Questionable traffic from non-USA Cloudflare locations

Hi Cloudflare Community,

For the past couple of months, there has been Cloudflare traffic from foreign countries hitting my network that I cannot identify. All of my public-facing domains are proxied through Cloudflare, utilizing their firewall filters to deny most foreign countries. However, I am seeing a lot of traffic on my NGFW periodically throughout the day from dozens of countries.

The port forward rule on the router allows only traffic originating from Cloudflare IP addresses. I also have a firewall rule on the NGFW to deny most foreign countries, which is where I am seeing the alerts. It seems as though there may be servers hosted on Cloudflare hitting my public IP address directly. The connections come in waves from approximately 3 minutes to over an hour in duration; however, those waves can happen anywhere from a few minutes to 12 hours or so apart.

Is it possible to determine if this is malicious traffic, and if there is a way to go about preventing it? My concern is that the traffic is getting in by means of a country I have whitelisted, and it is nearly impossible to differentiate the legitimate CF traffic from the potentially malicious CF traffic.

Below is a batch of related events (this is a less severe example; some instances can happen multiple times per second for over an hour). Thanks in advance for any help and advice.

session_id	time_stamp	protocol	c_client_addr	c_client_port	s_server_addr	s_server_port	client_country
106454462504828	2021-09-27 03:45:27.381	6	172.69.161.70	62397	10.10.10.10	4443	MG
106454462504825	2021-09-27 03:45:26.479	6	172.69.161.70	41517	10.10.10.10	4443	MG
106454462504819	2021-09-27 03:45:25.581	6	172.69.161.70	45557	10.10.10.10	4443	MG
106454462504809	2021-09-27 03:45:24.655	6	172.69.161.70	41633	10.10.10.10	4443	MG
106454462504800	2021-09-27 03:45:23.769	6	172.69.161.70	28841	10.10.10.10	4443	MG
106454462503403	2021-09-27 03:40:32.844	6	172.68.99.69	60589	10.10.10.10	4443	PA
106454462503400	2021-09-27 03:40:31.938	6	172.68.99.69	11693	10.10.10.10	4443	PA
106454462503399	2021-09-27 03:40:31.031	6	172.68.99.69	64425	10.10.10.10	4443	PA
106454462503393	2021-09-27 03:40:30.126	6	172.68.99.69	36407	10.10.10.10	4443	PA
106454462503389	2021-09-27 03:40:29.22	6	172.68.99.69	31263	10.10.10.10	4443	PA
106454462503153	2021-09-27 03:39:59.664	6	172.69.78.70	60053	10.10.10.10	4443	NP
106454462503149	2021-09-27 03:39:58.756	6	172.69.78.70	30825	10.10.10.10	4443	NP
106454462503148	2021-09-27 03:39:57.851	6	172.69.78.70	38129	10.10.10.10	4443	NP
106454462503144	2021-09-27 03:39:56.943	6	172.69.78.70	45871	10.10.10.10	4443	NP
106454462503141	2021-09-27 03:39:56.038	6	172.69.78.70	56909	10.10.10.10	4443	NP
106454462502859	2021-09-27 03:39:06.185	6	172.69.46.71	41865	10.10.10.10	4443	TZ
106454462502858	2021-09-27 03:39:06.101	6	172.69.103.70	62759	10.10.10.10	4443	IQ
106454462502856	2021-09-27 03:39:05.28	6	172.69.46.71	48449	10.10.10.10	4443	TZ
106454462502855	2021-09-27 03:39:05.196	6	172.69.103.70	62991	10.10.10.10	4443	IQ
106454462502849	2021-09-27 03:39:04.373	6	172.69.46.71	21365	10.10.10.10	4443	TZ
106454462502847	2021-09-27 03:39:04.291	6	172.69.103.70	32605	10.10.10.10	4443	IQ
106454462502839	2021-09-27 03:39:03.468	6	172.69.46.71	16831	10.10.10.10	4443	TZ
106454462502835	2021-09-27 03:39:03.386	6	172.69.103.70	32959	10.10.10.10	4443	IQ
106454462502831	2021-09-27 03:39:02.562	6	172.69.46.71	13435	10.10.10.10	4443	TZ
106454462502830	2021-09-27 03:39:02.481	6	172.69.103.70	64409	10.10.10.10	4443	IQ
106454462502796	2021-09-27 03:38:45.407	6	162.158.147.73	49363	10.10.10.10	4443	PY
106454462502794	2021-09-27 03:38:44.502	6	162.158.147.73	45701	10.10.10.10	4443	PY
106454462502789	2021-09-27 03:38:43.593	6	162.158.147.73	28447	10.10.10.10	4443	PY
106454462502788	2021-09-27 03:38:42.689	6	162.158.147.73	14751	10.10.10.10	4443	PY
106454462502783	2021-09-27 03:38:41.78	6	162.158.147.73	40515	10.10.10.10	4443	PY
106454462502526	2021-09-27 03:38:07.104	6	172.69.158.70	51345	10.10.10.10	4443	VN
106454462502520	2021-09-27 03:38:06.198	6	172.69.158.70	30705	10.10.10.10	4443	VN
106454462502516	2021-09-27 03:38:05.291	6	172.69.158.70	20773	10.10.10.10	4443	VN
106454462502513	2021-09-27 03:38:04.384	6	172.69.158.70	16683	10.10.10.10	4443	VN
106454462502500	2021-09-27 03:38:03.479	6	172.69.158.70	30085	10.10.10.10	4443	VN
106454462502492	2021-09-27 03:38:00.423	6	172.68.201.69	52939	10.10.10.10	4443	LK
106454462502491	2021-09-27 03:38:00.349	6	172.69.101.70	16855	10.10.10.10	4443	IQ
106454462502482	2021-09-27 03:37:59.517	6	172.68.201.69	13947	10.10.10.10	4443	LK
106454462502481	2021-09-27 03:37:59.441	6	172.69.101.70	52727	10.10.10.10	4443	IQ
106454462502473	2021-09-27 03:37:58.603	6	172.68.201.69	62511	10.10.10.10	4443	LK
106454462502472	2021-09-27 03:37:58.537	6	172.69.101.70	36993	10.10.10.10	4443	IQ
106454462502470	2021-09-27 03:37:57.702	6	172.68.201.69	48457	10.10.10.10	4443	LK
106454462502469	2021-09-27 03:37:57.63	6	172.69.101.70	49575	10.10.10.10	4443	IQ
106454462502458	2021-09-27 03:37:56.797	6	172.68.201.69	28637	10.10.10.10	4443	LK
106454462502457	2021-09-27 03:37:56.725	6	172.69.101.70	51309	10.10.10.10	4443	IQ
106454462499515	2021-09-27 03:27:40.539	6	172.69.16.70	10733	10.10.10.10	4443	HN
106454462499511	2021-09-27 03:27:39.63	6	172.69.16.70	36839	10.10.10.10	4443	HN
106454462499507	2021-09-27 03:27:38.726	6	172.69.16.70	50123	10.10.10.10	4443	HN
106454462499506	2021-09-27 03:27:37.819	6	172.69.16.70	13545	10.10.10.10	4443	HN
106454462499498	2021-09-27 03:27:36.911	6	172.69.16.70	25347	10.10.10.10	4443	HN
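
A triage sketch for the log above, added here as an example and not part of the original post: it groups sessions into per-source bursts, reports each burst's size and cadence, and checks whether the source falls inside Cloudflare's published ranges. The function name `bursts`, the 30-second gap threshold, and the two-prefix subset of https://www.cloudflare.com/ips-v4 are assumptions; the sample rows are copied from the post.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: two prefixes from Cloudflare's published IPv4 list; load the
# full, current list from https://www.cloudflare.com/ips-v4 in real use.
CF_NETS = [ipaddress.ip_network(n) for n in ("172.64.0.0/13", "162.158.0.0/15")]

# Header and ten rows copied from the log in the post.
SAMPLE = """\
session_id time_stamp protocol c_client_addr c_client_port s_server_addr s_server_port client_country
106454462504828 2021-09-27 03:45:27.381 6 172.69.161.70 62397 10.10.10.10 4443 MG
106454462504825 2021-09-27 03:45:26.479 6 172.69.161.70 41517 10.10.10.10 4443 MG
106454462504819 2021-09-27 03:45:25.581 6 172.69.161.70 45557 10.10.10.10 4443 MG
106454462504809 2021-09-27 03:45:24.655 6 172.69.161.70 41633 10.10.10.10 4443 MG
106454462504800 2021-09-27 03:45:23.769 6 172.69.161.70 28841 10.10.10.10 4443 MG
106454462502796 2021-09-27 03:38:45.407 6 162.158.147.73 49363 10.10.10.10 4443 PY
106454462502794 2021-09-27 03:38:44.502 6 162.158.147.73 45701 10.10.10.10 4443 PY
106454462502789 2021-09-27 03:38:43.593 6 162.158.147.73 28447 10.10.10.10 4443 PY
106454462502788 2021-09-27 03:38:42.689 6 162.158.147.73 14751 10.10.10.10 4443 PY
106454462502783 2021-09-27 03:38:41.78 6 162.158.147.73 40515 10.10.10.10 4443 PY
"""

def bursts(log_text, max_gap=30.0):
    """Return one summary dict per (source, port) burst, oldest burst first."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        if not line[:1].isdigit():          # skip the header row
            continue
        _sid, day, clock, _proto, caddr, _cport, _saddr, sport, country = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        by_client[(caddr, sport, country)].append(ts)
    out = []
    for (caddr, sport, country), times in by_client.items():
        times.sort()
        in_cf = any(ipaddress.ip_address(caddr) in net for net in CF_NETS)
        group = [times[0]]
        for ts in times[1:] + [None]:       # None flushes the final burst
            if ts is not None and (ts - group[-1]).total_seconds() <= max_gap:
                group.append(ts)
                continue
            span = (group[-1] - group[0]).total_seconds()
            mean = span / (len(group) - 1) if len(group) > 1 else None
            out.append({"client": caddr, "port": sport, "country": country,
                        "start": group[0], "count": len(group),
                        "mean_interval_s": mean, "in_cloudflare": in_cf})
            group = [ts]
    return sorted(out, key=lambda b: b["start"])

if __name__ == "__main__":
    for b in bursts(SAMPLE):
        print(b)
```

On the rows above, each source produces one burst of five connections spaced roughly 0.9 seconds apart. A fixed count and interval per source is a signature worth comparing against the origin server's own request logs for the same timestamps.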
