Have you configured your server to only accept connections from Cloudflare IP addresses?

Everything is as it should be, as far as I know.

I've had blocks on half of Europe since the GDPR went into effect and have had no issues with that. Now that it's come up, I realize I don't recall getting any Adsense clicks from any of those countries.

My question is if your server responds only to requests coming from these IP addresses [cloudflare.com...]

People could be bypassing Cloudflare altogether if your server accepts connections from everyone.

I've had blocks on half of Europe since the GDPR went into effect

Why "half" ?

Freitasm, my nameservers are pointing to Cloudflare.

Is that not how it works? I mean, in order to make use of Cloudflare.

'or am I missing something?

Dmitri, it's not literal.

I'm blocking the 20 some odd countries affected by it, along with a dozen trouble-making other countries who are always trying to cause trouble with my site(s).

Most Counties provide a fraction of a percentile of traffic for me.

@PickWick

If you want protection in addition to performance, there are more things to do than simply use the Cloudflare DNS. Anyone who knows your server IP address can connect directly to it - that's how name resolution works.

For effective protection, you would complete some tasks on your side:

1. Network firewall would allow only incoming traffic from the Cloudflare IP addresses to go through
2. Your server configuration would only accept incoming connections from Cloudflare IP addresses, thus making it invisible to direct connections
3. Use the authenticated origin pull option and only accept connections from Cloudflare servers who present you a specific security certificate.

These are listed in order of difficulty to implement but they guarantee only Cloudflare servers will access your content and proxy it, preventing direct access via IP address to your server.

Obligatory question since this is the Adsense subforum: Sure, your sites are on cloudflare. But do the ads themselves also live on cloudflare's servers? Don’t they typically live elsewhere? (Think, by analogy, of GA reporting visits from IPs that are in fact blocked from your server. They’re not visiting you; they’re visiting GA.)

@Freitasm

If that be the case then I might as well simply cut to the chase and outright block that particular country through my server's firewall.

I'll reach out to the Support right this moment to see their take on all of this. I DO appreciate the enlightenment !

I'll post back. Thanks.

@Freitasm,

Just to append my latest response. I've got numerous firewall rules (not by my own original hand) which I guess implies that no, CloudFlare doesn't have full control then. Many for the sake of preventing all the numerous sorts of attacks one might be susceptible to. But then, at the same time, I've got Wordfence working as well to do much of the same thing, I guess.

Which ones might be redundant doesn't bother me too much since I've done quite well with loads and such.

Waiting right now on a response from Support regarding that other item.

@ lucy24,

But wouldn't that then bring up my question about the ads.txt issue?

Is that methodology susceptible to abuse? I mean, can someone then use my code elsewhere, nonetheless?

While blocking these at the firewall might work ok, using Cloudflare is one piece of the puzzle - the main reasons are to speed up things and to protect your site. Firewalls are ok but some don't do really well in terms of determining location (I am sure the support folks are good but firewalls don't tend to be updated as quickly as Cloudflare and geolocation is a finicky thing that most firewalls don't do well).

The easiest way is to block countries in Cloudflare and make sure your server only responds to Cloudflare. This means a lot of extra configuration is redundant from this point. Always strive to make things simpler.

If someone copies your pages including the ad code and hosts it at a separate location and then points to it with your domainname through a local DNS server, the ads will be recognized by Google as being at your domain and any clicks on those ads (both valid and invalid) will be counted towards your AdSense account. This is because Google serves ads based on the domain name, not on the IP address of the server.

@Freitasm,

Yeah, you're right. Just mentioned the redundancy part to Support and the server load. That is, after he mentioned how the csf wasn't locked down to only let Cloudflare ips through the firewall.

Not that I'm technologically savvy where these things are concerned...still a neubie after all these years.

BUT, your input's helped me greatly today. Will do a test run with these settings. Somehow, I think it'll work out with your suggestions. Makes sense now.

Thank you.

Good luck.

Not sure how your website is setup but if the pages are dynamic you can always use the geolocation item in the request headers coming into your server to conditionally show your ad code - this is what I do on my site (this way I still serve pages everywhere but only allowed countries can see the ads).

More details about CF-IPCountry and how to use it here [support.cloudflare.com...]

@PickWick ... if not obvious above, we are so happy to have you join Webmasterworld!

Thanks again Freitasm, will look into that. :-)

'and thank you Tangor.

Question, is it possible for a country to show up through an IP here in the states?

Sorry, I'll try to explain better.

For testing purposes, Overnight, I whitelisted some IP ranges that I blocked the other day. I suspected (and pretty convinced) these IPs as being the source of my invalid Adsense activity. These IP groups are through/from Go-Daddy (not that it would mean anything, or does it?)

This morning I see that country once again with 2 clicks. No earnings this time, but the fact they're there is maddening.

Any thoughts?

Geolocation is quite an "art" because IP addresses are allocated by region, country and companies. Some companies buy these IP addresses to use in specific areas, depending on their network configuration. Companies can have a presence in many different countries. Even if it's just a company within a single country, some might have IP addresses allocated to their address, not necessarily the city/region it is being used. All this makes geolocation quite hard but accurate enough for some usage - of course, modern browsers can use the devices' own location sensors - GPS for mobile devices or the OS might present location based on router/gateway/WiFi (when you drive around with your phone it will log WiFi access points MAC addresses and use the GPS to map them - that's then used through APIs to determine a rough location if GPS is not available - and that's how websites on desktops can get location even with no GPS).

However, in your specific case you previously mentioned you block countries and now say you blocked IP addresses - was this in addition to countries?

Yes, it's possible for attacks to come from any IP addresses. Sometimes these attackers will use bots planted in compromised computers. These botnets could be anywhere in the world. So it all depends on how these "attacks" are being done and who is doing it.

Cloudflare gives an option to block malicious bots and browsers. Use that option. In the Firewall section of Cloudflare, you will see recent events and you can filter them, so you can have a good idea if this is localised or spread. Cloudflare also has an option called Server Side Excludes. Just add a tag before and after the AdSense code - if a browser or computer is suspicious, Cloudflare will not send the HTML/code between those tags. Check this page for details [support.cloudflare.com...]

Yeah, I was familiar with the Firewall Events section, but had no idea about the filters. Cool!

Yet, is it possible for a country to register in Adsense metrics even though they may be going through another local IP Address?

As for the Server Side Excludes, I had it turned on but never delved into what it meant. Dang, that's great! Will be trying that out today. That would help big time if it actually works well.

Will temporarily let those IPs through after employing the SSE method to see.

Thank you again Freitasm!

Yes, someone in a country could show up with another country's IP address but this would involve using a proxy or VPN ending on this other country.

In this case, blocking the original country would have no effect at all as for all effects, the endpoint IP address is the one visiting your site.

Aaaaaah!

I'm guessing then that the reverse is possible as well? Local operators pretending to be from other countries?

But yes, they're likely getting in through those IP ranges I blocked. Looking back at the past few years' stats, without all that fake traffic I'd be exactly where I should be with visits, impressions and clicks. So there's no skin off my back.

BTW, just in case anyone's curious about why this subject's such a big issue for me:

Gotten loads of invalid traffic over the past few months.
For January I got 500% of the norm for that month in Adsense revenue.
80% of that was marked as invalid.