URGENT: Malicious requests coming from Cloudflare Workers (2a06:98c0:3600::103)

What is the name of the domain?

workers.dev

What is the issue you’re encountering

For many days, someone has been abusing Cloudflare Workers to send malicious requests from the IP address 2a06:98c0:3600::103. Our server uses NGINX to properly forward the client’s real IP address from the CF-Connecting-IP header. Even though we forward it, this IP address has time and time again shown up in our logs. It always sends requests to odd/unrelated paths, searching for vulnerabilities. It appears that someone has managed to use the fetch() command in Cloudflare Workers to target Cloudflare-protected websites. Because of this, we are also unable to block requests coming from it as it’s allowlisted by Cloudflare. Many users have reported issues with this IP address in recent years and we need a permanent fix. According to Cloudflare’s own documentation, this IP address belongs to Cloudflare Workers. We have enabled logging of the CF-Worker header and it is always a bunch of random names, such as cigocy.workers.dev and hezareju.workers.dev.

What steps have you taken to resolve the issue?

We have enabled mTLS (Authenticated Origin Pulls) in hopes of it resolving the issue, but that did not work. We’ve tried blocking the IP address in WAF and it also did not work. The only thing we are able to do is to block it on the server level, inside NGINX, but it’s not a fix - it’s problematic to keep receiving requests from this Cloudflare IP address and then having to block them on the server level. It causes performance issues.

We need Cloudflare to take action against the abuse that’s happening in Cloudflare Workers. We need a way to properly block this. And we need clarification regarding whether or not our site ratings (SEO) will be affected by blocking this IP address. We need to know if this IP address is only used by Cloudflare Workers or if it also is used to direct traffic. The documentation I linked above does not answer that question.

I’ve made a post on the r/Cloudflare subreddit yesterday with more information. The link can be found here: https://www.reddit.com/r/CloudFlare/comments/1lehg3l/one_of_cloudflares_ip_addresses_is_abusively/

Previous topics regarding this IP address exist and it seems nothing has changed over the years. This is now an urgent matter and we need someone at Cloudflare to look into it as soon as possible.

It is a major issue that people are able to abuse Cloudflare Workers to send malicious requests from Cloudflare’s own IP address.

Below are two sample log messages (Please have a look at them):

Jun 18 17:41:17 LB2 nginx[8826]: lb2 nginx: {"source": "nginx", "timestamp": "2025-06-18T17:41:17+02:00", "ip": "2a06:98c0:3600::103", "country": "SE", "scheme": "https", "method": "GET", "uri": "/wordpress/wp-admin/setup-config.php", "status": "404", "referrer": "", "protocol": "HTTP/2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36", "bytesReceived": "452", "bytesResponded": "84", "duration": "0.000", "contentType": "", "host": "xxxxx.com", "httpHost": "xxxxx.com", "serverName": "xxxxx.com", "cfWorker": "cigocy.workers.dev", "xForwardedFor": "2a06:98c0:3600::103"}

Jun 19 04:38:11 LB1 nginx[10941]: lb1 nginx: {"source": "nginx", "timestamp": "2025-06-19T04:38:11+02:00", "ip": "2a06:98c0:3600::103", "country": "DE", "scheme": "https", "method": "GET", "uri": "/wordpress/wp-admin/setup-config.php", "status": "404", "referrer": "", "protocol": "HTTP/2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36", "bytesReceived": "454", "bytesResponded": "84", "duration": "0.000", "contentType": "", "host": "xxxxx.com", "httpHost": "xxxxx.com", "serverName": "xxxxx.com", "cfWorker": "hezareju.workers.dev", "xForwardedFor": "2a06:98c0:3600::103"}

If someone at Cloudflare reads this, please contact me via e-mail or in this thread. If someone is able to notify Cloudflare, please do so and help not just us, but others as well, who receive malicious requests from this IP address.

2a06:98c0:3600::103
2a06:98c0:3600:0000:0000:0000:0000:0103

Thank you in advance.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Strict (SSL-Only Origin Pull)

What are the steps to reproduce the issue?

Can you share your domain privately so I can test if my Worker is being blocked by your rule?

In the past, whenever that IP bypassed WAF rules, it turned out to be because the requests were made by Cloudflare for something the user had activated in their account, like the Signed Exchanges you mentioned.

Did you try a WAF rule using the field I recommended on Reddit?


Hello! How can I write to you privately on this forum? Otherwise, feel free to also reach out to me via Reddit (chat message): u/Hexsudo

Regarding cf.worker.upstream_zone: I have never used Cloudflare Workers so I don’t know what these “zones” are. You mean I should block the name of the worker in CF-Worker header or something else? They seem to be using different worker names all the time.

I have no use for anything Worker related, so if there’s a way to block everything coming in from Workers, that would be great.

A WAF rule like this:


Thank you! And I just replied to you on Reddit, but no need to reply there as I just saw your response here 🙂

Have you tested sending any requests from your worker? So far I don’t see anything in the logs. And would you like me to apply the WAF rule now or after you’ve tested?

I’ll need a few minutes as I’m on my phone^^

And you can create the rule now.

I’ve deployed the rule in WAF 🙂


I’ve made some requests now and they were all challenged.

Yes, I can see they were blocked. I got nothing in my nginx logs from them, which is nice.

However, it does not seem like the “Worker” CF rule I set up was what blocked them. Instead it was a “Managed Challenge” that blocked them, because I have another custom rule that challenges countries outside the EU. The requests you sent came from Brazil and were picked up by it.

Do you want me to switch the order of the WAF rules and place the “Worker” rule at the top, and you can try a few more requests - so we can see which rule blocked them?

WAF rules:

I have now moved the Worker to the top instead. Would it be possible for you to try a few more requests, so I can see if the “Worker” rule now blocks it instead of the “Region Challenge”?

This time it was blocked.

Works great! This time the Worker rule blocked it. And it came from the 2a06:98c0:3600::103 IP address. Woohoo! I’ll consider this a solution to the issue. Thank you so much!

Do you recommend I keep this rule at the top?

Currently I have the following rules:

  1. Worker (the one we set up)
  2. Block HTTP 1.0 protocol
  3. Block certain countries
  4. Challenge countries outside EU

I think this order of rules is the most optimal because I want to do the blocks as early as possible.
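The log lines and rule order discussed in this thread, as an added example that is not from any of the original posts: it parses the NGINX JSON log entries quoted above and runs a simplified first-match model of the WAF custom rules, showing that the EU-origin Worker requests are caught only by the Worker rule, and that a non-EU test request hits the country challenge unless the Worker rule sits above it. The EU and blocked-country sets, the Brazil test request and its Worker name are constructed assumptions.

```python
import json
from collections import Counter

# The two NGINX log lines quoted in the post, shortened to the fields used here
# (host redacted as in the original). The JSON body follows a syslog prefix.
SAMPLE_LOGS = [
    'Jun 18 17:41:17 LB2 nginx[8826]: lb2 nginx: {"timestamp": "2025-06-18T17:41:17+02:00", '
    '"ip": "2a06:98c0:3600::103", "country": "SE", "method": "GET", "protocol": "HTTP/2.0", '
    '"uri": "/wordpress/wp-admin/setup-config.php", "status": "404", "host": "xxxxx.com", '
    '"cfWorker": "cigocy.workers.dev"}',
    'Jun 19 04:38:11 LB1 nginx[10941]: lb1 nginx: {"timestamp": "2025-06-19T04:38:11+02:00", '
    '"ip": "2a06:98c0:3600::103", "country": "DE", "method": "GET", "protocol": "HTTP/2.0", '
    '"uri": "/wordpress/wp-admin/setup-config.php", "status": "404", "host": "xxxxx.com", '
    '"cfWorker": "hezareju.workers.dev"}',
]
# Constructed stand-in for the test Worker that called the site from Brazil.
BRAZIL_TEST = {"ip": "2a06:98c0:3600::103", "country": "BR", "method": "GET", "uri": "/",
               "protocol": "HTTP/2.0", "cfWorker": "test-worker.workers.dev"}

EU = {"SE", "DE", "FR", "NL", "FI", "DK"}  # assumed, shortened EU membership list
BLOCKED_COUNTRIES = {"XX"}                  # placeholder: the poster's list is not in the thread

# Simplified model of WAF custom rules: evaluated top to bottom, the first match decides.
# "Worker" stands for a rule on cf.worker.upstream_zone being non-empty (what the CF-Worker
# log field reflects); the other three are the rules the poster listed.
RULES_FINAL = [
    ("Worker", lambda r: r.get("cfWorker", "") != "", "Block"),
    ("Block HTTP 1.0 protocol", lambda r: r.get("protocol") == "HTTP/1.0", "Block"),
    ("Block certain countries", lambda r: r.get("country") in BLOCKED_COUNTRIES, "Block"),
    ("Challenge countries outside EU", lambda r: r.get("country") not in EU, "Managed Challenge"),
]
# The earlier order from the thread: the new Worker rule sat below the country rules.
RULES_INITIAL = RULES_FINAL[1:] + RULES_FINAL[:1]


def parse_line(line):
    """Strip the syslog prefix and decode the JSON object NGINX logged."""
    return json.loads(line[line.index("{"):])


def evaluate(request, rules):
    """Return (rule name, action) for the first matching rule, or (None, 'Allow')."""
    for name, matches, action in rules:
        if matches(request):
            return name, action
    return None, "Allow"


def worker_summary(lines):
    """Count logged requests per Worker name (the rotating CF-Worker values)."""
    entries = (parse_line(line) for line in lines)
    return Counter(e["cfWorker"] for e in entries if e.get("cfWorker"))
```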

Thank you so much, Laudian! I’ll mark your response as the solution. The WAF rule works wonders. I will keep an eye on the logs though and see if the site gets targeted again by those Workers.
