Suspicious Googlebot-like requests from 2a06:98c0:3600::103

Most of Googlebot traffics disappeared since last week, which have been replaced by traffics from this ip address:

2a06:98c0:3600::103

From what I can tell, this ip address is from Cloudflare

Anyone has similar issues?

Some observations:

  • Requests from this IP all have a user-agent “Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36”, which is similar to a legit Googlebot user-agent, but the string doesn’t include the text “Googlebot”.

  • I blocked traffics from this ip, but failed. Traffics are still coming through.

  • I blocked the user-agent from this ip, “Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36”, but failed. Traffics are still coming through.

That’s the IP sent in the CF-Connecting-IP header for cross-zone requests by Cloudflare Workers.

In short, these are Workers requesting your site - usually on the behalf of someone visiting them, but then can also be ran on a schedule.

If you don’t want traffic from Workers, you can use the firewall field cf.worker.upstream_zone to see if it’s a Worker (it’ll include their zone name) and challenge/block those as you see fit.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.