Cloudflare as a source of harmful traffic

What is the name of the domain?

deref.se

What is the issue you’re encountering

Overloading of hosting account

What steps have you taken to resolve the issue?

Block via Rewrite rule in .htaccess


In short: why do we see Cloudflare IPs making requests against some web sites that don’t use Cloudflare? Is the absence of information regarding a source IP “behind” Cloudflare a clue about why the request was made?

We have seen quite a lot of traffic from Cloudflare IPs affecting certain web sites of late, where they have no clear connection to Cloudflare. Most recently a site was hit last week where a .htaccess rule blocking all calls from the subnet 104.28.0.0/16 was used to keep the site working properly. If we filter out only that subnet we can see the volume of requests:

All requests were for the root resource /

Normally traffic from Cloudflare doesn’t show the Cloudflare IP because they are treated as proxies and it is the IP for which they are doing the forwarding that gets logged. The web site above used Cloudflare briefly a few months ago but does not do that now.

Another web site for which we don’t have graphics had quite a few Cloudflare IPs earlier last month. They usually have 55 000 to 60 000 HTTP calls per day but on August 10th they had just over 1 million. Only 26 000 came from Cloudflare IPs, but the web site is not using Cloudflare so it’s not clear why there are any accesses:

11785 104.28.31.63
8352 104.28.31.64
1350 104.28.31.65
780 104.28.31.66
548 104.28.45.54
453 104.28.45.52
366 104.28.64.59
226 104.28.45.55
224 104.28.31.61
222 104.28.105.34
210 104.28.105.33
196 104.28.45.51
158 104.28.148.56
145 104.28.31.62
140 104.28.148.53
127 104.28.148.57
101 104.28.105.31
99 104.28.87.87
86 104.28.150.40
83 104.28.64.58
82 104.28.129.57
78 104.28.45.53
73 104.28.148.51
67 104.28.148.54
66 104.28.148.52
66 104.28.131.25
66 104.28.105.30
64 104.28.40.69
63 104.28.105.24
58 104.28.129.55
57 104.28.105.32
48 104.28.64.61
40 104.28.148.55
38 104.28.147.218
17 104.28.148.48
14 104.28.129.58
13 104.28.148.46
10 104.28.87.88
10 104.28.148.28
6 104.28.147.216
3 104.28.64.60
3 104.28.148.29
3 104.28.139.212
2 104.28.45.50
2 104.28.148.47
2 104.28.105.25

I thought this was the work of Cloudflare Workers but after testing it I couldn’t make it log the Cloudflare IP; the worker seems to use the connecting IP with X-Forwarded-For as is proper (personally identifiable information has been deleted):

  Connection: Keep-Alive
  accept-encoding: gzip
  X-Forwarded-For: --------------
  CF-RAY: 8c05d1d614a15c85-FRA
  X-Forwarded-Proto: http
  CF-Visitor: {"scheme":"http"}
  CF-EW-Via: 15
  CDN-Loop: cloudflare; loops=1; subreqs=1
  Accept-Language: en-US,en;q=0.5
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  User-Agent: Mozilla/5.0 Firefox
  CF-Connecting-IP:  --------------
  priority: u=1
  sec-fetch-dest: document
  sec-fetch-mode: navigate
  sec-fetch-site: none
  sec-fetch-user: ?1
  upgrade-insecure-requests: 1
  cf-worker: ------------------

So the question is: why are these requests made? The VPN service looks like a reasonable source but some amount of rate-limiting would be appropriate. In the first case Cloudflare seemed like the source of enough traffic against certain web sites to make them unavailable. In the second case the requests don’t seem malicious but it’s still not clear why the requests are being made.
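The post shows two things a site operator ends up doing by hand: counting hits per source address inside 104.28.0.0/16 (the `uniq -c`-style list above) and working out which address to log when a request arrives through a proxy that sets CF-Connecting-IP or X-Forwarded-For. The script below is an added example, not code from the post or from Cloudflare: it parses constructed Apache combined-format log lines, ranks in-range sources, measures how many of them only ask for `/`, and honours the forwarded-client header only when the TCP peer is inside a trusted proxy range. The trusted range here is just the one block named in the post, used as a stand-in; in practice the list would be Cloudflare's published ranges, and the sample log lines, addresses and timestamps are made up.

```python
"""Added example: rank in-range log sources and decide when to trust a proxy's client-IP header."""
from collections import Counter
import ipaddress
import re

# Constructed sample in Apache "combined" log format (addresses, times and paths are made up).
SAMPLE_LOG = """\
104.28.31.63 - - [10/Aug/2024:10:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox"
104.28.31.63 - - [10/Aug/2024:10:00:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox"
104.28.31.64 - - [10/Aug/2024:10:00:03 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox"
203.0.113.7 - - [10/Aug/2024:10:00:04 +0200] "GET /about HTTP/1.1" 200 1024 "-" "curl/8.0"
104.28.31.63 - - [10/Aug/2024:10:00:05 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox"
198.51.100.9 - - [10/Aug/2024:10:00:06 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox"
not a log line at all
"""

# Client IP, request method, path and status; everything else is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield one dict per line that matches the combined-log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def _in_net(ip_text, net):
    try:
        return ipaddress.ip_address(ip_text) in net
    except ValueError:  # malformed address field
        return False


def hits_in_cidr(text, cidr):
    """Per-IP request counts for sources inside cidr, ordered like `sort | uniq -c | sort -rn`.

    Returns ([(count, ip), ...], total_parsed_lines).
    """
    net = ipaddress.ip_network(cidr)
    counts = Counter()
    total = 0
    for rec in parse_log(text):
        total += 1
        if _in_net(rec["ip"], net):
            counts[rec["ip"]] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(n, ip) for ip, n in ranked], total


def root_path_share(text, cidr):
    """Fraction of in-cidr requests whose path is exactly '/'.

    A value near 1.0 spread over many addresses is the pattern the post describes
    (every hit for the root resource) and is a reasonable trigger for rate limiting.
    """
    net = ipaddress.ip_network(cidr)
    in_cidr = root = 0
    for rec in parse_log(text):
        if not _in_net(rec["ip"], net):
            continue
        in_cidr += 1
        root += rec["path"] == "/"
    return root / in_cidr if in_cidr else 0.0


def effective_client_ip(remote_addr, headers, trusted_proxy_cidrs):
    """Return the address the server should log and rate-limit on.

    CF-Connecting-IP (or the first X-Forwarded-For hop) is used only when the TCP peer
    is inside trusted_proxy_cidrs; any other peer can write those headers freely,
    so for them the peer address itself is returned.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(c) for c in trusted_proxy_cidrs):
        return remote_addr
    lower = {k.lower(): v for k, v in headers.items()}
    forwarded = lower.get("cf-connecting-ip") or lower.get("x-forwarded-for", "")
    first = forwarded.split(",")[0].strip()
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return remote_addr  # header absent or not a valid address
    return first


if __name__ == "__main__":
    ranked, total = hits_in_cidr(SAMPLE_LOG, "104.28.0.0/16")
    print(f"{total} requests parsed; sources inside 104.28.0.0/16:")
    for n, ip in ranked:
        print(f"{n:>6} {ip}")
    print("share of in-range requests for '/':", root_path_share(SAMPLE_LOG, "104.28.0.0/16"))
```

On a real Apache host the same trust rule is what `mod_remoteip` enforces with `RemoteIPHeader` and `RemoteIPTrustedProxy`: the forwarded header replaces the logged address only for connections from listed proxies, which is why a site that has left Cloudflare sees the proxy's own address in its logs again.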
