Questionable HTTP requests via Cloudflare with arbitrary hostname logged on my web server

This is an interesting puzzle.
I am seeing HTTP requests logged on my production web server for a hostname/domain that is not ours.
e.g. 33-44-55-66.dns.okay.blue
The IP encoded in the hostname is one of the IPs of our AWS ELB for the origin server.
I know the request went through Cloudflare because we log the Ray ID in our web logs.
Cloudflare (1st level support) says that the domain “okay.blue” is not in their system.
And I can’t find any record of any hostnames ending in “okay.blue” in the Analytics dashboard. (Enterprise account)
We block access to our origin servers except for the Cloudflare IP ranges via AWS security group on the ELB.
When I try to access the special hostname using a browser it is blocked as expected.
Except one time I did get through and got to the default vhost on the web server and it was logged with a Ray ID.
As far as I can determine, the domain “okay.blue” is using sslip.io as their DNS server.
Otherwise I’m stumped as to how these requests are getting to our web server.
And if this poses some kind of threat.

okay.blue is a domain on Cloudflare.
https://cf.sjr.org.uk/tools/check?c0a7b537873a4a21ae75ddaab8dc4bb4

It could be a scan, for benign or bad reasons, trying to find out if an IP address points to a server behind Cloudflare.

You can block Cloudflare from connecting to your origin for domains not in your account by using authenticated origin pulls with your own certificate.


Thanks for the info, @sjr.
I was pretty sure that okay.blue was on Cloudflare but the extra DNS info confirms it.
Also it seems that the maker of sslip.io is behind this as the nameservers for the special hostname are in his domain.
I’m still waiting for a follow up response from Cloudflare Support.
In the meantime I will simply be restricting access to our default vhost.
Access to any of our real vhosts is by hostname so this scan method should not be able to access them.
Setting up Authenticated Origin Pulls would take a little more effort and collaboration in my org than I have time for at the moment.

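Added configuration example (not posted by either participant above) showing, on one nginx origin, both mitigations raised in this thread: the short-term fix from the reply above, a default vhost that refuses any Host header not in our own list, and the fuller fix from the earlier answer, Authenticated Origin Pulls with our own certificate. It assumes nginx on the origin and that the TLS connection from Cloudflare terminates on nginx itself, i.e. the ELB in front of it uses a TCP pass-through listener; if the ELB terminates TLS, the client-certificate check has to happen there instead. Hostnames, paths and the upstream address are placeholders. The "own certificate" part assumes the zone-level custom certificate has been uploaded to Cloudflare and Authenticated Origin Pulls enabled for the zone; the point of using your own certificate rather than Cloudflare's shared origin-pull CA is that the shared CA is presented by every Cloudflare zone that has the feature enabled, so on its own it would not stop traffic proxied through someone else's zone (like okay.blue) from reaching the origin.

```nginx
# Added example, not configuration from the thread. Placeholders throughout.

# 1. Catch-all vhost for any hostname we do not serve, e.g. 33-44-55-66.dns.okay.blue.
#    Cloudflare sends the requested hostname as SNI, so a fallback certificate is
#    needed for the handshake to complete; once it has, 444 closes the connection
#    without writing a response. (nginx 1.19.4+ can instead set
#    "ssl_reject_handshake on;" here to refuse unknown SNI before any HTTP.)
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/fallback.crt;   # placeholder, self-signed is fine
    ssl_certificate_key /etc/nginx/tls/fallback.key;   # placeholder
    return 444;
}

server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# 2. Real vhost, selected by exact hostname only. Anything else falls through to
#    the default servers above, so the scan described in the thread never reaches it.
server {
    listen 443 ssl;
    server_name www.example.com;                        # placeholder

    ssl_certificate     /etc/nginx/tls/origin.crt;      # placeholder
    ssl_certificate_key /etc/nginx/tls/origin.key;      # placeholder

    # Authenticated Origin Pulls with a zone-specific certificate: Cloudflare
    # presents the client certificate uploaded to *this* zone, so this file must
    # contain the CA that issued that certificate, not Cloudflare's shared
    # origin-pull CA (which every Cloudflare zone with the feature enabled presents).
    ssl_client_certificate /etc/nginx/tls/zone-origin-pull-ca.pem;   # placeholder
    ssl_verify_client      on;

    # A request that reaches here carried a client certificate chaining to our CA
    # and a Host header matching server_name.
    location / {
        proxy_pass http://127.0.0.1:8080;               # placeholder upstream
        proxy_set_header Host   $host;
        proxy_set_header CF-Ray $http_cf_ray;           # keep the Ray ID for the logs
    }
}
```

Check it the way the original poster did: request the sslip.io-style hostname directly and confirm the connection is closed rather than served by the default vhost, then, with Authenticated Origin Pulls enabled on the zone, make a request to the real hostname without a client certificate (for example from a host in the Cloudflare IP allowlist) and confirm nginx answers 400 instead of proxying it.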
