Issues with overzeaulous Neowin's Cloudflare DDoS Protection?

[leonsk29]

Hi. Is anyone else here experiencing issues because of an overzealous Cloudflare DDoS Protection? Since Neowin enabled it, every access to the website is “challenged”. No big deal, I understand that the site needs to protect itself, OK. But the problem is that the filter is just too strict.

Sometimes it challenges me again even after clicking articles from the main page. Comments? Many times, they won’t load (silently), and when I reload the page to fix the issue, there it is: Cloudflare challenge again. Many times, I’m trying to post a comment and it won’t post (also silently). I reload the page, Cloudflare challenge again, and only THEN the comment will be posted. It’s becoming a little too annoying, and I know it isn’t me because all this started since Neowin decided to enable Cloudflare DDoS Protection, which, again, I completely understand, but it’s acting up against legitimate users like me and hurting the site’s quality during browsing sessions.

I guess what I’m trying to ask is: can you guys please relax the filter a little, if that’s even possible? Am I the only one experiencing this?

EDIT: Cloudflare challenge appeared again just after writing this and trying to post it. Why???

[C:Amie]

It might be worth sticking you IP address into a couple of IP reputation checkers to see if something else is going on to cause Cloudflare to be suspicious of your IP or device. 

You could have someone using your WiFi, a compromised IoT device or be sharing a LAN with someone up to mischief during Christmas. This is usually the cause of bring repeatedly challenged. Also check that you didn't forget to disable a VPN service as they let the actions of others dictate your threat appearance. 

 

https://www.ipqualityscore.com/ip-reputation-check

https://www.abuseipdb.com/

[leonsk29]

On 02/01/2026 at 01:22, C:Amie said:

It might be worth sticking you IP address into a couple of IP reputation checkers to see if something else is going on to cause Cloudflare to be suspicious of your IP or device. 

You could have someone using your WiFi, a compromised IoT device or be sharing a LAN with someone up to mischief during Christmas. This is usually the cause of bring repeatedly challenged. Also check that you didn't forget to disable a VPN service as they let the actions of others dictate your threat appearance. 

 

https://www.ipqualityscore.com/ip-reputation-check

https://www.abuseipdb.com/

Thanks for the reply.

I don't have any of those issues. I don't use a VPN (not for Neowin, anyway), I've checked my ISP's IP reputation and nothing bad comes up, and I run a very clean home network. My machine doesn't have malware, and I'm running up-to-date versions of every software on it, including the OS.

EDIT:  just for trying to post this reply, there it is: Cloudflare challenge, AGAIN. Neowin is the only site that I visit that does that to me, and other websites also use Clouflare's DDoS Protection.

[Brandon H Supervisor]

I know that @Steven P. has had to tighten cloudflare settings due to some recent DDOS activity. I can't say I've been challenged much, though I'm in the US; so maybe it's location/country based that determines how strict/frequent the challenges are or something.

[Steven P. Administrators]

On 02/01/2026 at 16:46, leonsk29 said:

EDIT:  just for trying to post this reply, there it is: Cloudflare challenge, AGAIN. Neowin is the only site that I visit that does that to me, and other websites also use Clouflare's DDoS Protection.

I am based in The Netherlands, and I never get the challenge unless I clear cookies or use a different browser to access Neowin and even then it is a one time thing.

When I was back in the UK I was getting challenged every day on the same device (my Surface Laptop 3) and browser!

I submitted a Cloudflare ticket last week, but I have not heard back yet.

The only thing I can think of with your situation is I am wondering if you have some sort of secure/private DNS, or is an ad blocker doing something with the cookie that Cloudflare is supposed to set or some extension? But yeah if it is only happening here and nowhere else, that seems odd too.

Have you tried to browse Neowin in Incognito/Private mode for a bit to see if the challenge keeps cropping up? (admittedly I did not do this when I was back in the UK, because the challenge only happened once per day).

Mozilla Firefox also has some aggressive privacy options enabled by default now that might be blocking things on the Cloudflare side.

[leonsk29]

On 03/01/2026 at 04:46, Steven P. said:

I am based in The Netherlands, and I never get the challenge unless I clear cookies or use a different browser to access Neowin and even then it is a one time thing.

When I was back in the UK I was getting challenged every day on the same device (my Surface Laptop 3) and browser!

I submitted a Cloudflare ticket last week, but I have not heard back yet.

