It seems the attacker is diversifying now. More ASN’s involved. All of this is now stopped by the FW so all they are seeing is 403’s. This is now really an attack on CF as this doesn’t reach my Workers anymore.
I wish I understood the ‘Why’ of this all…
