Our site was DDoSed from Cloudflare IPs

We had an incident yesterday where our site was DDoSed for 30 mins from various Cloudflare IPs. We are not a Cloudflare customer, and there doesn't seem to be anywhere to report this abuse. The online abuse form only allows abuse to be reported for sites hosted on Cloudflare, and there is no way to speak to a human on the phone. The DDoS was through HTTP, so couldn't have been spoofed. There were thousands of requests per second to get the homepage of our website. Here is an example of some of the IPs:

108.162.241.219 - - [01/Dec/2023:23:31:50 -0500] "GET / HTTP/1.1" 301 244
162.158.178.48 - - [01/Dec/2023:23:31:50 -0500] "GET / HTTP/1.1" 301 244
172.69.223.114 - - [01/Dec/2023:23:31:50 -0500] "GET / HTTP/1.1" 301 244
172.64.236.94 - - [01/Dec/2023:23:31:50 -0500] "GET / HTTP/1.1" 301 244

Either you are not restoring visitors' IP addresses and thus the logs look like CF was DDoSing you, or somebody set up a dummy CF zone that points to your backend and attacked that.

Use mTLS (Authenticated Origin Pulls (mTLS) · Cloudflare SSL/TLS docs) and double-check that you are restoring visitors' IPs.
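The two checks suggested in that reply, as an added example that is not part of the thread or of Cloudflare's own tooling: classify the logged source addresses against Cloudflare's published IPv4 edge ranges, and show what "restoring the visitor IP" must look like if it is done at all (honour CF-Connecting-IP only when the TCP peer is actually a Cloudflare edge, otherwise anyone can forge the logged source). The range list is a snapshot of https://www.cloudflare.com/ips-v4 as of late 2023 and is an assumption that a real deployment must refresh from that URL; the header dictionary, the example client address 203.0.113.7 and the function names are illustrative.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4),
# late 2023. Assumption for this example: refresh from the URL instead of hard-coding in production.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The four source addresses pasted in the original post.
LOGGED_IPS = ["108.162.241.219", "162.158.178.48", "172.69.223.114", "172.64.236.94"]


def is_cloudflare_edge(ip: str) -> bool:
    """True when ip falls inside one of the published Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify(ips):
    """Map each address to whether it is a Cloudflare edge; all four thread IPs come back True."""
    return {ip: is_cloudflare_edge(ip) for ip in ips}


def client_ip(peer_ip: str, headers: dict) -> str:
    """Address to log and rate-limit on.

    CF-Connecting-IP is trusted only when the TCP peer is a Cloudflare edge.
    Honouring it from an arbitrary peer lets an attacker choose what gets logged
    and what gets rate-limited, which is worse than logging the edge address.
    """
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and is_cloudflare_edge(peer_ip):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return peer_ip


if __name__ == "__main__":
    for ip, edge in classify(LOGGED_IPS).items():
        print(f"{ip:16} cloudflare_edge={edge}")
    # Illustrative header values (203.0.113.7 is documentation address space, not a real visitor).
    print(client_ip("108.162.241.219", {"CF-Connecting-IP": "203.0.113.7"}))  # restored
    print(client_ip("198.51.100.4", {"CF-Connecting-IP": "203.0.113.7"}))     # peer kept: not an edge
```

If the poster's server were behind a Cloudflare zone, the unrestored log would look exactly like the four lines above; the point of the classification is that it cannot distinguish "our own zone, IPs not restored" from "someone else's zone pointed at us", which is why the thread goes on to ask about the Host header.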

As mentioned in the original post, we are not a Cloudflare customer, and we don't use Cloudflare on any of our sites. The DDoS definitely came from Cloudflare.

I see; the odds are that somebody has a zone pointing to your origin IP and is DDoSing that zone to attack your site through Cloudflare. What does the Host header look like for those requests?

Did you manage to capture the Host header in the requests? That would help identify the Cloudflare account if they were all the same.

It's possible this was targeted, by deliberately setting your IP address for a host. Or it could have been an error by a user who entered the wrong IP address and then noticed half an hour later.

You can try to report to [email protected].

Unfortunately it isn’t possible to get the headers after the fact. The only logs are the ssl access.log, which I pasted 4 lines of in my original post.

The [email protected] address just sends an automated reply saying to use the online form (which can’t be used for this type of abuse).

I'm not familiar with Cloudflare, but given that the log only shows the 301 redirect (which goes to a different part of our site), and there is never any request for the redirected page, it makes me think it wasn't simply someone using Cloudflare to redirect a site to our IP. Could it have been a Cloudflare Worker, or the WARP VPN? And how do we report abuse for these?
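The observation in that post (every request is a 301 for "/", and the redirect target is never fetched) is something that can be checked mechanically over the access log. The following is an added example, not code from the thread: it parses combined-format lines like the ones pasted above, counts per-IP bursts, and flags sources that were redirected but never requested the target, which is the signature of a flood tool that does not follow redirects rather than of a browser. The sample log is constructed (the four thread IPs repeated, plus a documentation-space visitor 203.0.113.9), and "/start" as the redirect target is an assumption; the thread does not name the page the 301 points to.

```python
import re
from collections import Counter, defaultdict

# Combined-log pattern matching the lines pasted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

EDGE_IPS = ["108.162.241.219", "162.158.178.48", "172.69.223.114", "172.64.236.94"]


def _line(ip, second, path, status, size):
    return f'{ip} - - [01/Dec/2023:23:31:{second:02d} -0500] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample log: each thread IP hits "/" three times in one second and twice in the
# next and never asks for the redirect target; one ordinary visitor (203.0.113.9) is redirected
# once and then fetches it. "/start" is an assumed target, not something the thread states.
SAMPLE_LOG = (
    [_line(ip, 50, "/", 301, 244) for ip in EDGE_IPS for _ in range(3)]
    + [_line(ip, 51, "/", 301, 244) for ip in EDGE_IPS for _ in range(2)]
    + [_line("203.0.113.9", 50, "/", 301, 244), _line("203.0.113.9", 51, "/start", 200, 5123)]
)


def parse(lines):
    """Yield dicts with ip, ts, method, path, status, size for every line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(lines, redirect_target):
    """Per source IP: requests, 301s served, requests for the redirect target, peak req/s."""
    stats = defaultdict(lambda: {"requests": 0, "redirects": 0, "followed": 0, "per_second": Counter()})
    for rec in parse(lines):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["per_second"][rec["ts"]] += 1          # the timestamp has one-second resolution
        if rec["status"] == "301":
            s["redirects"] += 1
        if rec["path"] == redirect_target:
            s["followed"] += 1
    return {
        ip: {"requests": s["requests"], "redirects": s["redirects"], "followed": s["followed"],
             "peak_per_second": max(s["per_second"].values())}
        for ip, s in stats.items()
    }


def flood_suspects(summary, min_peak_per_second):
    """IPs that were redirected, never fetched the target, and burst above the threshold."""
    return sorted(ip for ip, s in summary.items()
                  if s["redirects"] and s["followed"] == 0 and s["peak_per_second"] >= min_peak_per_second)


def peak_total_per_second(lines):
    """Highest request count seen in any single second across all sources."""
    return max(Counter(rec["ts"] for rec in parse(lines)).values(), default=0)


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG, "/start")
    for ip in flood_suspects(summary, min_peak_per_second=3):
        print(ip, summary[ip])
    print("peak total req/s:", peak_total_per_second(SAMPLE_LOG))
```

The threshold is deliberately a parameter: on the constructed sample a burst of three per second is enough, whereas on the real log (thousands of requests per second in total) the per-IP and total peaks would be what you quote in an abuse report, alongside the time window.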

Now that you mention it, it might have been WARP as well. Somebody sets up the VPN and floods a website, making it appear like it's coming from CF IPs.

I don't know what the best way to report those is; does the abuse email reject all your contact attempts?

Yes, that was posted to HN by me.

Here is the reply from the [email protected] email:

(It won’t let me post it all here, but I’ve included the important bits):

Thank you for your report.
To ensure the prompt processing of your abuse report we request that you please submit your abuse report through Cloudflare's abuse reporting web form at:

Yeah, that can be frustrating; I will see if we can get the attention of the right people to look into this.

I see that the biggest stresser/booter site is using cloudflare to proxy their site, and they are also boasting about taking down cloudflare enterprise customers like bet365.

https://imgur.com/a/wN18Kse
