My forum is being swarmed by bots with Cloudflare IP addresses, according to ARIN. I’d like to block them, but I’m unsure of what will happen if I block a Cloudflare address range. Has anyone else experienced this and, if so, what did you do?
Do you currently use Cloudflare in any capacity, or do you just see CF IPs hitting your services? And what are the IPs? (Some IPs are for the ‘Warp’ VPN, some are for the main proxy service.)
I am on the Cloudflare business plan. Here are some of the IP addresses:
220.127.116.11 (and others in this range)
18.104.22.168 (and others in this range)
22.214.171.124 (and others in this range)
There are two circumstances where it might appear that Cloudflare is attacking your site.
1. You’re a Cloudflare customer for your website(s). Since Cloudflare is a reverse proxy for our customers’ sites, Cloudflare IPs are going to show in your server logs until you install something on your server to restore original visitor IP, such as mod_cloudflare for Apache servers. Solutions for seeing original visitor IP for Apache, nginx and other servers and applications are listed here: Restoring Visitor IPs – Cloudflare Help Center
2. You’re getting attacks from Cloudflare’s IPs because they are being spoofed. By default, Cloudflare does not send traffic over anything other than http:// (ports 80 and 443), so getting attacked by UDP requests means you are likely seeing a DNS amplification attack; see this article for more information.
If your situation does not fit any of the circumstances listed above, please provide the information requested below and we can provide solutions for handling an issue that looks like an attack from us.
Required information to investigate:
- source IP(s) you are seeing the traffic from
- destination IP(s) on your side
- IP packet contents
- (if possible) tcpdump output in -vvv -s0 -n format
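The first circumstance above, as an added example that is not part of the original thread and is not Cloudflare's code: it resolves the real visitor address from the `CF-Connecting-IP` header only when the connecting peer is inside a Cloudflare range, so a header sent straight to the origin is ignored. The function names are hypothetical, the request records are constructed, and the range list is a subset of Cloudflare's published IPv4 ranges embedded so the block runs offline.

```python
import ipaddress
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh from
# https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

def is_cloudflare(ip):
    """True if the address falls inside one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def effective_client(peer_ip, cf_connecting_ip):
    """Return (client_ip, verdict) for one request."""
    if not is_cloudflare(peer_ip):
        # Direct connection to the origin: the header is client-controlled,
        # so the TCP peer address is the only trustworthy value.
        verdict = "direct-header-ignored" if cf_connecting_ip else "direct"
        return peer_ip, verdict
    try:
        # Peer is a Cloudflare edge: accept the header if it parses as an IP.
        return str(ipaddress.ip_address(cf_connecting_ip.strip())), "proxied"
    except (ValueError, AttributeError):
        # Missing or malformed header: fall back to the edge address.
        return peer_ip, "proxied-no-header"

# Constructed (peer address, CF-Connecting-IP header) pairs; visitor
# addresses come from the RFC 5737 documentation ranges.
SAMPLE = [
    ("162.158.10.20", "203.0.113.7"),
    ("162.158.10.21", "203.0.113.7"),
    ("172.68.1.5", "198.51.100.9"),
    ("192.0.2.44", "203.0.113.99"),   # direct hit on the origin with a header
    ("104.16.3.3", None),             # proxied request with no header
]

def summarize(records):
    """Count requests per resolved client and per verdict."""
    clients, verdicts = Counter(), Counter()
    for peer, header in records:
        client, verdict = effective_client(peer, header)
        clients[client] += 1
        verdicts[verdict] += 1
    return clients, verdicts

if __name__ == "__main__":
    for name, counter in zip(("clients", "verdicts"), summarize(SAMPLE)):
        print(name, dict(counter))
```

If most requests in a real log resolve to a handful of Cloudflare edge addresses rather than visitor addresses, visitor IP restoration is not taking effect on the origin.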
Thanks! I just switched servers a month ago and probably don’t have mod_cloudflare installed on the new one. I’ll start there and check out the article as well.
I just checked and I have mod_remoteip enabled. I’ll get Cloudflare support the information you listed.
Wouldn’t Workers also come under this?
Warp or Workers to blame, most probably.