Suspicious Cloudflare IPv6 addresses

I have a bot problem that I’m working on solving. I currently use a combination of Cloudflare business + WAF rules + Bot Fight Mode + page rules where I enable IUAM for certain pages. With all that, bots still break through.

So I’ve recently implemented a next layer where I examine the incoming IP using a service like ip-api.com.

So far it’s worked fairly well; however, it is flagging Cloudflare IP addresses (AS1333) as being a proxy. An example IP is
2606:54c0:7680:d28::1d3:53 or
2606:54c0:76e0:d28::1d3:6f or
2606:54c0:7680:1048::11:164

My question is: Why would I be getting incoming traffic from Cloudflare IPs? Before I block these I want to make sure I’m not missing some Cloudflare service, etc. The description from ip-api.com says “Cloudflare WARP” … not sure if that is end users masking or hiding themselves perhaps?

Any insight is appreciated … thanks.

Those aren’t listed at cloudflare.com/ips

It is.

Interesting and very concerning … thank you @sdayman .

Another question is if these IPs aren’t listed on the official pages, then why do they seem to be registered to Cloudflare when you do a whois lookup against any of these IPs? It’s confusing and concerning, but it seems it’s good that I can block them.

That page isn’t as descriptive as it could be, but its intent is to act as an “Allow List” on what traffic you should let in. Those are the IP addresses of the proxy servers.

Because Cloudflare has many IP addresses that do many things.
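
The distinction drawn in the reply above, between the published proxy ranges and other Cloudflare-registered address space, can be checked mechanically. The following is an added example, not code from any poster in this thread: the range list is a snapshot of https://www.cloudflare.com/ips-v6 and must be refreshed from that URL before use, and the function names and the `2606:4700::1` sample address are constructed for illustration.

```python
import ipaddress

# Assumption: snapshot of the IPv6 ranges published at
# https://www.cloudflare.com/ips-v6 -- refresh from that URL before relying on it.
CLOUDFLARE_PROXY_V6 = [ipaddress.ip_network(n) for n in (
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def classify(addr: str) -> str:
    """Return 'cloudflare-proxy', 'other' or 'invalid' for one address string."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    # Only IPv6 ranges are loaded here, so IPv4 input is always 'other'.
    if ip.version == 6 and any(ip in net for net in CLOUDFLARE_PROXY_V6):
        return "cloudflare-proxy"
    return "other"


def partition(addrs):
    """Group addresses by classification so each bucket can get its own policy."""
    buckets = {"cloudflare-proxy": [], "other": [], "invalid": []}
    for a in addrs:
        buckets[classify(a)].append(a)
    return buckets


# The three addresses quoted in the question, plus constructed samples.
THREAD_ADDRS = [
    "2606:54c0:7680:d28::1d3:53",
    "2606:54c0:76e0:d28::1d3:6f",
    "2606:54c0:7680:1048::11:164",
]
CONSTRUCTED = ["2606:4700::1", "not-an-ip"]

if __name__ == "__main__":
    for kind, members in partition(THREAD_ADDRS + CONSTRUCTED).items():
        print(kind, members)
```

All three addresses from the question land in `other`: they are outside the published proxy list, so a Cloudflare whois result alone does not make an address part of the allow list.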

Got it, thank you. Does WARP hide the identities of the users, similar to a VPN? So if users (malicious or otherwise) are leveraging it, they could be anonymous?
