# New wave of bot(s) getting through security rules/WAF

20 messages · Page 1 of 1 (latest)

brazen musk
#

It seems some new bot(s) is/are able to get through security rules/WAF, bypassing any accessible prompt 'Action', including 'Managed Challenge', 'JS Challenge', and 'Interactive Challenge'. Most bots outside of the US are still being properly blocked, but the new wave of incoming bot connections seems to all/mostly be coming from US IP addresses. The agent string is always something generic like:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36

With the only variation being in the 'Chrome/' value, ranging from '139.0.0.0' to '142.0.0.0'. Everything else in the string remains exactly the same. They are hitting servers in bursts of about 40-50 every 20 minutes, up from around 10-20 over the last week or so. The rate seems to be increasing as whatever this bot is seems to be getting rolled out more broadly. Here is a sample of about 40 IP addresses for reference taken this morning, if helpful:


pale pumice
#

> With the only variation being in the 'Chrome/' value, ranging from '139.0.0.0' to '142.0.0.0'

Yeah, that's how user agents look. Every Windows 10 or 11 user on Chrome will look like that.

#

this is just attackers using residential proxies and actual browsers

#

congrats, you made it

brazen musk
# pale pumice > With the only variation being in the 'Chrome/' value, ranging from '139.0.0.0'...

I guess my concern/point is not that this wave of bot traffic is 'every Windows 10 or 11 user' or that the attackers are using 'residential proxies and actual browsers', it's that they are able to bypass the CF security rule verification automatically somehow. I doubt the legit users whose systems have been compromised are physically clicking the checkbox or somehow otherwise validating the security check. But it sounds like you are saying if this approach is used in an attack, nothing can be done about it and there might as well be no security in place at all because it can never be effective at all against something like this?

pale pumice
#

browsers are heavily sandboxed, they can't tell if someone physically pressed a button or a program moved the mouse

#

the most you can expect from a browser challenge is to force attackers to use an actual browser, not a simple HTTP library

#

running browsers are 10000x more expensive than a simple python script

#

residential proxies are 10x more expensive than datacenter proxies and infinitely more expensive than not using proxies

#

"perfect security" does not exist, but you can throw hurdles in the way

brazen musk
#

Ok, what hurdles against this? If CF can't protect against it at all, then I guess they've found the golden ticket to attack anything at any time with zero defense...

pale pumice
#

residential proxies and browsers don't scale

#

they neither found a "golden ticket" nor are there "zero defenses", they are just brute-forcing their way through

#

a police officer won't be able to help you against a tank steamrolling at him, but that doesn't make him useless

brazen musk
#

Against a tank it does.

pale pumice
#

not every criminal has a tank

brazen musk
#

I'm pointing at one that does with your analogy.

pale pumice
#

then you add another police officer with anti-tank weapons, e.g. hCaptcha

brazen musk
#

Fair enough, it's good to at least know what CF can and can't do against 'tank' threats.

pale pumice
#

there is more you can do on Enterprise (Bot Management, Turnstile ephemeral IDs etc)