High traffic from Cloudflare IP (DDoS Attack?!)

Hi everyone,

I’ve been using Cloudflare for a while and I was really satisfied with it until mid-June. Now I have a problem that I hope one of you can explain to me:

I have a small server running at a local data center. I have several IPs which I use for accessing the server. For a better understanding, let’s say that I have three IPs, A: 100.100.100.101, B: 100.100.100.102 and C: 100.100.100.103.

IP A I only use to access the server via SSH, and it is not used elsewhere. IPs B and C are used for a web and mail server that are running on the server.

Since mid-June I have been receiving a high traffic load from a Cloudflare IP (162.158.90.74) of between 600 and 1000 Mbit/s. The only thing I can do is restart the server to stop the “attack”. Sometimes it stays at a normal traffic level for two to three days; sometimes the traffic goes back to 600 Mbit/s or more five minutes after restarting the server.
I searched for the IP, which I found here, and it seems that this specific IP is used to perform DDoS malware attacks.

My big question is: Is there a possibility that Cloudflare IPs are used to perform DDoS attacks and if so, why is Cloudflare not doing something against it? Or is there another reason why this can happen?

Thanks for your help!

My big question is: Is there a possibility that Cloudflare IPs are used to perform DDoS attacks?

Not at all. The “Is Cloudflare attacking me?” section of Understanding Cloudflare DDoS protection – Cloudflare Help Center explains what’s happening.

Regarding the report that you posted, there is not much to comment on other than the fact that some “system administrator” wasn’t careful enough to recover the IPs in the web server logs and is likely generating thousands of false reports.

Hi, I am currently using iftop, and what I can see is that the reported IP from Cloudflare is in fact the source of the high traffic.

Not at all. The “Is Cloudflare attacking me?” section of Understanding Cloudflare DDoS protection – Cloudflare Help Center explains what’s happening.

Regarding the link you posted, I can confirm that I am recovering the visitor IP addresses. So it must have something to do with IP spoofing?! But how can I figure out if this is really the case? And if someone is really spoofing, how can I prevent my server from downloading tons of useless zeros…?

Just a quick addition:
IP A is only used for accessing the server over SSH.
IPs B and C are in the Cloudflare DNS app and are both using the Cloudflare proxy.

Cloudflare is a proxy between clients and your server. You will only see Cloudflare IP addresses unless you follow these instructions: Restoring original visitor IPs – Cloudflare Help Center

You should read the link posted before as it explains how it works.


Hi freitasmn,

Thanks for your comment. I am already using the declarations from the link you posted. Still, I see Cloudflare IPs producing high traffic.

If the logs you are reading show the CF IP, then at some point the IPs aren’t being restored properly. You can’t spoof an HTTP request; it wouldn’t get established.

Port scanning and brute-forcing also aren’t prone to spoofing; only DDoS attacks are. If you are getting DDoS attacked, then it’s on your hosting to fix that.

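The two points the replies above keep returning to, restoring the real visitor IP from the CF-Connecting-IP header and not trusting that header on connections that did not come from Cloudflare, can be checked with a small script. The following is an added example, not code from the thread or from Cloudflare: it classifies each request by the TCP peer address, and only when that peer lies inside Cloudflare's published IPv4 ranges does it substitute the header value. The range list is a snapshot that is assumed here so the example runs offline; in production it should be refreshed from https://www.cloudflare.com/ips-v4. The sample requests are constructed, using documentation addresses, and the 162.158.90.74 peer is the one named in the original post. Note that this only affects what your logs and rate limits record; a tool such as iftop still shows the TCP peer, so it will always show Cloudflare edge addresses for proxied traffic.

```python
"""Restore the visitor IP behind Cloudflare, trusting CF-Connecting-IP only when
the TCP peer is a Cloudflare edge. Added example; not code from the thread."""
import ipaddress
from typing import Dict, List, Optional

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumed/frozen here so the example runs offline; refresh from that URL in production.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def restore_visitor_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return the address to log and rate-limit on.

    CF-Connecting-IP is honoured only when the connection really came from a
    Cloudflare edge; a client hitting the origin directly could set the header
    to any value, so for non-Cloudflare peers the peer address itself is kept.
    """
    if is_cloudflare(peer_ip):
        claimed = _header(headers, "CF-Connecting-IP")
        if claimed:
            try:
                return str(ipaddress.ip_address(claimed.strip()))
            except ValueError:
                pass  # malformed header value: fall back to the edge address
    return peer_ip


def summarize(requests: List[Dict]) -> Dict[str, int]:
    """Count requests per restored visitor IP, as a log-analysis step would."""
    counts: Dict[str, int] = {}
    for req in requests:
        ip = restore_visitor_ip(req["peer"], req["headers"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample requests (TCP peer plus request headers); not real traffic.
SAMPLE_REQUESTS = [
    # Proxied request: the edge address from the original post carrying a real visitor IP.
    {"peer": "162.158.90.74", "headers": {"CF-Connecting-IP": "203.0.113.10"}},
    # Direct hit on the origin with a forged header: the header must be ignored.
    {"peer": "198.51.100.7", "headers": {"cf-connecting-ip": "10.0.0.1"}},
    # Edge connection without the header (e.g. a health check): keep the edge address.
    {"peer": "162.158.90.74", "headers": {}},
]

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_REQUESTS).items():
        print(f"{ip:>16}  {n} request(s)")
```

If the second kind of request shows up in your logs at all, the origin is reachable without going through Cloudflare, and the server's firewall should only accept HTTP(S) from the published ranges.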