The only thing I can think of with your situation is I am wondering if you have some sort of secure/private DNS, or is an ad blocker doing something with the cookie that Cloudflare is supposed to set or some extension? But yeah if it is only happening here and nowhere else, that seems odd too.

Have you tried to browse Neowin in Incognito/Private mode for a bit to see if the challenge keeps cropping up? (admittedly I did not do this when I was back in the UK, because the challenge only happened once per day).

Mozilla Firefox also has some aggressive privacy options enabled by default now that might be blocking things on the Cloudflare side.

Thanks for the reply. I'm using Edge with DoH enabled, but that's it, and that's DNS-related, so it shouldn't have any impact on the browsing itself.

Many websites use Cloudflare DDoS Protection, but this only happens to me when visiting Neowin. I hope Cloudflare gets back to you about that ticket.

EDIT: I was challenged AGAIN when trying to post this, and it took me literally 30 seconds to write it, meaning that in those 30 seconds between my first visit (I was challenged, of course) and posting moment (challenged again), Cloudflare interpreted that I was a bot for some reason! 🙄

[fintechfooty]

I've only gotten the challenge once and that was on my phone with no VPN. On my PC which I'm using to type this, I'm using ProtonVPN with nine reports on abuseipdb.com (none in the past two months) but no capcha on Neowin. Funny enough I did get a captcha when I accessed the link thru C:Amie's post above. 

Also I just noticed Firefox mentioned on Steven's post and I'm using it right now. I have Adguard installed on my PC, and Consent-o-Matic and Canvas Blocker extensions on Firefox. I have strict tracking protection, HTTPS-Only Mode enabled. DNS is thru my network is configured at router level and is HTTPS over DNS thru Cloudflare. 

If you have any questions, lmk. 

FYI I disabled my VPN and only got one cloudflare captcha on my first attempt to access Neowin but not when I clicked the comments button or accessed articles. 

 

edit: No VPN, but I got another captcha when I clicked post! That's definitely not normal for me. 

[leonsk29]

On 03/01/2026 at 19:17, fintechfooty said:

I've only gotten the challenge once and that was on my phone with no VPN. On my PC which I'm using to type this, I'm using ProtonVPN with nine reports on abuseipdb.com (none in the past two months) but no capcha on Neowin. Funny enough I did get a captcha when I accessed the link thru C:Amie's post above. 

Also I just noticed Firefox mentioned on Steven's post and I'm using it right now. I have Adguard installed on my PC, and Consent-o-Matic and Canvas Blocker extensions on Firefox. I have strict tracking protection, HTTPS-Only Mode enabled. DNS is thru my network is configured at router level and is HTTPS over DNS thru Cloudflare. 

If you have any questions, lmk. 

FYI I disabled my VPN and only got one cloudflare captcha on my first attempt to access Neowin but not when I clicked the comments button or accessed articles. 

 

edit: No VPN, but I got another captcha when I clicked post! That's definitely not normal for me. 

I don't get that many captchas, only the "Verifying" spinner thingy, but it's EVERY damn time I try to enter Neowin, sometimes trying to open an article from there, or trying to post comments, or trying to load the comments section. And it only happens here, other websites also use Cloudflare DDoS Protection but none of this happens on those.

I use the latest version of Edge on the latest version of Windows 11, everything is up-to-date, DoH enabled, HTTPS enforcement enabled, a standard ad-blocker and strict tracking protection enabled. No VPN, (at least not for Neowin). I've checked my IP's reputation and nothing shady comes up, it's clean. It's not this machine since it happens on others, too, more or less frequently. Microsoft Defender is up-to-date and enabled, too, along with UEFI and Secure Boot. I don't have a TPM but I'll assume that's not the problem, Cloudflare wouldn't go THAT far, I imagine, and I'm pretty sure that JavaScript code running sandboxed inside a web browser can't access that info anyway.

EDIT: what do you know, tried to post this, Cloudflare challenge, AGAIN.

[neufuse Veteran]

could IPv6 have anything to do with it? when I disable IPv6 I don't get the verifying you are human pages... but turn it on and every time I do anything there it is......

[fintechfooty]

On 03/01/2026 at 17:38, leonsk29 said:

I don't get that many captchas, only the "Verifying" spinner thingy, but it's EVERY damn time I try to enter Neowin, sometimes trying to open an article from there, or trying to post comments, or trying to load the comments section. And it only happens here, other websites also use Cloudflare DDoS Protection but none of this happens on those.

