Getting bunch of requests from Cloudflare IPs

I have an AWS EC2 instance running Ubuntu, Nginx & PHP-FPM serving multiple WordPress websites for my clients. All websites are using Cloudflare.

Every now and then, CPU utilization peaks and when I check Nginx access log file I see requests similar to the following:

162.158.111.169 - - [14/Apr/2021:16:12:08 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.105.32 - - [14/Apr/2021:16:12:09 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.76.154 - - [14/Apr/2021:16:12:09 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.99.179 - - [14/Apr/2021:16:12:09 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
162.158.111.79 - - [14/Apr/2021:16:12:09 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
108.162.229.194 - - [14/Apr/2021:16:12:09 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.76.244 - - [14/Apr/2021:16:12:10 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
162.158.155.44 - - [14/Apr/2021:16:12:10 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.105.32 - - [14/Apr/2021:16:12:10 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.98.92 - - [14/Apr/2021:16:12:10 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
172.69.54.93 - - [14/Apr/2021:16:12:10 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
108.162.229.68 - - [14/Apr/2021:16:12:11 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
172.69.55.204 - - [14/Apr/2021:16:12:11 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
162.158.155.44 - - [14/Apr/2021:16:12:11 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.76.244 - - [14/Apr/2021:16:12:11 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
162.158.158.223 - - [14/Apr/2021:16:12:11 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.76.38 - - [14/Apr/2021:16:12:12 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.98.178 - - [14/Apr/2021:16:12:12 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
172.69.54.93 - - [14/Apr/2021:16:12:12 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"

I checked some of these IP addresses and they all came back as Cloudflare. These requests don’t have any domain information so I cannot know if they are coming for a specific website or not. I’m not sure if this is a bot, a hacker or Cloudflare itself.

Any ideas or past experiences that can help me understand what these are?

Thanks in advance.

That certainly explains why all IP addresses come from Cloudflare.

And it sounds like you haven’t done this:


Thanks for the info. I have the ngx_http_realip_module module installed and the following in my nginx.conf file:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

Still getting the following requests, and no domain is present in the header, only “-”. If only I could see a domain, I’d put that particular website under attack mode.

141.101.68.34 - - [14/Apr/2021:17:12:40 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.105.62 - - [14/Apr/2021:17:12:40 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
172.69.54.93 - - [14/Apr/2021:17:12:41 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
162.158.111.79 - - [14/Apr/2021:17:12:41 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
172.69.54.93 - - [14/Apr/2021:17:12:41 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.105.32 - - [14/Apr/2021:17:12:42 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
172.69.55.204 - - [14/Apr/2021:17:12:42 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.107.54 - - [14/Apr/2021:17:12:42 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.69.221 - - [14/Apr/2021:17:12:42 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.105.108 - - [14/Apr/2021:17:12:42 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
108.162.229.68 - - [14/Apr/2021:17:12:42 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
141.101.105.34 - - [14/Apr/2021:17:12:42 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
162.158.111.79 - - [14/Apr/2021:17:12:43 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
172.69.54.232 - - [14/Apr/2021:17:12:43 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"

Something is still wrong with your NGINX config if it’s not pulling the visitor IP from the headers.
Did you add this to the end of that conf file?

real_ip_header X-Forwarded-For;

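A quick check, added here and not part of the thread, for whether real-IP restoration is actually working: if every client address in the access log still falls inside Cloudflare's published ranges, nginx is logging the proxy rather than the visitor; once restoration works, the same parser tells you which visitor address to block at the edge. It reuses the ranges from the set_real_ip_from block above and constructed log lines in the same format as those posted (130.61.147.61 is the address named later in the thread; 198.51.100.7 is a documentation address used as filler).

```python
import ipaddress
import re
from collections import Counter

# Cloudflare ranges, copied from the set_real_ip_from block in the thread above.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "2400:cb00::/32", "2606:4700::/32",
    "2803:f800::/32", "2405:b500::/32", "2405:8100::/32", "2c0f:f248::/32",
    "2a06:98c0::/29",
)]

# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_cloudflare_edge(ip: str) -> bool:
    """True if the address belongs to one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def diagnose(lines):
    """Split logged client addresses into proxy addresses and restored visitor addresses.

    Returns (edge_hits, visitors): edge_hits counts requests still attributed to a
    Cloudflare edge address (real IP not restored); visitors counts requests per
    restored visitor address, so visitors.most_common() shows who to block at the edge.
    """
    edge_hits = 0
    visitors = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip = m.group("ip")
        if is_cloudflare_edge(ip):
            edge_hits += 1
        else:
            visitors[ip] += 1
    return edge_hits, visitors

# Constructed sample lines in the same format as the ones posted in the thread.
TEMPLATE = '{ip} - - [14/Apr/2021:17:12:40 +0000] "GET / HTTP/1.1" 301 11 "-" "Mozilla/5.0"'
BEFORE_FIX = [TEMPLATE.format(ip=ip) for ip in ("141.101.68.34", "172.69.54.93", "162.158.111.79")]
AFTER_FIX = [TEMPLATE.format(ip=ip) for ip in ("130.61.147.61", "130.61.147.61", "198.51.100.7")]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        edge, visitors = diagnose(sample)
        print(label, "edge hits:", edge, "top visitor:", visitors.most_common(1))
```

Run it against the real file with `diagnose(open("/var/log/nginx/access.log"))`; a non-zero edge count after adding real_ip_header means some requests still bypass the configured ranges, which is worth checking before trusting the visitor counts.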

You were right, I added those and now I see the IP address for those requests are coming from:

130.61.147.61

Since I’m using Cloudflare, I can’t simply add “deny 130.61.147.61” to my nginx.conf so I think I’ll have to add this IP address to every single website on Cloudflare to block, right?

For now, you can add it in Firewall → Tools and apply it to All websites.


That worked like a charm. Thanks for your help @sdayman

