Wanted to find out why we see so many hits on www.[domain-name].co.uk.cdn.cloudflare.net?
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
We are getting a lot of hits, sometimes tens of thousands, on www.[domain-name].co.uk.cdn.cloudflare.net
Wanted to find out if anyone has any idea why this is suddenly a common target across all our sites
I’m seeing the hits on both sites that have no caching and sites that are 100% cached
More on one of the non-cached sites, but that gets many more hits anyway
They appear to be 100% attack attempts, based on the ASN sources and the URLs where they are anything other than root, so no legitimate or existing URLs, loads of script kiddie non-existent WordPress attack attempts and going to a hostname that will only ever return Error 1000 anyway so completely pointless - which was why I was trying to find out why
E.g. lots from AS206216 - ADVIN-AS in Germany, a constant source of script kiddie attack attempts, and permanently blocked, trying to GET www.[domain-name].uk.cdn.cloudflare.net/wp-content/plugins/WordPressCore/include.php
Nearly 200 script kiddie WordPress attack attempts from 52.165.145.197 for example www.[domain-name].co.uk.cdn.cloudflare.net/wp-admin/images/xmrlpc.php
And from many other IPs, all in perm blocked ASNs and countries
Seems dumb to attack a URL that will always return an Error 1000, or is the idea to try to get some info from the error handling system or some attempts to get around the protection or error handling blocks as it's attacks from perm blocked ASNs and countries?
I don’t see it on any of my domains so it may be that hostname has got on a list somehow (did you ever use it as a CNAME target?) and it is just being used as any other name on the list will be.
It has never been used as a CNAME target as it doesn't exist and never has in any of our domains
I’m suspicious that most of the attempts are from what are classed as high risk or very high risk ASNs, e.g. AS8075, AS394230, AS10557, AS16276, AS398324, AS8560 and also are almost exclusively script kiddie attack attempts - mainly WordPress attack attempt scripts when none of our sites use WordPress etc
It looks as if it's being used as some sort of attempt to get around Cloudflare protection or similar - but that's dumb as it will always return Error 1000
We now have sites where almost 100% of traffic is this type of attack and we are also seeing where the same IP is using the same script against multiple sites but using the *.cdn.cloudflare.net URL on some but not all sites - which again makes me think they think it's some way of getting around Cloudflare
Daft thing is they are all permanently blocked ASNs in permanently blocked countries so it's all pointless anyway but I was interested to see what they think they are doing
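The thread above is about spotting and measuring scanner traffic that targets the `*.cdn.cloudflare.net` hostname instead of the real site. The following script is an added example, not code from the thread or from Cloudflare: it runs over a few constructed log records laid out like Cloudflare Logpush HTTP request entries (the `ClientRequestHost`, `ClientASN`, `ClientRequestPath` and `ClientIP` field names are the documented Logpush names; the IPs, ASNs and `example.co.uk` hostname are placeholders), separates hits on the CDN hostname from normal site traffic, and breaks them down by ASN, source IP and requested path so you can see what share of a site's traffic this is and whether it is the WordPress-style probing the poster describes. It also emits a candidate Cloudflare Rules expression using the `http.host` field and `contains` operator, which you would check against your own zone before deploying.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in Cloudflare Logpush (HTTP requests) style.
# Hostname, IPs and ASNs are placeholders, not values from any real log;
# the two WordPress paths are the ones quoted in the thread.
SAMPLE_LOG = """\
{"ClientIP":"203.0.113.10","ClientASN":64496,"ClientRequestHost":"www.example.co.uk.cdn.cloudflare.net","ClientRequestPath":"/wp-content/plugins/WordPressCore/include.php"}
{"ClientIP":"203.0.113.10","ClientASN":64496,"ClientRequestHost":"www.example.co.uk.cdn.cloudflare.net","ClientRequestPath":"/wp-admin/images/xmrlpc.php"}
{"ClientIP":"198.51.100.7","ClientASN":64497,"ClientRequestHost":"www.example.co.uk","ClientRequestPath":"/"}
{"ClientIP":"198.51.100.8","ClientASN":64497,"ClientRequestHost":"www.example.co.uk.cdn.cloudflare.net","ClientRequestPath":"/wp-login.php"}
{"ClientIP":"192.0.2.5","ClientASN":64498,"ClientRequestHost":"www.example.co.uk","ClientRequestPath":"/about"}
"""

# Any Host header ending in this suffix is the Cloudflare-side CDN name,
# which the thread notes only ever answers with Error 1000.
CDN_SUFFIX = ".cdn.cloudflare.net"


def parse_records(text):
    """Parse newline-delimited JSON log lines into dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_cdn_hostname_hit(record):
    """True when the request was addressed to the *.cdn.cloudflare.net name."""
    host = record.get("ClientRequestHost", "").lower().rstrip(".")
    return host.endswith(CDN_SUFFIX)


def looks_like_wordpress_probe(path):
    """Crude check for the WordPress-style paths the poster lists (/wp-*)."""
    return path.lower().startswith("/wp-") or "/wp-" in path.lower()


def summarise_cdn_hits(records):
    """Count CDN-hostname hits and break them down by ASN, IP and path."""
    hits = [r for r in records if is_cdn_hostname_hit(r)]
    by_asn = Counter(r["ClientASN"] for r in hits)
    by_path = Counter(r["ClientRequestPath"] for r in hits)
    ips_per_asn = defaultdict(set)
    for r in hits:
        ips_per_asn[r["ClientASN"]].add(r["ClientIP"])
    wp_probes = sum(1 for r in hits if looks_like_wordpress_probe(r["ClientRequestPath"]))
    return {
        "total": len(records),
        "cdn_hits": len(hits),
        "share": len(hits) / len(records) if records else 0.0,
        "wordpress_probes": wp_probes,
        "by_asn": dict(by_asn),
        "by_path": dict(by_path),
        "ips_per_asn": {asn: sorted(ips) for asn, ips in ips_per_asn.items()},
    }


def block_expression():
    """Candidate Cloudflare Rules expression matching the CDN hostname.

    http.host and the contains operator are standard Rules language
    features; verify the expression in your zone's rule editor first.
    """
    return f'(http.host contains "{CDN_SUFFIX}")'


if __name__ == "__main__":
    summary = summarise_cdn_hits(parse_records(SAMPLE_LOG))
    print(json.dumps(summary, indent=2))
    print("Rules expression:", block_expression())
```

In practice you would feed this the Logpush export for one site and compare `share` across sites, which is the "almost 100% of traffic" observation from the thread made measurable; `ips_per_asn` shows whether one ASN is a single source or a pool of hosts running the same script.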