I use the latest version of Edge on the latest version of Windows 11, everything is up-to-date, DoH enabled, HTTPS enforcement enabled, a standard ad-blocker and strict tracking protection enabled. No VPN, (at least not for Neowin). I've checked my IP's reputation and nothing shady comes up, it's clean. It's not this machine since it happens on others, too, more or less frequently. Microsoft Defender is up-to-date and enabled, too, along with UEFI and Secure Boot. I don't have a TPM but I'll assume that's not the problem, Cloudflare wouldn't go THAT far, I imagine, and I'm pretty sure that JavaScript code running sandboxed inside a web browser can't access that info anyway.

EDIT: what do you know, tried to post this, Cloudflare challenge, AGAIN.

i gotcha. still though, i generally only get a captcha on the first visit to Neowin. ^this ipv6 thing might be worth checking out. hope everything resolves quickly for you. 🙂

[Raa]

I've never seen the Cloudflare challenge - in fact I'm yet to see any existence of Cloudflare on this site.

Not saying it isn't present - just that it's been completely transparent to me.

Another website I use I do see Cloudflare interaction (which lasts momentarily before disappearing) reasonably often, but it has never caused an interruption on my desktop. My mobile it has - simply to verify i'm a human and off I go. (Confirmed DDOS protection)

If you are seeing this repeatedly, there is something that either you, your computer, or your network are doing. Perhaps you are on CG-NAT, this will definitely trigger the prompt. (My mobile, when I am away from home, does this due to the carrier's use of CG-NAT on mobile networks)

[Steven P. Administrators]

On 05/01/2026 at 01:10, neufuse said:

could IPv6 have anything to do with it? when I disable IPv6 I don't get the verifying you are human pages... but turn it on and every time I do anything there it is......

Yes! My parents only have IPV6 and I was being challenged every day back in the UK. 

I found this topic, which suggests that the geo location of the IPV6 address could be incorrect and why it is flagging https://community.cloudflare.com/t/problem-accessing-sites-secured-by-cloudflare-with-ipv6/262108 more reading (wrong geo) 

You can check neowin by using this URL https://www.neowin.net/cdn-cgi/trace

I still have not gotten a reply from Cloudflare on my ticket, seems they aren't very good with support (we're on a Pro plan).

[cork1958]

FWIW, I was here earlier using current version of Edge and got the Cloufare thing 1 time and I was in. Just now tried coming back here in Edge and can't get past the Cloudfare thing. Tried verifying 10 times and couldn't get past it. Tried in Firefox now and got the verifying thing once and now here I am.

First time that's happened in Edge, which is what I usually use when coming here, as Neowin just seems faster using it over Firefox. 

Edit: Just tried coming here using the Helium browser and no issues with it either.

Edit 2: Tried coming back using Edge now and didn't even get the Cloudfare thing

I am using Nordvpn atm also.

[leonsk29]

On 04/01/2026 at 19:10, neufuse said:

could IPv6 have anything to do with it? when I disable IPv6 I don't get the verifying you are human pages... but turn it on and every time I do anything there it is......

My ISP doesn't use IPv6, so no. Or are you actually referring to disabling IPv6 on the NIC's properties?

On 04/01/2026 at 23:09, Raa said:

I've never seen the Cloudflare challenge - in fact I'm yet to see any existence of Cloudflare on this site.

Not saying it isn't present - just that it's been completely transparent to me.

Another website I use I do see Cloudflare interaction (which lasts momentarily before disappearing) reasonably often, but it has never caused an interruption on my desktop. My mobile it has - simply to verify i'm a human and off I go. (Confirmed DDOS protection)

If you are seeing this repeatedly, there is something that either you, your computer, or your network are doing. Perhaps you are on CG-NAT, this will definitely trigger the prompt. (My mobile, when I am away from home, does this due to the carrier's use of CG-NAT on mobile networks)

I am behind CG-NAT, yes, but that doesn't trigger the Cloudflare challenge anywhere else, just here, so I don't think that's the issue.

[leonsk29]

On 05/01/2026 at 11:17, cork1958 said:

FWIW, I was here earlier using current version of Edge and got the Cloufare thing 1 time and I was in. Just now tried coming back here in Edge and can't get past the Cloudfare thing. Tried verifying 10 times and couldn't get past it. Tried in Firefox now and got the verifying thing once and now here I am.

