My guess: exit nodes are responsible for a number of attacks against CloudFlare-protected sites so it makes sense to question each visit from those IPs.