I got under attack from CloudFlare IP addresses

Recently my internet is slow so I can’t access some sites, so I tried to use CloudFlare DNS WARP+ on my iOS. Today when I checked my router log, I found that over 200 IPs from CF tried to access my router by port scanner. So I end up blocked the whole IP subnet before it exhausted my router firewall. What should I do now?

Which subnet was it? CF has two separate types of IP ranges they reserve (well 3 including the DNS for Gateway) - CF’s main proxy service (often 104.x.x.x) and CF’s Warp service (8.x.x.x).

Yeah, the Warp service (8.x.x.x)

The warp service very well could be used to port scans, but due to how close together the two events are (your firewall being hit and deciding to use Warp) it sounds like your router might be trying to block the legitimate traffic that’s used for communication with Warp.

Warp is built on Wireguard, which is a fairly new VPN protocol with uses UDP instead of TCP and will (in my experience) always use ports in the dynamic port range https://en.wikipedia.org/wiki/Ephemeral_port#Range. Since it’s UDP, there isn’t any concept of forming a connection with the remote computer, there’s only sending and receiving packets, so your router very well could see these UDP frames as “incoming connections”.

So my question would probably be, if you have logs, what ports is it trying to scan? Anything coming directly from the IPs for regular ports is probably not normal.

I opened port 55xxx, TCP to allow access from internet for my management. And those IPs only scanning this port and use TCP. If it fail the login 3 times, it get blocked. Since over 200 IPs get blocked by only this port. This is abnormal.

It would only be doing anything over UDP to my knowledge so I would bet your router doesn’t distinguish between udp and tcp. If that’s not the case then i’m not sure why it would be doing that.

I think I’m really under attack from CF’s Warp user. I’m using mikrotik so that is not the case of udp and tcp.

By the way, I inspect some of my clients use Warp+ tried to get free data by sharing their IDs. They access a site to get free 1GB every minute and so on. As I inspect that an ID of a user maybe an attacker.

ID: e8e03d8f-fce6-47db-a48a-1982558191aa