This IP has managed to bypass my WAF and continues to flood my site with requests. It appears to be attempting a full site leech while disguising itself as GoogleBot. I suspect it may be using techniques similar to those outlined in this article: "How to bypass CloudFlare bot protection ?" by jychp on Medium. I’ve configured a WAF rule to block the IP directly and am also using a managed rule designed to block fake GoogleBot attempts. Despite this, the attacker seems to bypass both protections. Here’s the user agent in question: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.116 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html). I’ve added the IP to my nginx deny list, which is now returning a 403 error. Additionally, I’ve configured iptables to drop connections from this address. However, I’m concerned that the attacker may switch to a new IP soon. Does anyone have suggestions on more robust ways to detect and defend against this kind of attack?
It seems the fix there was removing the Automatic Signed Exchange (SXG) feature, but I don’t use that. Yet I’m thinking it may be related to something I am using that is causing the same thing to happen. I wish CF would create some documentation on this somewhere so we know what’s going on. I’m still not sure if I should continue to try and block it or not.
I guess the issue becomes: how do I know if it’s a legitimate request from Google, since they hide the origin IP, or is it a non-legitimate request from a worker someone on Cloudflare has made to scrape my site? Attempts to scrape my site are pretty common. I’m just not sure why Google would need to go through the 2a06:98c0:3600::103 IP address, as I get all sorts of GoogleBot hits that show up via normal Google IPs.
That’s how you know. The request only bypasses WAF because it is used for a Cloudflare feature that you have enabled in your settings. If you block the IP, you will notice that it does block requests from other Workers.
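One way to triage log lines that claim to be Googlebot, given as an added example that is not part of the thread or anyone's production code. It assumes nginx combined-format logs whose first field is the restored client IP; the function names, the Google prefixes and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: illustrative prefixes only. Load the current list from Google's
# published Googlebot ranges instead of hard-coding it.
GOOGLEBOT_NETS = [ipaddress.ip_network(n) for n in ("66.249.64.0/19", "2001:4860:4801::/48")]
# Cloudflare-owned IPv6 block that contains the address discussed in the thread.
CLOUDFLARE_NETS = [ipaddress.ip_network("2a06:98c0::/29")]

# nginx "combined": ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def classify(line):
    """Label one access-log line by whether its Googlebot claim matches its source IP."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    ip_text, ua = m.groups()
    if "googlebot" not in ua.lower():
        return "not-googlebot"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    if any(ip in net for net in GOOGLEBOT_NETS):
        return "googlebot-verified"
    if any(ip in net for net in CLOUDFLARE_NETS):
        # Source is Cloudflare itself (a Worker or a Cloudflare feature): the IP
        # alone cannot confirm or refute the Googlebot claim, so review separately.
        return "via-cloudflare"
    return "googlebot-spoofed"

def summarize(lines):
    """Count log lines per label."""
    return Counter(classify(line) for line in lines)

GB_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample lines (timestamps and paths are made up).
SAMPLE = [
    f'66.249.66.1 - - [10/Nov/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{GB_UA}"',
    f'2a06:98c0:3600::103 - - [10/Nov/2024:10:00:01 +0000] "GET /a HTTP/1.1" 200 900 "-" "{GB_UA}"',
    f'203.0.113.50 - - [10/Nov/2024:10:00:02 +0000] "GET /b HTTP/1.1" 200 900 "-" "{GB_UA}"',
    '198.51.100.7 - - [10/Nov/2024:10:00:03 +0000] "GET /c HTTP/1.1" 200 40 "-" "Mozilla/5.0 Firefox/132.0"',
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {count}")
```

Lines labelled `via-cloudflare` are the case discussed in this thread; rate and path patterns are needed to judge them, since the address does not identify the requester.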