I'm sure many of you use CloudFlare. One of my websites has been over-crawled and the traffic is coming from IP 2a06:98c0:3600::103, which belongs to CloudFlare. The user agent resembles Googlebot, but that could easily be spoofed, and I guess Google isn't using CF.
My issue is that the traffic continues even if I try blocking that IP address at CF level. Note - I've blocked it at Nginx level; yet that's hundreds of requests per second of rejects (if not more).
If anybody has resolved this issue in the past, sharing your experience is greatly appreciated. Thanks!
ip -6 route add blackhole 2a06:98c0:3600::103
That method is faster and uses less CPU than a firewall rule, prevents a socket from being opened and wasting kernel memory, and keeps it out of your firewall state table. For UDP I still use the raw-table IPset in IPTables, as a blackhole will not stop the traffic from reaching the application in that case, such as DNS servers.

When reporting this to Cloudflare, make sure you have NTP set up on your web server so that your access logs line up with the proxy/app logs on their side, which makes it easier for them to correlate. A couple of lines of the traffic from tcpdump using -vv to get packet details may also be useful to them.
tcpdump -p -NNnnvv -s0 -c2 host 2a06:98c0:3600::103
IMHO this sounds like a DDoS...
Maybe the IP address(es) of the requests are spoofed!?
This could be the case, given that you mentioned the requests didn't stop after you blocked them at the nginx/ipt/... level for this IP/IP range!?
IDK ... set up nginx's rate limiting?
* https://www.nginx.com/blog/rate-limiting-nginx/
Which OS do you use? If it's Linux and you are able to access the OS itself, (additionally) set up a rate limit at IP level for the machine?
* https://www.baeldung.com/linux/iptables-packet-rate-limit
Or even ask your upstream provider to help/configure its DDoS protection properly!?
Just my 0.02€
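An added example, not code posted by anyone in this thread, that ties together two of the points above: the second reply's advice to report the traffic to Cloudflare with timestamps that line up (so the numbers to quote must come from your own access log), and the third reply's suggestion to rate limit in nginx (so it helps to know how many of those requests a given rate/burst would actually reject before turning it on). The script parses nginx combined-format access log lines, measures the peak requests per second from the suspect address, assembles the facts to report (UTC window, totals, user agents, whether the address really falls in Cloudflare's published v6 range), and replays the requests through the same leaky-bucket rule nginx's limit_req uses. The log lines, the `/page?p=N` paths, the 203.0.113.7 bystander address and the chosen rate/burst values are all constructed for the example; the Cloudflare prefix should be re-fetched rather than trusted from this constant.

```python
"""Added example (not from the thread): measure the request rate from one
source in nginx access logs, assemble the facts to quote to Cloudflare, and
simulate nginx's limit_req leaky bucket over the same requests.

The log lines below are constructed for this example; their timestamps are
whole seconds, which is all nginx's default $time_local records."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Cloudflare's published IPv6 list (https://www.cloudflare.com/ips-v6) contains
# 2a06:98c0::/29, which covers the address from the thread. Fetch the current
# list in production instead of relying on this constant.
CLOUDFLARE_V6 = [ipaddress.ip_network("2a06:98c0::/29")]

CF_ADDR = "2a06:98c0:3600::103"                     # address from the thread
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"


def _line(addr, when, req, status, ua):
    """Render one combined-format line (only used to build the constructed sample)."""
    return f'{addr} - - [{when}] "{req}" {status} 512 "-" "{ua}"'


# Constructed sample: 4 hits in one second, 2 the next, one bystander, one more hit.
SAMPLE_LOG = "\n".join([
    _line(CF_ADDR, "12/Mar/2024:10:15:30 +0000", "GET /page?p=1 HTTP/1.1", 200, GOOGLEBOT_UA),
    _line(CF_ADDR, "12/Mar/2024:10:15:30 +0000", "GET /page?p=2 HTTP/1.1", 200, GOOGLEBOT_UA),
    _line(CF_ADDR, "12/Mar/2024:10:15:30 +0000", "GET /page?p=3 HTTP/1.1", 200, GOOGLEBOT_UA),
    _line(CF_ADDR, "12/Mar/2024:10:15:30 +0000", "GET /page?p=4 HTTP/1.1", 200, GOOGLEBOT_UA),
    _line(CF_ADDR, "12/Mar/2024:10:15:31 +0000", "GET /page?p=5 HTTP/1.1", 200, GOOGLEBOT_UA),
    _line(CF_ADDR, "12/Mar/2024:10:15:31 +0000", "GET /page?p=6 HTTP/1.1", 200, GOOGLEBOT_UA),
    _line("203.0.113.7", "12/Mar/2024:10:15:31 +0000", "GET / HTTP/1.1", 200, BROWSER_UA),
    _line(CF_ADDR, "12/Mar/2024:10:15:33 +0000", "GET /page?p=7 HTTP/1.1", 403, GOOGLEBOT_UA),
])


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"addr": m["addr"], "ts": ts, "req": m["req"],
                        "status": int(m["status"]), "ua": m["ua"]})
    return entries


def is_cloudflare(addr):
    """True if addr lies in one of the Cloudflare v6 prefixes (IPv4 never matches here)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_V6)


def peak_rate(entries, addr):
    """Highest number of requests from addr within any single clock second."""
    per_sec = Counter(e["ts"] for e in entries if e["addr"] == addr)
    if not per_sec:
        return 0, None
    second, n = max(per_sec.items(), key=lambda kv: kv[1])
    return n, second


def report_facts(entries, addr):
    """The facts worth quoting in a report: a UTC window (hence the NTP advice),
    totals, status mix, user agent claim, and whether the address is Cloudflare's."""
    mine = sorted((e for e in entries if e["addr"] == addr), key=lambda e: e["ts"])
    if not mine:
        return None
    peak, second = peak_rate(mine, addr)
    return {
        "addr": addr,
        "is_cloudflare": is_cloudflare(addr),
        "first_utc": mine[0]["ts"].astimezone(timezone.utc).isoformat(),
        "last_utc": mine[-1]["ts"].astimezone(timezone.utc).isoformat(),
        "requests": len(mine),
        "peak_per_second": peak,
        "peak_second_utc": second.astimezone(timezone.utc).isoformat(),
        "claims_googlebot": any("Googlebot" in e["ua"] for e in mine),
        "statuses": dict(Counter(e["status"] for e in mine)),
    }


def simulate_limit_req(entries, addr, rate, burst, nodelay=False):
    """Replay addr's requests through the leaky bucket of nginx's limit_req
    (ngx_http_limit_req_module): `excess` drains at `rate` requests/s, each
    request adds one, and a request that would push excess above `burst` is
    rejected (503) without touching the bucket. Without nodelay, an accepted
    request with excess > 0 is delayed until the bucket drains."""
    excess, last = 0.0, None
    result = {"passed": 0, "delayed": 0, "rejected": 0}
    for e in sorted((e for e in entries if e["addr"] == addr), key=lambda e: e["ts"]):
        now = e["ts"].timestamp()
        if last is None:                 # first request for a key always passes
            last = now
            result["passed"] += 1
            continue
        candidate = max(0.0, excess - (now - last) * rate + 1.0)
        if candidate > burst:
            result["rejected"] += 1      # bucket state is not updated on reject
            continue
        excess, last = candidate, now
        if excess > 0 and not nodelay:
            result["delayed"] += 1
        else:
            result["passed"] += 1
    return result


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, value in report_facts(entries, CF_ADDR).items():
        print(f"{key}: {value}")
    print("limit_req rate=2r/s burst=1:", simulate_limit_req(entries, CF_ADDR, 2, 1))
    print("same with nodelay:", simulate_limit_req(entries, CF_ADDR, 2, 1, nodelay=True))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the `peak_per_second` and the UTC window are the two numbers Cloudflare can correlate on their side, and the simulation lets you pick a `rate`/`burst` pair that rejects the crawler's bursts without touching the bystander address.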