Sometimes I get requests with a private IP in the CF_CONNECTING_IP connecting headers. These requests are coming from CF’s IPs (sites are not accessible outside those addresses anyway). Looking at the rest of the headers, it looks like the requests are trying to exploit some bugs in UserAgent string parsing.
As far as I am aware, spoofing of the real address should not be possible. Should I contact someone from CF about this?