How can I block 2a06:98c0:3600::103 at WAF level

One of my websites is being (sort of) DDoS-ed by thousands of requests per minute coming from “2a06:98c0:3600::103” and a User-Agent equal to that of Google’s bot. I can’t block it based on User-Agent due to that.

Also, the website is proxied behind Cloudflare, so I can’t block it through iptables or by routing to a blackhole.

I tried blocking it by WAF rules matching the IP. e.g. (ip.src eq 2a06:98c0:3600::103) or (http.x_forwarded_for eq "2a06:98c0:3600::103")

Unfortunately, that’s not working. My server is still receiving all the abusive traffic. Any idea how I could block all traffic from that IP?

That IP is in the Cloudflare proxy range 2a06:98c0::/29. Are you restoring visitor IPs?

Yes, I am, at the Nginx level (using set_real_ip_from), e.g. set_real_ip_from 2a06:98c0::/29;

All requests come with this User Agent: (Linux; Android 6.0.1; Nexus 5X Build/MMB29P). If I filter the logs by that UserAgent, I can see traffic from Google’s IPs.

This IP is used by outbound fetch requests from Workers. You can block these requests by leveraging the cf.worker.upstream_zone dynamic field in WAF.

2 Likes

Thanks @ncano!

I’ve tried the following rule (ip.src eq 2a06:98c0:3600::103) or (http.x_forwarded_for eq "2a06:98c0:3600::103") or (cf.worker.upstream_zone ne "") - i.e. catch all traffic that’s coming from a worker.upstream_zone; however, that has no effect. The aggressive crawler (or whatever it is) is still hitting my website hard.

Is there a more specific rule that I can use to block all traffic from workers (given that I’m not using them)?

Hey @ncano, could you please be more specific about how I can block that IP by using cf.worker.upstream_zone? As I shared earlier, I tried with cf.worker.upstream_zone ne "" (with the idea to block ALL worker zones); however, that doesn’t have any effect.

I would suggest ditching ip.src and all the other conditions and blocking based on a filter similar to this instead:
(cf.worker.upstream_zone == "" or cf.worker.upstream_zone != "[MYZONENAME.COM]")

1 Like
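
An added example, not written by any poster in this thread: a log triage script that counts requests whose restored client IP still falls inside the Cloudflare proxy range 2a06:98c0::/29 mentioned above, so the origin logs can be compared before and after a WAF rule change. It assumes nginx's "combined" log format; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Cloudflare proxy range named in the thread.
CF_RANGE = ipaddress.ip_network("2a06:98c0::/29")

# Assumed nginx "combined" format: ip - user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

UA = "(Linux; Android 6.0.1; Nexus 5X Build/MMB29P)"  # user agent quoted in the thread

# Constructed sample log; 2001:db8::/32 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = "\n".join([
    f'2a06:98c0:3600::103 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{UA}"',
    f'2a06:98c0:3600::103 - - [01/Jan/2024:10:00:01 +0000] "GET /a HTTP/1.1" 200 733 "-" "{UA}"',
    '2001:db8::5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
    f'2a06:98c0:3600::103 - - [01/Jan/2024:10:00:02 +0000] "GET /b HTTP/1.1" 404 0 "-" "{UA}"',
    'not a log line',
])


def triage(log_text):
    """Return (hits per in-range IP, hits per UA for those IPs, unparsed line count)."""
    by_ip, by_ua, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            skipped += 1
            continue
        # A restored "visitor" IP inside the proxy range means the request
        # reached the origin with a Cloudflare address as its client address.
        # IPv4 addresses never match an IPv6 network, so no version check is needed.
        if addr in CF_RANGE:
            by_ip[str(addr)] += 1
            by_ua[m.group("ua")] += 1
    return by_ip, by_ua, skipped


if __name__ == "__main__":
    ips, uas, bad = triage(SAMPLE_LOG)
    print(ips.most_common(), uas.most_common(), f"unparsed={bad}")
```
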