Excessive traffic to origin server from within the same Cloudflare network

Excessive traffic is reaching my origin server from a specific IP, 2a06:98c0:3600::103.
The request rate is continuously more than 10 requests per second.

Facts:

  • The GeoIP databases connect this particular IP with the Cloudflare network.
  • The user agent associated with all requests coming from this IP claims to be Googlebot. When I looked up the IP, it belongs to Cloudflare, so for sure this is a FAKE BOT: “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
  • I looked into the Cloudflare dashboard to check if this IP has been challenged or identified as a fake bot, but that’s not the case, although the IP is sending more than 4 million requests per day with a fake bot agent.

Concerns:

  • Why have the Cloudflare firewall rules not classified this one in particular as a FAKE BOT? I could see some FAKE BOT classifications, but not for this IP.
  • Does Cloudflare offer any services to host applications? Someone within the Cloudflare network is sending this excessive number of requests for a long period without being stopped or identified. I’m concerned if Cloudflare protection isn’t really effective against internal network addresses such as this one.

I would appreciate it if you could please help me with details about this IP, as it’s violating the terms of service, and it’s causing damage without being mitigated by Cloudflare although I have an active subscription.

Hi @Networker007,

These requests come from Cloudflare Workers. You should be able to block them by creating a firewall rule: when (not cf.worker.upstream_zone in {"" "yourdomain.tld"}) then Block.

From the Cloudflare Workers documentation:

In cross-zone subrequests from one Cloudflare customer zone to another Cloudflare customer zone, the CF-Connecting-IP value will be set to the Worker client IP address '2a06:98c0:3600::103' for security reasons.


Hi @albert Thank you for your reply and assistance.
Yes indeed, that gives me the ability to control the traffic.

Do you have any information on how I can escalate this violation of the terms of service, as it has been harmful to my domain, receiving millions of requests for a very long period of time from a worker within the same Cloudflare network?

As well, I wonder why Cloudflare fake bot mitigation has not been triggered for the fake agent associated with all those requests. Is the internal traffic from the Cloudflare network whitelisted?

This post was flagged by the community and is temporarily hidden.

Hi @Networker007,

Good to know you’ve successfully mitigated the attack! :slightly_smiling_face:

Could you look through your webserver logs and note the Cf-Worker header in order to identify the zone/domain of the offending worker? If you send it here, @Walshy can make sure it gets escalated to the proper team.

Requests made by Cloudflare Workers might be treated differently, which is why proper firewall rules are important, but it could also be that Cloudflare didn’t see it as an attack. Even though 10 requests/second might harm a site it can hardly be considered a DDoS attack.
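
The log check suggested in the reply above, as an added example that is not part of the original thread: it tallies requests arriving with the Worker client IP by their CF-Worker zone and counts how many claim to be Googlebot. The log format, the function name and the sample lines are assumptions; the origin server has to be configured to log the CF-Connecting-IP and CF-Worker headers.

```python
import ipaddress
import re
from collections import Counter

# Address the quoted Workers documentation gives for cross-zone subrequests.
WORKER_CLIENT_IP = ipaddress.ip_address("2a06:98c0:3600::103")

# Assumed (hypothetical) nginx log_format that records the two headers:
#   '$remote_addr [$time_local] "$request" $status "$http_user_agent" '
#   'cfip="$http_cf_connecting_ip" cfworker="$http_cf_worker"'
LINE_RE = re.compile(
    r'^\S+ \[[^\]]+\] "[^"]*" \d{3} "(?P<ua>[^"]*)" '
    r'cfip="(?P<cfip>[^"]*)" cfworker="(?P<zone>[^"]*)"$'
)

# Constructed sample lines; peer addresses and zone names are placeholders.
SAMPLE_LOG = """\
198.51.100.7 [10/Jan/2022:10:00:01 +0000] "GET /a HTTP/1.1" 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" cfip="2a06:98c0:3600::103" cfworker="offender.example"
198.51.100.7 [10/Jan/2022:10:00:01 +0000] "GET /b HTTP/1.1" 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" cfip="2a06:98c0:3600::103" cfworker="offender.example"
198.51.100.8 [10/Jan/2022:10:00:02 +0000] "GET /c HTTP/1.1" 200 "curl/7.80.0" cfip="2a06:98c0:3600:0:0:0:0:103" cfworker="Offender.example"
198.51.100.9 [10/Jan/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)" cfip="203.0.113.9" cfworker="-"
198.51.100.7 [10/Jan/2022:10:00:03 +0000] "GET /d HTTP/1.1" 200 "ExampleFetcher/1.0" cfip="2a06:98c0:3600::103" cfworker="other.example"
this line does not follow the assumed format
"""

def summarize_worker_traffic(lines):
    """Return (requests per CF-Worker zone, Googlebot claims per zone, unparsed count)."""
    per_zone, googlebot_claims, unparsed = Counter(), Counter(), 0
    for line in filter(None, (raw.strip() for raw in lines)):
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        try:
            # Compare parsed addresses so differently written IPv6 forms still match.
            if ipaddress.ip_address(m["cfip"]) != WORKER_CLIENT_IP:
                continue
        except ValueError:
            continue  # header absent ("-") or not an IP: not Worker traffic
        zone = m["zone"].lower() if m["zone"] not in ("", "-") else "(no CF-Worker header)"
        per_zone[zone] += 1
        if "googlebot" in m["ua"].lower():
            googlebot_claims[zone] += 1
    return per_zone, googlebot_claims, unparsed

if __name__ == "__main__":
    zones, bots, bad = summarize_worker_traffic(SAMPLE_LOG.splitlines())
    for zone, count in zones.most_common():
        print(f"{zone}: {count} requests, {bots[zone]} claiming Googlebot")
    print(f"unparsed lines: {bad}")
```

The zone with the highest count is the value to include when reporting the Worker.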

@albert Thank you so much.
Any means to send you the details privately?

This post was flagged by the community and is temporarily hidden.

@albert Thank you so much. Kindly note I’ve sent you the details to the email address.

It’s been forwarded! :slightly_smiling_face: