Website being blocked from Zscaler IPs

[returnZero]

Our organization uses Zscaler as its web security platform, but recently it seems the filezilla-project.org website server is blocking requests coming from zscaler proxies.
Note, accessing the website outside of zscaler appears fine. I have been in contact with zscaler support and they confirm that it appears filezilla is blocking their IP ranges. I assume this is likely due to a false positive on the website's bot protection.

Zscaler IP ranges can be found here https://config.zscaler.com/zscaler.net/cenr - but specifically we are being blocked from the Melbourne, Sydney and Canberra data centers.

Can we please review and see if we can get this blocking removed. As we are unable to access the site.

If not, can you advise the best way to for Zscaler to contact the filezilla team to look into this?

Cheers.

[botg]

Due to extreme amount of malicious traffic coming through their proxies, their entire address ranges needed to be blocked.

I wonder, they advertise with zero trust on their website. Zero trust stands for don't trust, verify. Yet their proxies relay traffic without verifying its legitimacy. Very peculiar.


I believe that legitimate organizations does not have to hide behind a proxy, they can and should access filezilla-project.org directly.

[returnZero]

Hi, thanks for the reply.

I am somewhat surprised at the 'extreme' amount of malicious traffic coming for their IPs. Is this quantified in anyway and to what you label as malicious?

Zscaler is a key security control for our organization and many organizations within our region, including our largest banks etc.
We are not 'hiding' behind a proxy as per say, this service provides various web fliting and security controls.

We have not run into this issue with any other websites. While it is technically possible to bypass Zscaler for this domain, it would be removing a key security control for us which is not feasible.
I am working with Zscaler support on this. Is there an avenue for Zscaler to contact the FileZilla team to discuss possible options?

Or can you recommend any mirrors that can be used?

Cheers.

[botg]

Is this quantified in anyway and to what you label as malicious?

Thousands of IP addresses nonstop connecting to our webserver, that all start a TLS handshake, but which then are not actually making a request, blocking resources until eventually the connection times out.

[returnZero]

I can only assume there are other Zscaler customers are causing that - as it is a shared cloud service. By blocking Zscaler, you are blocking all legitimate users/customers.

As mentioned, we have not come across other websites doing this.

Can you advise of any mirrors / github etc, not on the filezilla domain that we could possibly utilize?
I cant seem to find any.

Cheers.

[botg]

The solution is simple, just get a new IP address range assigned to you and you alone, one that has never been used before and is not shared with other customers. Thanks to IPv6 you can even have a whole /64

[M009]

zscaler is not free service so any traffic coming from them would be coming from legitimate businesses.

[returnZero]

That is not really a simple solution for us. We don't have centralized infrastructure. Our entire workforce are remote road warriors. Zscaler is a single point control for secure web access.

While they do have a service called IP source anchoring, it would require a license uplift - which is not feasible for this one use case.

We may just have to choose a different client.

The only thing I guess I could request as a feature, is if you're unwilling to unblock zscaler IP ranges, is to then host your builds on mirrors with infrastructure that can better handle enterprise traffic - something like github or similar - as to help keep filzilla to remain free and open - and not to block legitimate users.

[botg]

This "Enterprise traffic" is still malicious.