Account takeover detections
Using the detection IDs below, you can detect and mitigate account takeover attacks. You can monitor the number of login requests for a given software and network combination, as well as the percentage of login errors. When either reaches a suspicious level, you can prevent these attacks by using custom rules, rate limiting rules, and Workers.
| Detection ID | Description |
| --- | --- |
| 201326592 | Observes all login failures to the zone. |
| 201326593 | Observes all login traffic to the zone. |
| 201326598 | Sets a dynamic threshold based on the normal traffic that is unique to the zone. |
When the ID matches a login failure, Bot Management sets the bot score to 29 and uses anomaly detection as its score source.
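The monitoring described in the introduction, as an added example that is not Cloudflare's code: it groups login events by software (JA4 fingerprint) and network (ASN) using the two detection IDs from the table, then flags combinations with both high volume and a high percentage of failed logins. The record fields `ja4`, `asn` and `detectionIds`, the sample events and the thresholds are assumptions made for illustration.

```javascript
// Added example. Field names, thresholds and sample data are assumptions.
const LOGIN_FAILURE_ID = 201326592; // "Observes all login failures to the zone."
const LOGIN_TRAFFIC_ID = 201326593; // "Observes all login traffic to the zone."

// Aggregate login events per software (JA4) + network (ASN) combination.
function summarizeLogins(events) {
  const groups = new Map();
  for (const ev of events) {
    const ids = new Set(ev.detectionIds || []);
    // Count a request as a login if either login detection ID matched.
    if (!ids.has(LOGIN_TRAFFIC_ID) && !ids.has(LOGIN_FAILURE_ID)) continue;
    const key = `${ev.ja4}|AS${ev.asn}`;
    const g = groups.get(key) || { key, logins: 0, failures: 0 };
    g.logins += 1;
    if (ids.has(LOGIN_FAILURE_ID)) g.failures += 1;
    groups.set(key, g);
  }
  return [...groups.values()].map((g) => ({
    ...g,
    failureRate: g.failures / g.logins,
  }));
}

// Flag combinations with enough volume AND a high share of failed logins,
// so a single mistyped password from a quiet client is not reported.
function flagSuspicious(events, { minLogins = 5, minFailureRate = 0.8 } = {}) {
  return summarizeLogins(events)
    .filter((g) => g.logins >= minLogins && g.failureRate >= minFailureRate)
    .sort((a, b) => b.failures - a.failures);
}

// Constructed sample window (ASNs are from the documentation range).
function sampleEvents() {
  const ev = (ja4, asn, detectionIds) => ({ ja4, asn, detectionIds });
  const out = [];
  for (let i = 0; i < 9; i++) {
    out.push(ev("ja4-sample-A", 64500, [LOGIN_TRAFFIC_ID, LOGIN_FAILURE_ID]));
  }
  out.push(ev("ja4-sample-A", 64500, [LOGIN_TRAFFIC_ID]));
  for (let i = 0; i < 6; i++) out.push(ev("ja4-sample-B", 64501, [LOGIN_TRAFFIC_ID]));
  out.push(ev("ja4-sample-B", 64501, [LOGIN_TRAFFIC_ID, LOGIN_FAILURE_ID]));
  out.push(ev("ja4-sample-B", 64501, [])); // not a login request, ignored
  return out;
}

console.log(flagSuspicious(sampleEvents()));
```

A flagged combination is a candidate for a custom rule or rate limiting rule scoped to that fingerprint and network, as described in the sections that follow.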
Cloudflare's Managed Challenge can limit brute-force attacks on your login endpoints.
To access account takeover detections:
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > WAF.
- Under Custom rules, select Create rule.
- Fill out the form using Bot Detection IDs along with other necessary information.
- Select Save as draft to return to the rule later, or Deploy to deploy the rule.
Rate limiting rules can limit the number of logins from a particular IP, JA4 fingerprint, or country.
To use rate limiting rules with account takeover detections:
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > WAF.
- Under Rate limiting rules, select Create rule.
- Fill out the form using the Custom expression builder and `cf.bot_management_detection_ids` along with other necessary information.
- Select Save as draft to return to the rule later, or Deploy to deploy the rule.
