Why are we being DDoSed by Cloudflare?
162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
172.69.90.116 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
108.162.221.143 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
162.158.235.85 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
162.158.110.143 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
162.158.110.142 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
162.158.202.22 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
162.158.202.23 - - [01/Dec/2023:23:30:02 -0500] "GET / HTTP/1.1" 301 244
(it was around 5800 requests per second to a site that normally gets 1 request per second or less at this time of day, and lasted 21.5 minutes).
As it is http, I don't think it could have been spoofed. I tried contacting cloudflare, but they are impossible to contact unless you are a customer. All their social media chat just uses bots and it is impossible to connect to a human if you're not a customer. I tried calling their emergency DDoS line, but the person just said that cloudflare doesn't DDoS people (even though I explained that the attack definitely came from their network, and someone was likely using their service to DDoS us). They simply refused to direct me to anyone else in their company. The phone number is just for people looking to purchase DDoS protection, and they don't have any other method of contacting them.
So, can someone explain why Cloudflare seems to be DDoSing us, and exactly how it happened?
There is no way to report abuse to Cloudflare unless it is a cloudflare website. (I tried, and it refuses to submit the report). I suspect it may be someone abusing their WARP VPN service, but there doesn't seem to be any way of reporting abuse about it.
52 comments
[ 5.3 ms ] story [ 130 ms ] threadIt could be VPN originating or maybe Worker originating maybe?
Don’t they have a security.txt and security@ email address?
Looks like posting to social media the full analysis of the attack is the sensible thing to do.
Yes, but it just covers bug bounties and also links to the abuse page (which only accepts websites hosted on cloudflare).
A lot of hacking groups, terror organizations and other malicious actors have been using cloud flare for a while without them doing shit about it.
It's their business model. More DDoS means more cloudflare customers, yaaay.
A guy ran a DNS and logged all the suspicious domains linking to cloud flare (e.g. cname entries etc): he eventually gave up cause he was sued into oblivion (he was a Swiss guy operating from Switzerland).
http://web.archive.org/web/20210826102143/http://www.crimefl...
And this kinda speaks for itself:
http://web.archive.org/web/20210826102230/http://www.crimefl...
It's a tricky situation, and whether or not Cloudflare endorses, facilitates, or turns a blind eye to DDoS attacks shouldn't matter as much as it currently does.
If they want to be a neutral public utility, they can rearrange their business to that effect.
i.e. unless they want to host in a lawless foreign data-center begging for scrip-coin they should care.
=)
Anecdotal forest city / woodlands in Malaysia / Singapore note. The territorial dispute led to most organizations there doing shady business online, as nobody is ruling these lands, effectively.
i.e. if you aren't careful and someone drops a pill in your luggage, they do shoot people without trial on the following Tuesday.
And yes, having stuff reverse engineered at the local university care of an unscrupulous US company is common. One really can't take it personally, as it is legal there. =)
I'm not disagreeing with you, or trying to defend Cloudflare – I just see a very complicated situation, especially when you consider the DNS ecosystem, which in itself is extremely shady. You also run the risk of DMCA-style procedures that would require equal application across service providers and would undoubtedly be abused by bad actors.
All that delicious data to snoop at and share with the government, or possibly UK in order to avoid legal problems.
It would be difficult to build a better listening station for the Internet.
Given that Google,FB,etc are all open silos for the spooks as well.
The government has even declared that the US near monopoly is of vital national security importance.
(This was in regard to stop the administration from pushing for a breakup of the internet giants).
I agree, we need strong legislation to cut down on Cloudflare's activity.
Cut down a further 23% of traffic annoyances, and booted many VPN users who never seemed to participate in a constructive manner anyway.
Play possum with a temporary route ban, it is usually the only way they will move on to find other targets. If the server appears already down for days, they will get bored. =)
I'm really not sure what you thought those links proved.
1. Pick any domain from the website
2. dig A <thedomain>
3. dig CNAME <thedomain>
4. ???
6. Proof
You know, it's not like how to DNS is a secret or something. You can easily confirm this yourself whether or not the author of said article told the truth or not.
[0] https://web.archive.org/web/20210826103144/http://www.crimef...
That's just a list of URLs with the substring "hack" in them.
URLs like ryansugarshack.com (Ryan's Sugar Shack: Taste of New Hampshire).
OP you should try it and see what happens. It's only like $20 for the basic plan, and then you can ask their support once you log all the attacks coming from themselves to themselves...
I've done my share of nasty DNS hacks to make a customer happy; even without hacks you do want some order in your setup so you'll end up with a huge piece of Terraform or a glued-together Python script. Changing DNS providers can be extremely painful.
I am curious if you were able to capture the headers at all. The 'Host' header would allow you to figure out the site these people were actually trying to hit. I'm fairly confident it was not your domain. You may want to to put the Host header in your access logs. This may also explain why everyone got a 301 and using http.
No matter what you should be able to see this header 'Cf-Connecting-Ip' to know the true source.
While cloudflare is somewhat masking the origin IPs, a similar mistake without cloudflare would send at least the amount of traffic towards you.
And if all requests are from the homepage, why not adding a header to ask Cloudflare to cache it for 1 day?
If you find out the hostname used you could try contacting the website owner and check with them, bypasing Cloudflare (assuming you could either load the site and use a contact form, or find registrant's information).
That said, it is a pretty attractive platform if you want to build a scraper that operates either at no cost, or very low cost. Especially if you can aggregate multiple free level accounts without Cloudflare catching on. And it's pretty easy to write a bad scraper that handles things like redirects poorly, and becomes an unintentional DDOS machine.
Dumping the headers of some of the requests could help narrow down which type of Cloudflare service is hitting you.
All the other suggestions of malice are rather inefficient, especially considering the net value is lower than the cost to push those malicious actions.
As for the reporting: yeah, it seems rather dumb there is no easy to reach form for this, but you can message their abuse address and NOC which are listed in the WHOIS you probably queried anyway to find out Cloudflare owns those addresses:
A phone call might be quicker if you're really curious about what is happening.I tried emailing the abuse address, but I get an automated reply saying to report it using the online form (which won't let you report anything not hosted on a cloudflare website).
I also emailed their noc address and haven't had an automated reply yet, so perhaps that will actually reach a human.
Wouldn't be surprised it they do some sort of CLIP filtering/routing, or if they no longer use humans on the front lines, it's the way of the enterprise once they exist long enough :-(
Not really possible to get any more info after the fact.