I need support; Cloudflare mitigating legitimate traffic

We have approximately 30k endpoints trying to communicate with a SaaS platform that appears to be behind Magic Transit. We identified the problem (a high percentage of aged-out traffic to a specific IP) about 6 weeks ago and have been back and forth with the SaaS provider and with our firewall vendor. The SaaS vendor is adamant that the issue is on our end, however…

  • Their engineers didn’t seem to realize that their IP blocks were advertised via Cloudflare
  • They could only identify (successful) traffic from us because they could see the UUID in the front-end logs; they saw no failed connection attempts
  • The source port on those ‘successful’ connections does not match the source port leaving our perimeter
  • All of the ‘successful’ connections have a source port in the 30k range

We believe a large percentage of our traffic is being actively mitigated; Cloudflare is sending Challenge-ACK responses to our attempts to initiate a TCP session (SYN).

We need assistance from Cloudflare.
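The symptom described in the post above (SYNs that get a bare ACK instead of a SYN-ACK, with the outcome apparently tied to the source port) can be checked from a packet capture on the egress firewall. The following is an added example written for this page, not code from the original poster or from Cloudflare: it pairs each outbound SYN with the first packet seen in the reverse direction and buckets the outcome by source-port band. The packet records are constructed stand-ins for what `tshark -T fields` would emit; the addresses (10.0.0.5, 203.0.113.10) and the flag constants are assumptions for illustration.

```python
"""Triage TCP SYN outcomes from a packet trace (added example, not from the post).

Each record is a constructed stand-in for a capture row. The question asked:
did our SYN get a SYN-ACK, a RST, a bare ACK (a 'challenge ACK', which is the
poster's theory), or nothing at all, and does that correlate with source port?
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

FourTuple = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int


def classify_syns(pkts: List[Pkt]) -> Dict[FourTuple, str]:
    """Pair every outbound SYN with the first packet seen on the reverse 4-tuple.

    Outcomes: 'syn-ack' (handshake proceeds, peer ACKs our ISN+1), 'rst'
    (actively refused), 'challenge-ack' (ACK set, SYN clear: the peer or a
    middlebox answers as if our SYN belonged to some other connection),
    'other', or 'no-response' (nothing came back, i.e. the session ages out).
    """
    syns: Dict[FourTuple, Pkt] = {}
    outcome: Dict[FourTuple, str] = {}
    for p in pkts:
        if p.flags & SYN and not p.flags & ACK:
            key = (p.src, p.sport, p.dst, p.dport)
            syns[key] = p                 # last SYN wins for retransmits
            outcome[key] = "no-response"
            continue
        key = (p.dst, p.dport, p.src, p.sport)  # reverse direction
        if key not in syns or outcome[key] != "no-response":
            continue                      # not a reply to one of our SYNs, or already classified
        isn = syns[key].seq
        if p.flags & SYN and p.flags & ACK and p.ack == (isn + 1) & 0xFFFFFFFF:
            outcome[key] = "syn-ack"
        elif p.flags & RST:
            outcome[key] = "rst"
        elif p.flags & ACK:
            outcome[key] = "challenge-ack"
        else:
            outcome[key] = "other"
    return outcome


def outcome_by_port_band(outcome: Dict[FourTuple, str], band: int = 10000) -> Dict[int, Counter]:
    """Bucket outcomes by source-port band (30000 covers 30000-39999) so the
    'the successful ones are all in the 30k range' observation can be tested."""
    hist: Dict[int, Counter] = defaultdict(Counter)
    for (_, sport, _, _), o in outcome.items():
        hist[(sport // band) * band][o] += 1
    return dict(hist)


# Constructed sample trace: 10.0.0.5 is our egress, 203.0.113.10 the SaaS VIP.
SAMPLE: List[Pkt] = [
    Pkt("10.0.0.5", 31000, "203.0.113.10", 443, SYN, 1000, 0),
    Pkt("203.0.113.10", 443, "10.0.0.5", 31000, SYN | ACK, 5000, 1001),     # normal handshake
    Pkt("10.0.0.5", 52000, "203.0.113.10", 443, SYN, 2000, 0),
    Pkt("203.0.113.10", 443, "10.0.0.5", 52000, ACK, 7777, 4242),           # bare ACK, unrelated numbers
    Pkt("10.0.0.5", 52001, "203.0.113.10", 443, SYN, 3000, 0),
    Pkt("203.0.113.10", 443, "10.0.0.5", 52001, RST | ACK, 0, 3001),        # refused
    Pkt("10.0.0.5", 52002, "203.0.113.10", 443, SYN, 4000, 0),              # never answered
]

if __name__ == "__main__":
    res = classify_syns(SAMPLE)
    for key, o in res.items():
        print(key, o)
    print(outcome_by_port_band(res))
```

Feed it the real capture rather than the sample and compare the histogram with the SaaS vendor's front-end logs: if every `syn-ack` sits in one port band and every `challenge-ack` in another, that is the correlation the post describes, stated in numbers rather than impressions. A bare ACK alone does not prove who sent it, so pair this with a TTL or traceroute comparison of the replies before attributing it to a specific hop.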

Hi there,

This behavior is likely intended by the customer.
If it’s not intended, your SaaS provider - who I assume is a Cloudflare customer or a customer of a customer - should be the ones contacting us.

Unfortunately we are unable to analyze it any further without our customer reaching out to us directly.

Take care.

My theory is that during active mitigation Cloudflare is performing some type of proxying of the traffic, which is why the source port has changed by the time the packets reach the SaaS platform, and that when no mitigation is being applied, the traffic is simply routed to the destination. Is that accurate?

No. If you see Cloudflare IPs returned when you query a hostname, your traffic will be proxied.
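The reply above gives the practical test: resolve the hostname and see whether the answers fall in Cloudflare's address space. Here is that check as an added example, not code from the thread or from Cloudflare. The prefix list is Cloudflare's published IPv4 and IPv6 ranges as of writing, which change over time, so refresh it from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 before relying on it. One caveat worth stating: a prefix announced through Magic Transit is the customer's own IP space, not a Cloudflare range, so this test only identifies the proxy (DNS) case; for the Magic Transit case the evidence is in the BGP origin and AS path for the prefix, which is outside what this script checks.

```python
"""Does a hostname resolve into Cloudflare's proxy ranges? (added example, not from the thread)"""
import ipaddress
import socket
import sys
from typing import Iterable, List

# Published Cloudflare ranges as of writing; refresh from
# https://www.cloudflare.com/ips-v4 and /ips-v6 before relying on them.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare(ip: str, ranges=CLOUDFLARE_RANGES) -> bool:
    """True if the address lies in any listed prefix of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges if net.version == addr.version)


def classify_answers(ips: Iterable[str]) -> str:
    """'proxied' when every answer is a Cloudflare address, 'direct' when none is,
    'mixed' when the answer set straddles both, 'no-answer' for an empty set."""
    flags = [is_cloudflare(ip) for ip in ips]
    if not flags:
        return "no-answer"
    if all(flags):
        return "proxied"
    if not any(flags):
        return "direct"
    return "mixed"


def resolve(host: str) -> List[str]:
    """Live lookup of A and AAAA answers (needs network; not used by the offline checks)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


if __name__ == "__main__":
    # Usage: python cfcheck.py saas.example.com  (hostname is an assumption)
    for host in sys.argv[1:]:
        answers = resolve(host)
        print(host, answers, classify_answers(answers))
```

If the answer set comes back `proxied`, the SaaS provider's hostname is orange-clouded and every connection you make terminates on Cloudflare before a separate connection is opened to the origin, which is why the source port the provider sees on the back end is not the one that left your perimeter. If it comes back `direct`, DNS is not the explanation and the question moves to how the destination prefix is routed.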
