IP 2a06:98c0:3600::103 (Cloudflare IP) Able to bypass WAF

What is the name of the domain?

example.com

What is the issue you’re encountering

This IP has managed to bypass my WAF and continues to flood my site with requests. It appears to be attempting a full site leech while disguising itself as GoogleBot. I suspect it may be using techniques similar to those outlined in this article: "How to bypass CloudFlare bot protection ? | by jychp | Medium".

I’ve configured a WAF rule to block the IP directly and am also using a managed rule designed to block fake GoogleBot attempts. Despite this, the attacker seems to bypass both protections. Here’s the user agent in question:

Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.116 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

I’ve added the IP to my nginx deny list, which is now returning a 403 error. Additionally, I’ve configured iptables to drop connections from this address. However, I’m concerned that the attacker may switch to a new IP soon. Does anyone have suggestions on more robust ways to detect and defend against this kind of attack?

What steps have you taken to resolve the issue?

Block the IP in the WAF.

What is the current SSL/TLS setting?

Off

What are the steps to reproduce the issue?

This IP address is that used by Cloudflare Workers when accessing a zone that is also under Cloudflare.

Also reported when Signed Exchanges are enabled…

Let me read over that thread, thanks for the heads up, lots of info there it seems.

It seems the fix there was removing the Automatic Signed Exchange (SXG) feature, but I don’t use that. Yet I’m thinking it may be related to something I am using that is causing the same thing to happen. I wish CF would create some documentation on this somewhere so we know what’s going on. I’m still not sure if I should continue to try and block it or not.

It’s mentioned here…

I guess the issue becomes: how do I know if it’s a legitimate request from Google, since they hide the origin IP, or a non-legitimate request from a Worker someone on Cloudflare has made to scrape my site? Attempts to scrape my site are pretty common. I’m just not sure why Google would need to go through the 2a06:98c0:3600::103 IP address, as I get all sorts of GoogleBot hits that show up via normal Google IPs.

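One way to answer the question above (telling a genuine Googlebot fetch from a Worker that only borrows its User-Agent) is to check the source address against Google's published crawler prefixes instead of trusting the UA string. This is an added Python example, not code from the thread or from Cloudflare; the prefix list and the nginx log lines are constructed samples, and the Googlebot IP list URL is Google's real published file.

```python
import ipaddress
import re

# Constructed sample in the shape of Google's published Googlebot list
# (https://developers.google.com/search/apis/ipranges/googlebot.json);
# only two prefixes are shown here, fetch and cache the real file in production.
GOOGLEBOT_RANGES_JSON = {"prefixes": [
    {"ipv4Prefix": "66.249.64.0/27"},
    {"ipv6Prefix": "2001:4860:4801:10::/64"},
]}

# A UA that claims to be Googlebot, whatever browser string surrounds it.
GOOGLEBOT_UA = re.compile(r"Googlebot/\d", re.IGNORECASE)

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def load_networks(ranges_json):
    """Parse the prefix list into ip_network objects (IPv4 and IPv6 mixed)."""
    return [ipaddress.ip_network(e.get("ipv4Prefix") or e.get("ipv6Prefix"))
            for e in ranges_json["prefixes"]]

def is_google_ip(ip, networks):
    """True if the address lies inside any published Googlebot prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def find_fake_googlebots(log_lines, networks):
    """Return (ip, request) for lines whose UA claims Googlebot from a non-Google IP.
    Unlike blocking the shared Workers IP outright (which, as noted in the thread,
    also blocks other Workers), this flags only requests that fake the crawler UA."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and GOOGLEBOT_UA.search(m["ua"]) and not is_google_ip(m["ip"], networks):
            hits.append((m["ip"], m["req"]))
    return hits

# Constructed access-log lines (timestamps and paths invented for this example).
SAMPLE_LOG = [
    '2a06:98c0:3600::103 - - [18/Nov/2024:10:00:01 +0000] "GET /page/1 HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/130.0.6723.116 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.64.5 - - [18/Nov/2024:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [18/Nov/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 8192 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0.0.0 Safari/537.36"',
]
```

Run over the sample, only the Workers egress address from this thread is flagged, while the request from inside a Google prefix passes. Google also documents a reverse-then-forward DNS check (the PTR must end in googlebot.com or google.com and resolve back to the same IP) for the case where the list cannot be fetched.
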
That’s how you know. The request only bypasses WAF because it is used for a Cloudflare feature that you have enabled in your settings. If you block the IP, you will notice that it does block requests from other Workers.