Why are we being DDoSed by Cloudflare?

118 points by cpncrunch, over 1 year ago

Earlier today we experienced a DDoS HTTP attack, which was automatically mitigated by OVH, so only caused minimal disruption. However it's concerning that it happened at all, as all the ips were Cloudflare ips, e.g.:

    162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    172.69.90.116 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    108.162.221.143 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    162.158.235.85 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    162.158.110.143 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    162.158.110.142 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    162.158.202.22 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
    162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244

(it was around 5800 requests per second to a site that normally gets 1 request per second or less at this time of day, and lasted 21.5 minutes).

As it is http, I don't think it could have been spoofed. I tried contacting cloudflare, but they are impossible to contact unless you are a customer. All their social media chat just uses bots and it is impossible to connect to a human if you're not a customer. I tried calling their emergency DDoS line, but the person just said that cloudflare doesn't DDoS people (even though I explained that the attack definitely came from their network, and someone was likely using their service to DDoS us). They simply refused to direct me to anyone else in their company. The phone number is just for people looking to purchase DDoS protection, and they don't have any other method of contacting them.

So, can someone explain why Cloudflare seems to be DDoSing us, and exactly how it happened?

There is no way to report abuse to Cloudflare unless it is a cloudflare website. (I tried, and it refuses to submit the report). I suspect it may be someone abusing their WARP VPN service, but there doesn't seem to be any way of reporting abuse about it.

15 comments

georgyo, over 1 year ago

More than likely someone with a high traffic site fat fingered an IP address and sent all the traffic to you.

I am curious if you were able to capture the headers at all. The 'Host' header would allow you to figure out the site these people were actually trying to hit. I'm fairly confident it was not your domain. You may want to put the Host header in your access logs. This may also explain why everyone got a 301 and using http.

No matter what you should be able to see this header 'Cf-Connecting-Ip' to know the true source.

While cloudflare is somewhat masking the origin IPs, a similar mistake without cloudflare would send at least the amount of traffic towards you.
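The triage suggested in the comment above, as an added example that is not part of the thread: once the Host and CF-Connecting-IP headers are logged, count which site the requests were meant for and which client addresses Cloudflare reports, trusting the header only when the peer is a Cloudflare address. The log layout, the range subset and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a subset of Cloudflare's published IPv4 ranges covering the peers
# in the post. Refresh from https://www.cloudflare.com/ips/ in real use.
CF_NETS = [ipaddress.ip_network(n) for n in
           ("162.158.0.0/15", "172.64.0.0/13", "108.162.192.0/18")]

# Assumed layout: the post's common log format with two quoted fields appended,
# the Host header and the CF-Connecting-IP header.
LINE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+'
    r' "(?P<host>[^"]*)" "(?P<cfip>[^"]*)"$')

# Constructed sample lines (peer addresses from the post, the rest invented).
SAMPLE = """\
162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244 "other-site.example" "203.0.113.7"
172.69.90.116 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244 "other-site.example:80" "203.0.113.7"
108.162.221.143 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244 "Other-Site.example" "198.51.100.9"
192.0.2.50 - - [01/Dec/2023:23:30:03 -0500] "GET / HTTP/1.1" 301 244 "other-site.example" "203.0.113.99"
162.158.110.143 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
"""

def from_cloudflare(ip):
    """True if ip parses and falls inside one of the listed Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CF_NETS)

def summarize(lines, own_hosts):
    """Count foreign Host values and reported client IPs, Cloudflare peers only."""
    hosts, clients, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            skipped += 1  # e.g. old-format lines that lack the two header fields
            continue
        if not from_cloudflare(m["peer"]):
            continue  # anyone can send CF-Connecting-IP; ignore it from other peers
        host = re.sub(r":\d+$", "", m["host"].lower())
        if host not in own_hosts:
            hosts[host or "-"] += 1
        clients[m["cfip"] or "-"] += 1
    return hosts, clients, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines(), {"www.mysite.example"}))
```

A Host value that dominates the first counter and is not one of your own names points to a misdirected DNS record or origin setting rather than a targeted attack.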
cookiengineer, over 1 year ago

Check out the crimeflare project (not the firewall thing).

A lot of hacking groups, terror organizations and other malicious actors have been using cloud flare for a while without them doing shit about it.

It's their business model. More DDoS means more cloudflare customers, yaaay.

A guy ran a DNS and logged all the suspicious domains linking to cloud flare (e.g. cname entries etc): he eventually gave up cause he was sued into oblivion (he was a Swiss guy operating from Switzerland).

http://web.archive.org/web/20210826102143/http://www.crimeflare.org:82/

And this kinda speaks for itself:

http://web.archive.org/web/20210826102230/http://www.crimeflare.org:82/cfsites.html
oneplane, over 1 year ago

Hanlon's razor suggests either human error (someone putting in the wrong DNS entry on their end) or someone abusing a cloudflare service.

All the other suggestions of malice are rather inefficient, especially considering the net value is lower than the cost to push those malicious actions.

As for the reporting: yeah, it seems rather dumb there is no easy to reach form for this, but you can message their abuse address and NOC which are listed in the WHOIS you probably queried anyway to find out Cloudflare owns those addresses:

    RNOCHandle: NOC11962-ARIN
    RNOCName: NOC
    RNOCPhone: +1-650-319-8930
    RNOCEmail: noc@cloudflare.com
    RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN
    RAbuseHandle: ABUSE2916-ARIN
    RAbuseName: Abuse
    RAbusePhone: +1-650-319-8930
    RAbuseEmail: abuse@cloudflare.com
    RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN

A phone call might be quicker if you're really curious about what is happening.
tyingq, over 1 year ago

The other posts may be correct in that someone with a cloudflare account accidentally pointed a service at your host.

That said, it is a pretty attractive platform if you want to build a scraper that operates either at no cost, or very low cost. Especially if you can aggregate multiple free level accounts without Cloudflare catching on. And it's pretty easy to write a bad scraper that handles things like redirects poorly, and becomes an unintentional DDOS machine.

Dumping the headers of some of the requests could help narrow down which type of Cloudflare service is hitting you.
buggeryorkshire, over 1 year ago

At a previous role we had our origin servers attacked by Cloudflare IP ranges even though we were locked down behind them. Seemed at the time anybody could spin up a CF worker and bypass origin restrictions.

philprx, over 1 year ago

Well they certainly can’t feel good about not detecting egress DDoS from their customer usage.

It could be VPN originating or maybe Worker originating maybe?

Don’t they have a security.txt and security@ email address?

Looks like posting to social media the full analysis of the attack is the sensible thing to do.
jdefr89, over 1 year ago
Security Researcher here. There could be lots of reasons for this. Do you have any more header information? It is hard to tell with what you have provided. Either way I would still report it to them so they can take a closer look.
solardev, over 1 year ago

If you put your own website behind Cloudflare while it's under attack from Cloudflare... does the internet explode?

OP you should try it and see what happens. It's only like $20 for the basic plan, and then you can ask their support once you log all the attacks coming from themselves to themselves...
injeolmi_love, over 1 year ago

This is one of Cloudflare's well documented tactics to force people to purchase their subscription services. I suspect but have no proof that it is overlooked by the authorities because an internet centralized under Cloudflare is easier to censor.
quags, over 1 year ago
2-3 years ago in a support role I would get requests about domains masked cloudflare pointing to someone’s site. So the other domain would show the content of the other site and be masked by cloudflare. Dumping all the $server variables would pinpoint better where it was coming from and it could be blocked.
r1ch, over 1 year ago

Is your DNS on Cloudflare? Their network will proxy requests to your domain even if you don't use their proxy service. You have to add a WAF rule to prevent this (I also got DDoSed this way).
relatedtitle, over 1 year ago

Are you sure this is not from their Cloudflare Warp service (VPN)? If it is, and you are a CF customer, you can see the real user's IP from a header.

neurostimulant, over 1 year ago

Is it possible to abuse Cloudflare Workers to perform ddos on the cheap?

Am4TIfIsER0ppos, over 1 year ago

How do you think they get people to sign up for their services?

ravenstine, over 1 year ago

Yes, we are being DDoS attacked by Cloudflare due to how they've made over half the web impossible to use without enabling browser anti-features to support fingerprinting and telemetry.