We were recently making a modification to our IP Mapping component to support CDN sites such as Cloudflare as a result of a recent forum post, and we discovered the answer to a observation that we had seen a few times that we thought worth sharing.
We occasionally use the Tor browser to access web sites, usually to give us a random set of IP addresses that we can test upon a site, when using IP Mapping. It is a very convenient way in which one can test access to a site, and appear to be coming from somewhere else in the world. We had observed that occasionally we were presented with a captcha page on some sites as shown below:
In the example shown we are accessing the Cloudflare site itself.
We hadn't worked out why this was occurring but now believe that it is something that sites hosted by Cloudflare sometimes display. We think this is Cloudflare itself that is intercepting the IP address that the Tor browser is using, i.e. the specific Onion exit IP point, and that Cloudflare is then deciding to display the captcha. If is probably not that difficult to do, and only requires a mechanism to keep track of all the possible Tor access points, and if the browser is coming from one of these IP locations present the captcha challenge.
Of course this makes some sense since Cloudflare is presumably protecting the sites it is hosting, but to a visitor (using the Tor browser) it is not evident or always known that Cloudflare is hosting the site, so it may come as somewhat of a surprise.
Of course other CDN sites may also be using such a mechanism as well so if you see such a captcha mechanism in place it may not be the site you are accessing that is the source of the captcha but the CDN site itself.
We have only observed this behaviour when using the Tor browser, and note that Cloudflare has a mechanism to let the hosted site decide what action to take when the Tor browser is used. Other CDN based sites and other browsers may exhibit similar ‘opportunities’ but of these we are not (yet) aware.