First time that's happened in Edge, which is what I usually use when coming here, as Neowin just seems faster using it over Firefox. 

Edit: Just tried coming here using the Helium browser and no issues with it either.

Edit 2: Tried coming back using Edge now and didn't even get the Cloudfare thing

I am using Nordvpn atm also.

Mmm, maybe it's an Edge thing, since I use Edge on both my desktop and my phone and on every other computer. I'll try to use Firefox to see if anything changes. Thanks. But that doesn't explain why the challenge isn't being triggered on other websites, though...

[cork1958]

On 05/01/2026 at 12:25, leonsk29 said:

Mmm, maybe it's an Edge thing, since I use Edge on both my desktop and my phone and on every other computer. I'll try to use Firefox to see if anything changes. Thanks. But that doesn't explain why the challenge isn't being triggered on other websites, though...

Since I posted that, and as my edit 2 says, I've been able to load Neowin using Edge and in fact, haven't seen the Cloudfare thing once since. I have closed and re-opened Edge a few times also and just surfed around other sites and then came back here and still no Cloudfare.

Whatever triggered the issue I had for a minute must've just been a weird fluke thing, I guess?

Another FWIW is I'm not seeing that Cloudfare thing at all using the Helium browser now either.

Edited January 5 by cork1958

[Raa]

Interesting. Turns out my IPv6 had disabled itself on the ISP side, so I had fallen "back" to IPv4.

Fixed that up and tested IPv6 working correctly. Instantly hit with Cloudflare verification on Neowin. It automatically passed in this case.

I might force Neowin to stick to IPv4

[Steven P. Administrators]

I was not challenged on my laptop this morning with IPV6 enabled. (I manually disabled IPV4 in the adapter).

Back in the UK I was being challenged every day on the same laptop with a IPv6 only connection, but not here at home in The Netherlands.

[Steven P. Administrators]

BTW I am getting it multiple times a day too on my main PC now that I enabled IPv6 in my ISP router. Annoying to say the least. @DaveLegghas a support ticket open, I believe @leonsk29is helping with identifying the issue too.

[neufuse Veteran]

On 12/01/2026 at 07:18, Steven P. said:

BTW I am getting it multiple times a day too on my main PC now that I enabled IPv6 in my ISP router. Annoying to say the least. @DaveLegghas a support ticket open, I believe @leonsk29is helping with identifying the issue too.

It's interesting this is happening here, we us cloudflare with the WAF and a LOT of the OWASP and other rules turned on and I don't see it on our web farm at all with IPv4 or IPv6... did you ever look up any of the ray-id's in their even log to see exactly why it's being triggered?

[Slugsie]

It's almost every other time I refresh the home page. I've even had it happen when I'm replying to a post and it's loading the post I'm replying to in the message editor. I had to confirm I was human within the iframe (or whatever is used, maybe just a div) that the previous message was being loaded.

Annoying, but at least it's just a tick box and not a full on Captcha.

[DaveLegg Developer]

We've made some changes on our end which now mean we can make the challenge rules on Cloudflare's side less strict. It was never our intention to be challenging users as regularly as you've been experiencing - the setting for that on Cloudflare is set to rechallenge after 30 days. Despite long conversations with support at Cloudflare, we've been unable to get that resolved, so we've now implemented our own solution to the root problem we were trying to resolve with the challenge from Cloudflare. That was rolled out a few minutes ago, and the challenge has been disabled. Cloudflare will now only challenge traffic it believes is behaving like a bot.

[+DoctorD Subscriber²]

I had an odd issue with it where I could not access the site until I cleared all the cookies 

[leonsk29]

On 07/02/2026 at 14:33, DaveLegg said:

We've made some changes on our end which now mean we can make the challenge rules on Cloudflare's side less strict. It was never our intention to be challenging users as regularly as you've been experiencing - the setting for that on Cloudflare is set to rechallenge after 30 days. Despite long conversations with support at Cloudflare, we've been unable to get that resolved, so we've now implemented our own solution to the root problem we were trying to resolve with the challenge from Cloudflare. That was rolled out a few minutes ago, and the challenge has been disabled. Cloudflare will now only challenge traffic it believes is behaving like a bot.

Thanks!

[leonsk29]

I can confirm that after a few days of visiting and posting on Neowin, the problem (at least from a visitor's POV) is solved. No more Cloudflare challenges every 10 seconds for me. Thanks again.