10 is already getting pretty bad. If it's in the 50s, it's really bad.

HIGH - Anything >0

MEDIUM - Anything >8

LOW - Anything >15

ESSENTIALLY OFF - Anything >25

Do I have to block visitors every time that I log in?

No, definitely not. Generally, you can just let the system run and do its thing. If you hear complaints from users that they're being challenged, you can go in and trust them. If something gets through that we should have stopped, you can block it. But, generally, you can just leave the system alone and it'll do its thing.

Blocking or Trusting Visitors

If you BLOCK/TRUST a visitor in the Firewall app, it does two things:

A. It allows you to override Cloudflare's global behavior (trusting people Cloudflare thinks are bad but you know are not, or blocking visitors permanently)

B. It teaches the system to help us refine the global system (fixing false positives and adding new threats we didn't detect in another way)

