The 'Workers' feature makes CF's protection useless

Hi,
I think the ‘Workers’ feature has been a threat to those sites using Cloudflare. I found this log in my server:

real_IP:[2a06:98c0:3600::103], proxy_CDN_IP:[2a06:98c0:3600::103] “GET /xxxx HTTP/1.1” 304 0 “-” “Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)” “2a06:98c0:3600::103”

This IP belongs to Cloudflare, but it pretends to be a Google bot.

If you search for this IP at https://www.abuseipdb.com/check/2a06:98c0:3600::103, you will see it has been reported many times.

It has been crawling my site since 19/Oct/2021.

I think there are two security issues in the ‘Workers’ feature:

  1. no specific HTTP request header for ‘Workers’ (Am I right?)
  2. no static IP ranges for ‘Workers’

So, even if you:

  1. enable ‘Full (strict)’ in the ‘SSL/TLS’ feature
  2. enable the server’s iptables and CF’s firewall

you still can’t identify or block those requests coming from ‘Workers’.

I don’t know if this is by design or something. In my opinion, it is a threat to my server. Attackers can use ‘Workers’ to crawl your site or they can scan the server’s vulnerabilities without prey computer. I urge the CF team to do something to make CF safer, thank you.

regards

Incorrect.

They are trivially blocked in firewall rules and always carry the CF-Worker header.

2 Likes
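An added example, not part of either post: a small access-log classifier that uses the CF-Worker request header mentioned in the reply to separate Worker subrequests from ordinary proxied traffic, and flags the Googlebot user-agent case from the first post. The log format (with the CF-Worker header logged as the last field), the single Cloudflare range, and the zone names are assumptions made for this sketch.

```python
import ipaddress
import re

# Assumption: a single Cloudflare IPv6 range that covers the address quoted in
# the post; a real deployment loads the full list Cloudflare publishes.
CF_RANGES = [ipaddress.ip_network("2a06:98c0::/29")]

# Constructed log format (assumption): ip "request" status "user-agent" "cf-worker"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<worker>[^"]*)"$'
)

# Constructed sample lines; only the IPv6 address and Googlebot UA come from the post.
SAMPLE_LOG = """\
2a06:98c0:3600::103 "GET /xxxx HTTP/1.1" 304 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "worker-zone.example"
2a06:98c0:3600::103 "GET /about HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)" "-"
203.0.113.9 "GET / HTTP/1.1" 200 "curl/8.0" "spoofed.example"
"""

def classify(line):
    """Return (label, cf_worker_value) for one access-log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return ("unparsed", None)
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return ("unparsed", None)
    from_cf = any(ip in net for net in CF_RANGES)
    worker = m["worker"] if m["worker"] not in ("", "-") else None
    if worker and not from_cf:
        # Peer is not Cloudflare, so the header is client-supplied and proves nothing.
        return ("untrusted-header", worker)
    if worker:
        # Googlebot crawls from Google's own network, not from a Worker subrequest.
        label = "worker-claims-googlebot" if "Googlebot" in m["ua"] else "worker"
        return (label, worker)
    return ("cloudflare-proxy" if from_cf else "direct", None)

def classify_log(text):
    """Classify every non-empty line of an access log."""
    return [classify(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for result in classify_log(SAMPLE_LOG):
        print(result)
```

The same condition (CF-Worker header present on a request arriving from a Cloudflare address) is what an origin-side block rule would match on.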
