Is cloudflare a part of Avast Internet Security?

[Somethngcreative]

Hi,

Today I noticed that my Malwarebytes blocked two IP addresses which are: 199.27.135.184 and 141.101.124.185.

I found it weird that it was blocking an IP adress because I wasn't visiting any websites, and when I looked up the IP address on reversedns they were both linked to a company called "cloudlflare" which, I found upon research, is a cloud based computer security company. That got me thinking.. avast internet security is the only program that I have that is cloud based.

Anyways was it an FP by malwarebtes or something else?

Thanks!

[CraigB]

Im getting this same alert on both of my systems when browsing the web, it doesn't have anything to do with the avast program though as one of my systems runs a different AV for testing.

[AdrianH]

http://en.wikipedia.org/wiki/CloudFlare

It is a Content Delivery Network (CDN) used by sites and forums to provide both security and faster page loading . Many admins use similar systems, Google is another provider.

[CraigB]

The issue has been brought to the attention on the MBAM forum http://forums.malwarebytes.org/index.php?showtopic=108447
I'll be interested to know which forums or system services are using this cloudflare

[polonus]

This issue can be because of rate limiting or blocking from the hosting provider or abuse on the same C-block, because of spamming from e.g. ncbuy dot com (so-called Pharmalert abuse) and is in hpHosts Online database, all traced via honeypots,

polonus

[Somethngcreative]

Thanks guys, I was worried that I was the only one getting it. Kinda interesting though so I will definitely keep track of it.

[CraigB]

The issue has been brought to the attention on the MBAM forum http://forums.malwarebytes.org/index.php?showtopic=108447
I'll be interested to know which forums or system services are using this cloudflare

A second thread running at MBAM forum with a little more information http://forums.malwarebytes.org/index.php?showtopic=108496

[iroc9555]

I'll be interested to know which forums or system services are using this cloudflare

I haven't got any alerts from MBAM yet. I don't kown if you have seen its hosting provider list.

-https://www.cloudflare.com/hosting-partners

EDIT: Ok when I looked for the site above I did not get any alert from MBAM. Now clicking the above URL I get a malicious IP 173.245.60.250

[polonus]

Hi folks,

Users that reported here also get problems going here? : htxp://forums.radioreference.com/
This site is also being reported for these issues at the MBAM forum,

polonus

[CraigB]

Latest update from MysteryFCM ( moderator on the MBAM forum )

I'm still awaiting a response from CloudFlare.
 
The reason is due to CloudFlare providing routing for malicious domains, and telling me until recently, they weren't going to deal with them (seem to have changed their mind a couple days ago, and despite being given evidence of a few cases, have still not replied since 00:56 10/04/2012 - I've since sent an e-mail asking for an update).



At least im glad that malwarebytes are blocking this mob, there ip protection certainly works well.

[polonus]

Hi craigb,

The DNS-service that CloudFlare offers is also interesting for malversants to abuse and there in short you have the culprit of the problem that MBAM tries to tackle here,

polonus

[sperril]

A lot of people are seeing this issue if they are running a browser with AdBlock installed on it.  One of the most popular filters for AdBlock is "Fanboy's List."  AdBlock periodically updates the lists on it's own.  This particular list update goes through Cloudflare.  That's why it seems to pop up randomly when browsing.  It's not the sites that are being blocked.  It's the browser itself.

There are many filter lists available for AdBlock.  Choose a different one and it will solve this problem.  (If that's where your problem is coming from anyway.)

[CraigB]

A lot of people are seeing this issue if they are running a browser with AdBlock installed on it.  One of the most popular filters for AdBlock is "Fanboy's List."  AdBlock periodically updates the lists on it's own.  This particular list update goes through Cloudflare.  That's why it seems to pop up randomly when browsing.  It's not the sites that are being blocked.  It's the browser itself.

There are many filter lists available for AdBlock.  Choose a different one and it will solve this problem.  (If that's where your problem is coming from anyway.)

It's alot more complicated than simply turning off adblock, turning of adblock ( Fanboy list ) may stop some of the warnings but not all - read below for the latest

Posted by Malwarebytes root admin
tedivm

Hey guys, I just wanted to step in here for a second and kind of summarize things so far, as well as give you guys an idea of what's going on behind the scenes.
 
This is a very, very tough situation. On the one hand we have a a group of websites, hosted through CloudFlare, that are actively pushing drive by exploits. What this means is that people who go to those sites are getting exploited and potentially have no idea of knowing this. On the other hand we have a lot of innocent websites which are doing nothing wrong, but are caught in the cross fire.
 
This is a situation we have some experience with. We at Malwarebytes use Edgecast for content delivery- a service somewhat similar to CloudFlare, in that they distribute our main page to various nodes all over the world for easier delivery. We also use a multitude of other CDNs for delving updates- and sometimes they get blocked and we're caught in the crossfire as well. Its a sucky situation.
 
Of course, we're also on the other side of this- we do the blocking when we need to. What most people don't see is the huge amount of effort we do to keep people from being blocked. The vast majority of people pushing malware out do so without knowing or intending to- something as simple as an outdated wordpress install can be the vector which an innocent site gets used to push malware. We also know that a lot of people use CDN's or shared hosts, so blocking one site could mean blocking far more.
 
We work with a lot of CDN's and webhosts to keep them off blacklists- and we always email the abuse teams before adding them. Nine times our of ten the malware gets removed within hours or our email, and no blacklisting is required. Unfortunately there are cases were simply removing the malware isn't enough- not all websites are innocent. Some people are actually pushing the malware on purpose, so when the third party host (such as the CDN or shared web host) remove the offending URL, the people running the site simply change the URL being used. In this case we try to work with the providers to fix the issue, but if it is unable to happen we blacklist the URL.
 
Now, I want to be very clear about something- we do not blacklist information. We are not censors- knowing how to make malware is not in itself a bad thing. If it wasn't for people learning these skills, we wouldn't have researchers protecting our users. We will not block someone just for posting information. We won't even block people for hosting malware if they're doing it safely. The thing we block is people hosting active exploits or active malware that will infect users without their knowledge.
 
Unfortunately this CloudFlare situation has escalated further than I think anyone intended. We have a lot of respect for CloudFlare- I met Matt at DefCon last year, where he gave a fantastic talk about dealing with the Slowloris attack, as well as the challenges of hosting an activist group like Lulsec. I feel a lot of what's going on right now is more miscommunication than anything, but from my understanding Marcin and Matt are now in direct contact and this should be resolved soon.
 
I know this is not an ideal situation, but I assure you everyone involved is doing what they feel is right to protect their users and there is no malicious intent here. We're working as quickly as we can to get this current issue resolved, and I'm hoping this will be a learning experience for future issues. We'll have an update as with more information soon.


Robert Hafner
 Vice President of Information Technologies