XMLRPC - DOS - on site (logs included)

Why would they be doing this? - I should have blocked initially. CPU hit, causing site degradation. What makes it more interesting is that it’s an Android phone?

Log x 100’s - 10-12 POSTS per/min - for 30+ minutes

logName: “projects/xxxxxxxxx/logs/apache-access”
receiveTimestamp: “2020-02-10T15:08:42.378966487Z”
resource: {
labels: {…}
type: “gce_instance”
}
textPayload: "162.158.107.120 - - [10/Feb/2020:15:08:36 +0000] “POST /xmlrpc.php HTTP/1.1” 200 3772 “-” “Mozilla/5.0 (Linux; Android 9; SM-N950F Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.87 Mobile Safari/537.36 wp-android/14.0"”
timestamp: “2020-02-10T15:08:37.227472604Z”

Source: whois.arin.net
IP Address: 162.158.107.120
Name: CLOUDFLARENET
Handle: NET-162-158-0-0-1
Registration Date: 5/23/13
Range: 162.158.0.0-162.159.255.255

Org: Cloudflare, Inc.
Org Handle: CLOUD14
Address: 101 Townsend Street
City: San Francisco
State/Province: CA
Postal Code: 94107
Country: United States

Who? Cloudflare? Thats not them, you most likely are not rewriting IP addresses, hence the proxy addresses show up in your log.