Machines connecting to a malicious CloudFlare IP (104.21.69.79)

Good day,

I have a client that is having several alerts indicating connections attempts to the IP 104.21.69.79, that as far as I have investigated, is a CloudFlare IP that was used by Ransomware group Darkside.

The IP is not blacklisted because of it is malicious by itself, but because of it is the “entry point” to a malicious domain/IP that is hosted behind the IP.

The problem we are facing is that we are unable to found what is the exact URL or IP, as this IP (104.21.69.79) may have a huge amount of URLs and IPs hosted behind. We face the same problem with AWS IPs.

It will be possible to have a list of the domains (or at least, the suspicious domains) hosted behind this IP? Having the IP in the blacklist stops all the requests. This include legit requests that are performed against a legit URL/IP hosted behind this IP.

We want to avoid having this IP in the blacklist as blocked legit connections are affecting our users. But we don’t want to unblock the IP until we are 100% sure that no one of the hosted domains are unsafe.

Can you please help us with this case?
Thanks in advance.

If you are seeing a lot of suspicious activity from one Cloudflare IP, you can report them to us through this form: Abuse form | Cloudflare | The web performance & security company - probably the best category to use would be malware & phishing

Looking at what you’ve written here:

If you haven’t yet - I will recommend you restore original visitor IPs as this may give you a better insight into the traffic you are seeing.

Good day Weronika, thank you very much for your quick answer. Note that the IP is probably safe but the URL hosted behind is the real malicious one.

Detections come from our EDR, as IP is in the blacklist any conections made against it will be blocked and generate an alert. CloudFlare is not installed in our envirenment.

Regards.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.