I’m seeing numerous SYNFLOOD Blocked messages on my server that are coming from Cloudflare IP addresses.
Why is this happening? How can I stop them?
All of the packets are coming from 172.71.0.0/16 addresses.
These are almost certainly spoofed / forged packets. Are you a Cloudflare customer?
Yes, that’s why I’m wondering why I would be getting them.
Spoofed/forged packets directly to an origin server IP wouldn’t involve Cloudflare. Depending on your setup you could use Cloudflare tunnels and accept no connection from the internet.
If that’s the case, I’ll just block that network in iptables on the server.
Blocking that network at the server using iptables could block your site’s Cloudflare proxied traffic.
172.71.0.0/16 is part of 172.64.0.0/13
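The containment stated above, checked before a drop rule is added, together with a per-source count of the blocked SYNs; this is an added example, not part of the thread. The log lines are constructed (netfilter LOG style with an assumed `SYNFLOOD Blocked` prefix), the function names are hypothetical, and only the range named in this thread is listed.

```python
import ipaddress
import re
from collections import Counter

# Only the range named in the thread; the rest of the published list would be added here.
PROXY_RANGES = [ipaddress.ip_network("172.64.0.0/13")]

# Constructed sample lines (netfilter LOG style; the prefix text is an assumption).
SAMPLE_LOG = """\
Jan  1 00:00:01 web1 kernel: SYNFLOOD Blocked IN=eth0 OUT= SRC=172.71.10.5 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=443 SYN
Jan  1 00:00:01 web1 kernel: SYNFLOOD Blocked IN=eth0 OUT= SRC=172.71.10.5 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=443 SYN
Jan  1 00:00:02 web1 kernel: SYNFLOOD Blocked IN=eth0 OUT= SRC=172.69.22.14 DST=192.0.2.10 PROTO=TCP SPT=51820 DPT=443 SYN
Jan  1 00:00:03 web1 kernel: SYNFLOOD Blocked IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=80 SYN
Jan  1 00:00:04 web1 sshd[811]: Accepted publickey for admin from 198.51.100.4
"""

SRC_RE = re.compile(r"SYNFLOOD Blocked.*?\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def overlapping_proxy_ranges(cidr):
    """Return the proxy ranges that a proposed block would cut into."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(r) for r in PROXY_RANGES if net.overlaps(r)]


def summarize(log_text):
    """Count SYNFLOOD hits per source, split by whether the source is in a proxy range."""
    inside, outside = Counter(), Counter()
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue  # not a SYNFLOOD line
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        bucket = inside if any(ip in r for r in PROXY_RANGES) else outside
        bucket[str(ip)] += 1
    return inside, outside


if __name__ == "__main__":
    print("block 172.71.0.0/16 overlaps:", overlapping_proxy_ranges("172.71.0.0/16"))
    inside, outside = summarize(SAMPLE_LOG)
    print("sources inside proxy ranges:", dict(inside))
    print("sources outside proxy ranges:", dict(outside))
```

A non-empty overlap result means the proposed block would also drop proxied traffic for the site.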
So is it spoofed traffic or an issue in Cloudflare?
One of my servers too. I’m showing around 130 Cloudflare connections and multi connects from 172.69.22.*
It’s a pain, cache fills and ads fail to serve.
Even though iptables can drop or reject packets at the kernel level, the server will still receive the packet, leading to potential performance problems where the port can be easily overwhelmed.
If your port is being overwhelmed, a stateful firewall that prevents spoofed packets from reaching your servers is needed.
If your problem lies at Layer 7, iptables might be enough.