Hi, my website is showing a blank white page, the source code shows the aes.js browser challenge
website: lovebyte.eu.org
ip: 185.27.134.112
volume: vol9_5
subdomain: epizy.com
user: epiz_31611668
— edit — added ip address
7 Likes
You’re not the only one - I’m angry
6 Likes
Ifastnet is probably testing something with the ?i=1 suffix. If you had anything related to aes.js in your Cloudflare page rules, it will affect it. I had the same issue, i fixed it by removing a page rule in the Cloudflare dashboard that was rewriting aes.js file.
7 Likes
You are a genius 
I had forgotten that I had tested an experiment adding a rule to display an image when somebody tried to view the aes.js, I forgot to remove it
Thanks 
7 Likes
anyway IFN should not challenge CF
5 Likes
Yeah i’m stuck with that pesky ?i=1 now 
6 Likes
this topic is probably related - only IFN is to blame
7 Likes
Not only that, but for every custom rule you have on CF,
for example, allow this or that bot, AI bot, etc. now it makes no sense and even worse…it contradicts your rules because they are all under the aes.js challenge
6 Likes
Yeah that it bad news
6 Likes
It does appear that iFastNet changed how the testcookie system interacts when using Cloudflare. IIRC they were incompatible before, so iFastNet made an exception for Cloudflare so it would bypass the testcookie check.
But it appears that iFastNet has now removed this exception and instead fixed the testcookie check so it works with Cloudflare.
iFastNet didn’t communicate about this, so right now we can only speculate why they did this. But I can personally attest that Cloudflare can be astonishingly ineffective at detecting and stopping HTTP floods. It seems likely that iFastNet saw the load that this caused and decided to fix it.
You have to understand that while Cloudflare can be configured to block bots quite effectively, I’m pretty sure the overwhelming majority of users don’t go through the trouble of fine tuning that. Meaning their websites are more susceptible to attack with Cloudflare than without.
I can see how this is bad for you guys because of how fine tuned your setup is. But know that you are the exception, and there are probably good reasons for this change that do not include bullying you personally.
8 Likes
Same here. Their DDoS tool seems to be built to on a delay (I know that’s not true, but it seems like it), hundreds of thousands of requests can go though it before it catches and triggers, this happened on my CF setup with TH awhile back and caused such a spike my hosting provider reached out and essentially asked what the f was going on.
Cloudflare is a good CDN / firewall provider in general, but I think their default DDoS solution needs work (But then again, I know absolutely nothing about its backend so maybe it is the best it can be).
Very annoying that the i GET parameter is back though, would be interested to know if there is a way to bypass it with CF reliably.
5 Likes
I’ve experienced brute force/DDoS attacks where a small number of IPs generated like 1000 times as much traffic as usual. And Cloudflare, even after the fact, said that there was no attack.
Cloudflare’s “DDoS protection” in my experience works best against attacks which are not HTTP, since there is just no way to forward such attacks to the backend server to begin with.
5 Likes
I’ve had success with large amounts from the same IP or ASN getting blocked, but wide-scale attacks from thousands of IPs seems to get detected far to late for it to really be useful.
Of course CF will send me an email every couple of months claiming to have blocked a couple thousand attacks and asking for money, makes me wonder why they can supposedly block small ones but not large ones.
5 Likes
Did you actually purchased Cloudflare Pro and hosted your site on InfinityFree? I’m curious 
I’ve got a strange thing going on with my website now that has never happened before
I have cloudflare ddos protection enabled and the usual behavior is that when I visit my site I sometimes have to tick the I am human box (usually if I hard refresh the page) and this worked on my laptop and mobile phone
But now I find that on the mobile phone I’m in a continuous loop of ticking the box followed by the page reloading the verify I’m human page over and over with my website never appearing
Something is broken 
6 Likes
Yep, this have happened to me before (a lot of times!)
For me, this happens whenever I got slow Internet. I don’t know why this is relevant but switching network works for me
5 Likes
I will try the phone on wifi, thanks
4 Likes
Me too. Yesterday, AES.JS display on my site with few IP but…other is not. I don’t know what’s happening ! I googled about aes.js and found may be there are a guy trying decrypt or encrypt something ? Maybe bitcoin mining ???
Actually the aes.js is used by the servers powering infinityfree as part of their security system to ensure that only web browsers (capable of running javascript and setting cookies) can access the website so its nothing to worry about
I’m using cloudflare protection on my website which was originally exempt from the security test but recently the servers have changed their behavior and with a silly rule I had on cloudflare during testing these two things combined resulting in the aes.js being displayed (in my case)
I have since remove the test code on my cloudflare which has fixed the issue for me
8 Likes
ok now things just got weird
I was looking at my blank template test page on my website and found that the css wasn’t loading
So I pressed ctrl shift r to hard refresh the page but still the css is missing
Next I go to cloudflare dashboard and purge everything in the cache, ctrl shift r the test page but still the css isnt loading
Finally I open the css file in the browser and guess what I see … aes.js !!!
5 Likes