Not new to CF, but new to trying to engage with it actively.
We’ve been experiencing some anomalous, periodic, sudden, abusive spikes in traffic on our site (Heroku-hosted) that cause a bunch of problems for us, especially if they’re not caught quickly (cascading timeouts, etc). We’re working on shoring up the site performance-wise to better handle these spikes, but in the meantime I’ve been digging into New Relic to try to identify the source of the traffic so that we can maybe prevent them from happening in the first place using CF.
What I was able to discover in New Relic is that a certain ASN – let’s call it ASN 71 – is causing most if not all of our problems. So I made a simple Firewall Rule in CF to challenge traffic from ASN 71 and waited to see what happened.
Except nothing happened. The spikes kept coming, and the Firewall didn’t notice.
At first I thought maybe the traffic I was seeing in NR wasn’t going through CF, but then I learned that I could stop these spikes dead in their tracks using “Under Attack” mode, which seemed to indicate that they were being routed through CF.
After a bunch of experimenting and comparing of logs, I was able to determine that what New Relic is assigning to ASN 71 is assigned to ASN 16509 in Cloudflare. Same traffic from the same location hitting the same URLs – just a different ASN in the two different tools.
Am I misunderstanding something about what ASNs are? Is this a known thing I just haven’t heard about?
Any insight would be appreciated!