CF and New Relic reporting very different ASN values for the same traffic

user6454 · March 3, 2021, 12:58pm

Hello!

Not new to CF, but new to trying to engage with it actively.

We’ve been experiencing some anomalous, periodic, sudden, abusive spikes in traffic on our site (Heroku-hosted) that cause a bunch of problems for us, especially if they’re not caught quickly (cascading timeouts, etc). We’re working on shoring up the site performance-wise to better handle these spikes, but in the meantime I’ve been digging into New Relic to try to identify the source of the traffic so that we can maybe prevent them from happening in the first place using CF.

What I was able to discover in New Relic is that a certain ASN – let’s call it ASN 71 – is causing most if not all of our problems. So I made a simple Firewall Rule in CF to challenge traffic from ASN 71 and waited to see what happened.

Except nothing happened. The spikes kept coming, and the Firewall didn’t notice.

At first I thought maybe the traffic I was seeing in NR wasn’t going through CF, but then I learned that I could stop these spikes dead in their tracks using “Under Attack” mode, which seemed to indicate that they were being routed through CF.

After a bunch of experimenting and comparing of logs, I was able to determine that what New Relic is assigning to ASN 71 is assigned to ASN 16509 in Cloudflare. Same traffic from the same location hitting the same URLs – just a different ASN in the two different tools.

Am I misunderstanding something about what ASNs are? Is this a known thing I just haven’t heard about?

Any insight would be appreciated!

soldier_21 · March 3, 2021, 1:22pm

Are you able to find an example IP address where they differ in ASNs?

You can look up the ip address here https://dnslytics.com/ - which is likely up-to-date

eva2000 · March 3, 2021, 1:26pm

You can also test IP at https://www.iplocation.net/ which will show results from several common geolocation databases

user6454 · March 3, 2021, 2:06pm

Yes, I have lots of IPs to work with.

https://dnslytics.com/ reports – perhaps unsurprisingly – the same ASN as CF for the IP addresses I’ve checked there so far.

So maybe this is something I need to reach out to New Relic about to see where and how they’re getting their ASN info.

Also worrying that one of the ASNs I added a challenge to is Amazon AWS which…doesn’t seem like a specific enough challenge.

Thanks for the tip!

user6454 · March 3, 2021, 2:08pm

Now, this is interesting!

So I guess what I’m seeing here is that different authorities might have different ideas about a given IP address, so depending on who CF and New Relic get their info from, there might be discrepancies in what they hear.

Does that sound like a reasonable summary?

Interestingly, none of the IP addresses I’ve checked so far have a clear connection to the ASN New Relic was reporting. I’ll have to reach out to them!

Thank you!

soldier_21 · March 3, 2021, 6:01pm

The IP addresses could’ve previously belonged to another ASN. IP blocks get sold and traded all the time so I wouldn’t be surprised if New Relic had somewhat outdated information

system · March 6, 2021, 2:43pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.