I don’t think Argo Tunnel requires Argo Smart Routing. See if you can set it up without enabling Argo Smart Routing, as I don’t see how they’d be able to bill you for traffic if you’re not using the smart routing subscription.
Workers run on Cloudflare’s side and the idea - as @cs-cf elaborated - would be to add a header for you to check for on the server, but you could achieve the same without Workers and client certificate authentication (Cloudflare calls it Origin pulls).
But all of that won’t really help in your situation as the issue does not involve Cloudflare in the first place.
Argo is a service that uses optimized routes across the Cloudflare network to deliver responses to your users more quickly, reliably, and securely.
Enabling Argo activates Argo Smart Routing and Tiered Caching, reducing Internet latency on average by more than 30% and connection errors by 27%.
Argo Tunnel is also available upon activation. Use of Tunnel is optional; it protects servers from IP address exposure and attack. View the developer documentation to learn more.
This feature is a usage-based product. Learn more about how billing works for Argo.
It looks like I’d need to use Smart Routing before I can use the Argo Tunnel, so I’d be paying for it.
Yeah, at the moment I’m in “I’m Under Attack” mode, which isn’t doing anything because as you say, they’re just going for the origin, and the act of blocking all these requests is just overloading the NIC.
Here’s the DNS for my site, is there anything here that jumps out to you as a misconfiguration?