Find IP of User that Doesn't Reach My Server?

Performance
#1

I have a user that is repeatedly requesting one of my pages, I have implented a Rate Limit and a Javascript Challenge to try and stop it but still it is requesting the page.

The Cloudflare cache is taking care of it and I do not see the user hit my server at all. But I would still like to stop this unwanted requests.

All are from Australia and I am sure a simple IP block would do the trick, but how do I find the IP when they dont actually hit my server?

From the pic you can see just how often this user is requesting the page:

aussie req
aussie req944Ă—597 38.7 KB

#2

It should be in the firewall events / activity logs, you can filter by “Country = Austrialia”

#3

That’s the problem, those 1.2 million requests are not appearing in my Firewall log, only in the image I posted above.

My Firewall looks like this:

firewall fine
firewall fine1004Ă—700 32.9 KB

#4

No replies for a couple of days so bumping this to avoid it being auto-closed.

I am still having this issue

#5

The rate limited traffic should show up in firewall events and you’ll be able to see its IP address.

Here’s an example:

image
image973Ă—501 18.4 KB

#6

This is what I mean though, it is not showing up anywhere other than in Requests.

Not in Firewall Logs

Not in Rate Limit Logs

It’s baffling!

#7

Ok, that’s interesting.

There’s a trick that you can try:

Create an Allow rule which matches traffic from Australia, and place the firewall rule at the last position.

You should be able to get a list of “allowed” traffic under firewall events" but in fact we are just logging the traffic (I assume that you are not on Enterprise plan, so you do not have access to the Log action).

2 Likes
#8

Great I’ll try that

Yea just on Pro Plan with the domain in question

1 Like
#9

Rate limit events (requests which trigger rate limiting rules) show up under the firewall events tab.

#10

Yea they are not being rate limited, they appear to be being given cached responses (they never hit my server and I dont see their IP as a result)

#11

If the requests are flying under your predefined rate limit threshold, then yes they won’t be rate limited nor will they show up in firewall events.

#12

They arent hitting my server at all.

They are only appearing in requests and not any of the logs at all.

They are far far more than my rate limit of 10 hits per min (more like 10’000 hits per min).

#13

If I’m not mistaken, you can actually rate limit cached assets:

image

#14

I’m not overly worried because it isnt hitting my server, I just can’t work out why I can’t find any info on what the IP is.

It’s almost like “if it hits the CF cache you can’t see who or what is visiting your site”

I know that isn’t the case, but I just cant seem to find who (or more likely what) is pinging it all the time.

So far have tried:
Rate Limit
JS Challenge
Captcha Challenge

All fail to stop the Requests and fail to show in the Firewall Log

:man_shrugging:

#15

Did you rate limit cached assets?

#16

Not yet, will that affect the entire site and all visitors?

This is purely coming from Australia

#17

Yes.

But I believe only users making too much requests will get rate limited, like what you mentioned - they are all coming from Australia.

Anyway, if you worry that you will affect other users, try use “simulate” instead of “block” action under the rate limiting rule.

#18

One of the Challenges has thrown up this UserAgent:

Dalvik/2.1.0 (Linux; U; Android 11; SM-G973F Build/RP1A.200720.012)

and this ASN:

133612

But with only approx 700 attempts (all Australia), but the 1.2 million requests are still coming.

I’m going to challenge those directly as well see if it has any impact

#19

It might be distributed - a lot of Australia IP address making requests to your website.

#20

yes agree
it’s just so baffling that I cant find the IPs