DDoS from Cloudflare IPs

I have a DDoS from Cloudflare IPs. Until some time ago, all bad traffic was displayed in my account and blocked by Cloudflare. But now it seems as if there is no attack in the account, and millions of requests are received on my server. How is this possible?

162.158.155.201 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.155.201 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.158.234 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.155.201 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 500 192 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
141.101.98.57 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
141.101.98.57 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
141.101.98.225 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
141.101.98.209 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.159.25 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.154.212 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.158.206 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 500 192 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
141.101.98.225 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 500 192 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.159.25 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
141.101.98.97 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.155.201 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 500 192 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"
162.158.158.234 - - [23/May/2021:10:24:04 +0300] "POST / HTTP/1.1" 302 20 "-" "Mozilla/5.0 (Windows NT 10.0; rv:88.0) Gecko/20100101 Firefox/88.0"

Those are Cloudflare IP addresses, because the traffic has to be routed to Cloudflare before it reaches your server.

You need to read this in order to restore the visitor IP address:


That’s good. We’ve configured nginx and now we can see original IP addresses. E.g.
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
35.214.64.219 - - [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

At the same time we have TCP connections only from Cloudflare.
ss | awk '{print $5}' | cut -d ':' -f 1 | grep -v 127.0.0.1 | sort -u

But IP address 35.214.64.219 is already blocked in the Cloudflare admin panel.

What should I do?
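
An added example, not part of the original posts: once nginx logs the restored visitor address, the access log alone no longer shows whether a request came through Cloudflare or reached the origin directly. Assuming a hypothetical log format that records the TCP peer (`$realip_remote_addr`) before the restored client address (`$remote_addr`), the Python below separates the two cases; the Cloudflare range list is a snapshot that must be refreshed, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/).
# The list changes over time, so refresh it before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumed log_format: '$realip_remote_addr $remote_addr [$time_local] "$request" $status'
LINE = re.compile(r'^(?P<peer>\S+) (?P<client>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3})')

def is_cloudflare(ip):
    """True if ip falls inside one of the Cloudflare ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def summarize(lines):
    """Count requests per client that came through Cloudflare, and per peer that did not."""
    via_edge, direct = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        try:
            edge = is_cloudflare(m["peer"])
        except ValueError:
            continue  # peer field is not an IP address
        if edge:
            via_edge[m["client"]] += 1   # proxied: filter at the Cloudflare edge
        else:
            direct[m["peer"]] += 1       # reached the origin without Cloudflare
    return via_edge, direct

# Constructed sample lines (documentation-range client addresses).
SAMPLE = [
    '162.158.88.103 203.0.113.7 [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503',
    '172.68.11.18 203.0.113.7 [23/May/2021:19:09:22 +0300] "POST / HTTP/1.1" 503',
    '108.162.245.39 203.0.113.7 [23/May/2021:19:09:23 +0300] "POST / HTTP/1.1" 503',
    '198.51.100.9 198.51.100.9 [23/May/2021:19:09:23 +0300] "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    via_edge, direct = summarize(SAMPLE)
    print("via Cloudflare:", via_edge.most_common(5))
    print("direct to origin:", direct.most_common(5))
```

A non-empty "direct to origin" count means some clients know the origin address, in which case the origin firewall should accept web traffic only from the Cloudflare ranges.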

Are you still seeing this IP in the firewall events?

Thing is, I do not see this IP in firewall events. But traffic was coming through Cloudflare.
