Peculiar access from Cloudflare IPs

Hello all helpful people on this forum,

I have this application that I deployed on Heroku, which is NOT connected to Cloudflare in anyway what so ever.

Today, when I inspect the log in the Heroku control panel, I discovered few weird access attempts:

2019-12-25T06:48:55.460925+00:00 heroku[router]: at=info method=GET path="/-----https:/www.voachinese.com/" host=[reducted].herokuapp.com request_id=27d3aeeb-f7c6-4f52-a426-d264c9d2bf72 fwd="172.69.34.119" dyno=web.1 connect=2ms service=6ms status=404 bytes=1234 protocol=http
2019-12-25T06:48:56.756689+00:00 heroku[router]: at=info method=GET path="/-----https:/www.google.com/" host=[reducted].herokuapp.com request_id=2b14be57-e392-4683-8d83-217500ecbff5 fwd="172.68.143.51" dyno=web.1 connect=0ms service=1ms status=404 bytes=1234 protocol=http
2019-12-25T06:49:04.167481+00:00 heroku[router]: at=info method=GET path="/-----http:/dongtaiwang.com/" host=[reducted].herokuapp.com request_id=f76cd10a-1cc9-46bb-a8f8-cddfe459de2f fwd="172.68.47.53" dyno=web.1 connect=1ms service=1ms status=404 bytes=1234 protocol=http
2019-12-25T07:01:50.011164+00:00 heroku[router]: at=info method=GET path="/-----https:/www.voachinese.com/" host=[reducted].herokuapp.com request_id=3db5e16e-f706-475f-b16e-e62270b0ff86 fwd="172.68.47.48" dyno=web.1 connect=0ms service=1ms status=404 bytes=1234 protocol=http

After I looked up those IP addresses, namely 172.68.47.48, 172.68.47.53, 172.68.143.51 and 172.69.34.119, I found out that all of those are been used (maybe still in use) by Cloudflare.

I’m a Cloudflare user myself. Based on my experience, Cloudflare will never send such request all by itself. So I wonder, could that be some kind of attack or spy-scan? Maybe somebody is abusing Cloudflare to do preform some evil activities?

Perhaps it’s a client using Cloudflare Warp? If so, you may be able to get the actual client’s IP from the “CF-Connecting-IP” HTTP request header. Not sure if Heroku’s logging can be configured to do so though.

1 Like

This topic was automatically closed after 14 days. New replies are no longer allowed.