teddles
  • teddles
  • 53.2% (Neutral)
  • Newbie Topic Starter
a day ago
Hello, I want to block Tencent (ask for confirmation it is not a robot) in my Cloudflare account.


sirclesadmin
a day ago

You can effectively block traffic originating from Tencent's networks using a Cloudflare WAF Custom Rule (formerly known as Firewall Rules) based on their Autonomous System Number (ASN).


Tencent has multiple ASNs, but the most common one associated with their general network/cloud services that often generate bot traffic is AS45090. Another frequently mentioned one is AS132203.


I recommend using a Challenge action first to avoid accidentally blocking legitimate users, but you can set the action to Block.


Here are the steps:




1. Create a WAF Custom Rule



  1. Log in to your Cloudflare dashboard and select your domain.

  2. Navigate to Security → WAF → Custom rules (or Firewall → Firewall Rules if you are on an older interface).

  3. Click Create rule.

  4. Name the rule (e.g., Block Tencent ASN).




2. Define the Expression


In the When incoming requests match... section, you will build the expression to target Tencent's network.



  1. Select the Field dropdown and choose AS Num (Autonomous System Number).



  2. Select the Operator dropdown and choose is in.



  3. In the Value field, enter the relevant Tencent ASNs, separated by a space and enclosed in curly brackets:


    Expression: (ip.geoip.asnum in {45090 132203})



    • Note: This targets a broader range of Tencent's network traffic.






3. Choose an Action


This step determines what happens to the traffic coming from those ASNs.



  1. In the Choose action dropdown, select:



    • Challenge (Managed): This is the recommended first step. It forces suspicious traffic to solve a CAPTCHA/challenge, effectively stopping automated bots while still allowing legitimate users who might be using a service hosted on Tencent Cloud (though this is less common) to get through.

    • Block: Select this if you are confident that you want to deny all access from these networks.



  2. Click Deploy (or Save).




The rule will immediately go into effect, and any requests originating from those specific Tencent ASNs will be blocked or challenged according to your setting.




Alternative: Block AI Crawlers


Cloudflare also offers a dedicated feature for blocking known AI bots (which may include some Tencent-related crawlers if they are known for AI scraping).



  1. Navigate to Security → Bots.

  2. Look for options like "Bot Fight Mode" or "Block AI bots" (available on higher-tier plans or if you have Bot Management enabled).

  3. Ensure the settings are configured to Block known AI crawlers. This can be a simpler way to mitigate specific bot types without manually maintaining a list of ASNs.



sirclesadmin
a day ago

That's completely fine. If you don't have the WAF Custom Rules option (which typically requires a Pro plan or higher), you will need to use the older, more foundational security feature called IP Access Rules.


IP Access Rules are available on all Cloudflare plans, including the Free plan, and they allow you to block traffic based on ASN (Autonomous System Number).


Here is how to set up the block using IP Access Rules:


1. Identify the Tencent ASNs


Tencent's networks are primarily identified by a couple of ASNs. You will want to block the most common ones associated with cloud/bot traffic:



  • AS45090 (TENCENT-NET-AP)

  • AS132203 (TENCENT-NET-AP-CN)


2. Create the IP Access Rules



  1. Log in to your Cloudflare dashboard and select your domain.



  2. Navigate to Security → WAF → Tools.



    • Note: Even without the full WAF Custom Rules, this Tools tab should be available, and it contains IP Access Rules.



  3. In the IP Access Rules section, enter the following information to create the first rule:



    • Value: Enter AS45090

    • Action: Select Block (or Challenge for a less aggressive approach)

    • Zone: Select This website (or All websites in this account if you want to block it across all your domains).

    • Notes (Optional): Add a note like Block Tencent Bots (AS45090)

    • Click Add.



  4. Repeat for the second ASN:



    • Value: Enter AS132203

    • Action: Select Block (or Challenge)

    • Zone: Select This website.

    • Notes (Optional): Add a note like Block Tencent Cloud (AS132203)

    • Click Add.




Your site will now immediately block or challenge all traffic originating from those specific Tencent networks.




Important Considerations:



  • Impact of Blocking: Blocking an entire ASN is a broad action. Since these ASNs belong to a major cloud provider (Tencent Cloud), you may accidentally block legitimate users, software, or APIs that are hosted on their network. Using the Challenge action is generally safer.

  • Rule Priority: IP Access Rules are evaluated before almost all other Cloudflare security features (like the Security Level, if you use it). They are highly effective.

  • Bot Fight Mode (Free Plan): Even on the Free plan, you have access to Bot Fight Mode (found under Security → Bots). Ensure this is turned ON. It will automatically mitigate known simple bot threats without needing manual rules.



teddles
a day ago
I cannot see these options...
[Attachment: tencent-cf.png]
sirclesadmin
a day ago

Thank you for sharing the screenshot. That confirms you are on a plan (likely the Free plan) where the WAF Custom Rules feature is not enabled by default, which is why it's prompting you to "Purchase add-on."


However, you can still block traffic by ASN using the dedicated, free tool called IP Access Rules. Cloudflare sometimes hides the menu item when you don't have an active rule, but you can usually find it under the Tools tab of the WAF section.


Here is the revised, correct navigation path to find and use IP Access Rules to block Tencent:


1. Find the IP Access Rules Tool



  1. Log in to your Cloudflare dashboard and select your domain.



  2. In the left-hand menu, navigate to Security.



  3. Under the Security menu, look for WAF or Security → WAF.



  4. Once on the WAF page, look for a tab or sub-menu named Tools.



    • If you are using the older dashboard style, the path is usually Security → IP Access Rules.

    • If you are in the newer dashboard style (which your screenshot suggests), you should look for the Tools tab/sub-menu under WAF.




2. Create the Blocking Rules


Once you are on the IP Access Rules page (or Tools tab), you will see a section where you can add new rules.


You will need to create a separate rule for each Tencent ASN (Autonomous System Number). Use the following ASNs for Tencent:



  • AS45090 (TENCENT-NET-AP)

  • AS132203 (TENCENT-NET-AP-CN)


























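| Field  | Value    | Action             | Zone         | Notes               |
|--------|----------|--------------------|--------------|---------------------|
| Value: | AS45090  | Block or Challenge | This website | Block Tencent Bots  |
| Value: | AS132203 | Block or Challenge | This website | Block Tencent Cloud |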

Recommended Action:



  • Start with Challenge (Managed). This will force the bots to solve a challenge (like a CAPTCHA) without blocking legitimate users who might coincidentally be using a Tencent-hosted VPN or service.

  • If you still see abuse, you can change the action to Block.


After you enter the details for each ASN, click Add to deploy the rule immediately.


Alternative Free Protection


If you still can't find the IP Access Rules tool, make sure you have the following general security features enabled, which are available on the Free plan:



  1. Security Level: Go to Security → Settings and set the Security Level to High or "I'm Under Attack!". This will automatically challenge visitors with a high Threat Score, which often catches malicious bots.

  2. Bot Fight Mode: Go to Security → Bots and make sure Bot Fight Mode is ON. This blocks a substantial amount of simple bot traffic.



teddles
a day ago
Where is 'security'?
sirclesadmin
a day ago

I see the issue! Based on your screenshot, you are in the new dashboard layout.


The main "Security" section on the left-hand navigation menu is gone in this layout. It has been replaced by two main areas:



  1. Security Center: (At the top of the left menu) This is for account-wide security monitoring and insights.

  2. WAF, DDoS, and other security tools: These are now listed directly under your domain's menu items.


To find the tool you need (IP Access Rules), you need to navigate within the WAF area, but specifically the Tools section, which is available even on the Free plan.


Here is the exact path based on what is visible in your screenshot:


Step 1: Navigate to WAF Tools



  1. In your left sidebar menu, click on WAF. (You are currently viewing this, which explains why you see the "Purchase add-on" message for Custom Rules).



  2. Now, look for the Tools tab within the WAF screen.



    • If you see a set of tabs (e.g., Custom Rules, Managed Rules, Tools) at the top of the WAF page, click on the "Tools" tab.




Step 2: Use IP Access Rules to Block Tencent


The IP Access Rules section should be visible in the Tools tab. This is a foundational feature available on all plans.



  1. Look for the IP Access Rules section.

  2. In the fields provided, enter the following information:























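| Field | Value    | Action                           | Zone         |
|-------|----------|----------------------------------|--------------|
| Value | AS45090  | Challenge (Recommended) or Block | This website |
| Value | AS132203 | Challenge (Recommended) or Block | This website |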


  3. Click Add for each rule.


This action is effective immediately and will prevent traffic from those specific Tencent networks from reaching your site.
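
Added example, not part of any post in this thread: the WAF expression and the two per-ASN IP Access Rules described above, generated from one validated ASN list so the dashboard entries and any scripted rules stay in sync. The helper names are hypothetical; the endpoint and body fields assume Cloudflare's IP Access Rules API, and the zone ID and API token are placeholders you supply.

```python
import json
import re
import urllib.request

# Assumption: Cloudflare v4 API base and IP Access Rules endpoint/body shape.
API = "https://api.cloudflare.com/client/v4"
ALLOWED_MODES = {"block", "challenge", "js_challenge", "managed_challenge"}

def normalize_asns(values):
    """Accept 'AS45090', 'as45090' or 45090; return sorted unique ints."""
    asns = set()
    for v in values:
        m = re.fullmatch(r"(?:AS)?(\d{1,10})", str(v).strip(), re.IGNORECASE)
        if not m or not 1 <= int(m.group(1)) <= 4294967295:
            raise ValueError(f"not an ASN: {v!r}")
        asns.add(int(m.group(1)))
    return sorted(asns)

def waf_expression(values):
    """Expression text for a WAF custom rule, in the form used in the thread."""
    return "(ip.geoip.asnum in {%s})" % " ".join(map(str, normalize_asns(values)))

def access_rule_payloads(values, mode="managed_challenge", note="Tencent ASN"):
    """One IP Access Rule body per ASN (the tool takes one ASN per rule)."""
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unsupported mode: {mode}")
    return [{"mode": mode,
             "configuration": {"target": "asn", "value": f"AS{n}"},
             "notes": f"{note} (AS{n})"} for n in normalize_asns(values)]

def create_access_rules(zone_id, token, payloads):
    """POST each rule to the zone; returns the parsed API responses."""
    results = []
    for body in payloads:
        req = urllib.request.Request(
            f"{API}/zones/{zone_id}/firewall/access_rules/rules",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req, timeout=15) as resp:
            results.append(json.load(resp))
    return results

if __name__ == "__main__":
    rules = access_rule_payloads(["AS45090", "AS132203"])  # challenge first
    print(waf_expression(["AS45090", "AS132203"]))
    print(json.dumps(rules, indent=2))
    # To apply: create_access_rules("<ZONE_ID>", "<API_TOKEN>", rules)
```

Running it as written only prints the expression and rule bodies; nothing is sent until `create_access_rules` is called with real credentials.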