I just wanted to inform the Cloudflare security team and everyone else. Currently some people are bypassing the entire Cloudflare layer 7 protection. Below are the logs from nginx and the attack. The server is trusted to Cloudflare IPs only (IP Ranges | Cloudflare) with iptables + datacenter firewall, and the domain is proxied by Cloudflare for sure. So there is no way to access the server with an IP address without the domain hosted in Cloudflare. This has been tested already before I report here. Unless they are spoofing Cloudflare IPs, which I don't think?
126.96.36.199 - - [29/May/2021:23:45:56 +0200] "GET /clients.php HTTP/1.1" 200 "https://www.domain.com/clients.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" "188.8.131.52, 184.108.40.206,220.127.116.11"
The above nginx log clearly shows the request made over Cloudflare with Cloudflare IP 18.104.22.168, and the attacker's layer 7 bot IPs are in X-Forwarded-For, as below.
Above is just one log line; there are over 100,000 records with a million different IPs, and even 22.214.171.124 is not assigned to any network or country. All requests are coming over Cloudflare with various Cloudflare IPs. I don't know how, but they simply found a way to bypass Cloudflare. It looks like a very recent bypass, and it is coming hard to every other website if Cloudflare does not take any action before it happens.
The log clearly shows the connections are made over the Cloudflare proxy and those bot IPs are passing the Cloudflare servers now. I recommend the Cloudflare network team watch the entire network and connections.
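As an added illustration, not part of the original post: a small parser for the nginx line quoted above that separates the peer address (the host that actually connected to the server) from the X-Forwarded-For chain, and treats that chain the way a defender should. Only the rightmost entry was appended by a trusted proxy; everything to its left arrived inside the request and is controlled by whoever sent it. The trusted CIDR list is a constructed placeholder covering the anonymised addresses in the post, not Cloudflare's real ranges.

```python
import ipaddress
import re

# Constructed placeholder ranges so the post's sample line matches; in production
# load the reverse proxy's published address list (the one iptables already trusts).
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in ("126.96.36.0/24", "18.104.22.0/24")]

# Matches the custom nginx format from the post: status is followed directly by
# the referer, then the user agent, then a quoted X-Forwarded-For value.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# The post's own log line, with the forum's curly quotes normalised to plain quotes.
SAMPLE_LINE = (
    '126.96.36.199 - - [29/May/2021:23:45:56 +0200] "GET /clients.php HTTP/1.1" 200 '
    '"https://www.domain.com/clients.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" '
    '"188.8.131.52, 184.108.40.206,220.127.116.11"'
)


def safe_ip(text):
    """Parse an address token; malformed tokens are common in spoofed headers."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_trusted_proxy(ip):
    addr = safe_ip(ip)
    return addr is not None and any(addr in net for net in TRUSTED_PROXY_NETS)


def parse_line(line):
    """Return a dict with the peer, the XFF chain and which entries can be believed."""
    m = LOG_RE.match(line.replace("\u201c", '"').replace("\u201d", '"'))
    if not m:
        return None
    rec = m.groupdict()
    xff = [p.strip() for p in rec["xff"].split(",") if p.strip()]
    rec["xff_chain"] = xff
    rec["peer_trusted"] = is_trusted_proxy(rec["peer"])
    # Only the last entry was added by the proxy that connected to us; earlier
    # entries came from the previous hop and are attacker-controlled. If the peer
    # is not a trusted proxy, the whole header is untrusted.
    rec["client_ip"] = xff[-1] if rec["peer_trusted"] and xff else None
    rec["unverified_xff"] = xff[:-1] if rec["peer_trusted"] else xff
    # Entries that are not globally routable (or not even valid) are a red flag.
    rec["suspect_xff"] = [ip for ip in xff if safe_ip(ip) is None or not safe_ip(ip).is_global]
    return rec
```

Counting distinct `client_ip` values over the whole log, rather than every address in the header, gives a far smaller and more reliable picture of who is actually connecting to the proxy.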