Over the last several days our website has been getting flooded with what appear to be normal website requests that have CF IPs. Tens of thousands of requests a day. Our bandwidth usage has gone from a normal 4-5GB a day to 60+.
We paused CF and disabled workers but the traffic is still coming from CF IPs so it does not appear to be originating from our CF account. Nothing has changed in the account. Configuration has not been touched in months.
Same user agent for all requests, all requests are to legit pages.
“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36”
Obviously we can’t block the IPs because that would disable our custom caching workers.
How can we figure out the source of these and block them?
Feel free to share more details, but if all of the requests are coming in with the same user agent, you can make a rule in the Security → WAF tab to block all requests with specific user agents. Additionally, I believe Cloudflare lets everyone use 1 free rate limiting rule, but I may be wrong.
I’m not entirely sure, but it looks like someone might be hiding behind Cloudflare Warp, which is a service similar to a VPN. You can try blocking Cloudflare’s ASN number or a specific range of IPs that Cloudflare uses for warp.
I know that Apple also offers something called Private Relay, and I’m pretty sure they are partnered with Cloudflare, Fastly and maybe another CDN. It’s like a proxy/VPN but it only works in Safari. The requests sound like they’re real and the agent might confirm that it’s coming from an Apple device, possibly using Private Relay to disguise themselves.
Edit: I searched the list of IPs Apple provided for private relay and didn’t find the IPs you provided. I used SecurityTrails and Censys for a reverse IP lookup, and I didn’t find any history for the IPs, so unless your origin server logs show those IPs are the IPs Cloudflare is using to communicate with your origin, it’s likely safe to block them, even if temporarily.
What are the request headers? Specifically the “Host” header? It is possible that someone might have pointed their own Cloudflare domain to your IP address, and configured their WAF to bypass all rules to essentially “use Cloudflare against your server”.
Also, are you sure visitor IPs are read correctly? Maybe they could be spoofing X-Forwarded-For.
I recommend you create a block rule based on the “Host” header (to allow your own host value only), or rate-limit the malicious requests based on their “CF-Connecting-IP” header in your reverse proxy configuration.
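The checks suggested in this thread (is the peer really a Cloudflare edge, does the Host header belong to us, can CF-Connecting-IP be trusted, and which client or user agent is eating the bandwidth) can be run over the origin's own access log before deciding what to block. The script below is an added example written for this thread, not code from any poster or from Cloudflare. It assumes an Apache LogFormat of `%h %t "%r" %>s %b "%{Host}i" "%{CF-Connecting-IP}i" "%{User-Agent}i"`, a hypothetical own hostname `www.example.com`, and a snapshot of Cloudflare's published IPv4 list (https://www.cloudflare.com/ips-v4) that should be refreshed before use; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# ASSUMPTION: this copy may be stale; refresh from the live list before relying on it.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Hypothetical hostname this origin legitimately serves.
OUR_HOST = "www.example.com"

# Assumed Apache LogFormat:
#   "%h %t \"%r\" %>s %b \"%{Host}i\" \"%{CF-Connecting-IP}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<host>[^"]*)" "(?P<cfip>[^"]*)" "(?P<ua>[^"]*)"$'
)

CHROME_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36")

# Constructed sample log: two hits via a Cloudflare edge for our host, one via a
# Cloudflare edge but for a foreign Host header, one direct hit that forges
# CF-Connecting-IP, and one ordinary direct hit.
SAMPLE_LOG = [
    f'172.64.10.5 [10/May/2023:10:00:01 +0000] "GET /products HTTP/1.1" 200 51200 '
    f'"www.example.com" "203.0.113.7" "{CHROME_UA}"',
    f'172.64.10.5 [10/May/2023:10:00:02 +0000] "GET /about HTTP/1.1" 200 40960 '
    f'"www.example.com" "203.0.113.7" "{CHROME_UA}"',
    f'162.158.4.9 [10/May/2023:10:00:03 +0000] "GET /products HTTP/1.1" 200 51200 '
    f'"cdn.attacker.example" "198.51.100.20" "{CHROME_UA}"',
    '198.51.100.77 [10/May/2023:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 '
    '"www.example.com" "10.0.0.1" "curl/8.0"',
    '192.0.2.33 [10/May/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 '
    '"www.example.com" "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/112.0"',
]


def is_cloudflare(ip):
    """True if the TCP peer address falls inside a published Cloudflare range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_IPV4)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, our_host=OUR_HOST):
    """Attribute each request to a real client and flag the two abuse patterns."""
    report = {
        "foreign_host": [],          # (Host header, client) served via CF but not for us
        "spoofed_cf_header": 0,      # CF-Connecting-IP present but peer is not Cloudflare
        "ua_counts": Counter(),
        "client_counts": Counter(),
        "bytes_by_client": Counter(),
    }
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        from_cf = is_cloudflare(rec["src"])
        # CF-Connecting-IP is only trustworthy when the peer is a Cloudflare edge;
        # otherwise the header is attacker-controlled and the peer IP is the client.
        if rec["cfip"] != "-" and not from_cf:
            report["spoofed_cf_header"] += 1
            client = rec["src"]
        else:
            client = rec["cfip"] if rec["cfip"] != "-" else rec["src"]
        # Traffic arriving through Cloudflare for a Host we do not serve means
        # someone else's zone is pointed at this origin.
        if from_cf and rec["host"].lower() != our_host:
            report["foreign_host"].append((rec["host"], client))
        report["ua_counts"][rec["ua"]] += 1
        report["client_counts"][client] += 1
        report["bytes_by_client"][client] += 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return report


def top_clients(report, n=3):
    """Clients by request count, the input for a rate-limit or block decision."""
    return report["client_counts"].most_common(n)


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("foreign Host via Cloudflare:", r["foreign_host"])
    print("forged CF-Connecting-IP:", r["spoofed_cf_header"])
    print("top clients:", top_clients(r))
    print("top user agents:", r["ua_counts"].most_common(2))
```

Run it against the real log (one line per element of `lines`) after switching on the extra header fields; `foreign_host` entries justify a Host-based block rule at the origin, and `top_clients` gives the CF-Connecting-IP values worth rate-limiting, while a non-zero `spoofed_cf_header` count means the origin is reachable directly and should only trust that header from Cloudflare peers.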
Shoot, looks like it stopped before I had a chance to enable forensic logging for Apache to see request headers. It’s possible someone is routing crawling through CF.
This wasn’t the first time it has happened. Last month we had a similar thing, we didn’t notice it until we got our AWS bill and saw a big spike in outbound bandwidth cost.