And my relay went down again. Folks are using Cloudflare Workers to perform attacks and scrape the heck out of websites (not new or Nostr-specific, they just hit my relay hard this weekend). If you don't use Cloudflare Workers, do yourself a favour and deny all traffic from 2a06:98c0:3600::103.

Discussion

Are they Nostr messages? Or just WS connections?

Mostly pure http crap (trying to exploit WordPress vulnerabilities, etc). Still, enough to DDoS small servers.

you should fill an abuse form with them describing the incident. they must have something of the kind.

I've opened an abuse ticket. Their forums are filled with folks facing the same issue. Cloudflare customer support only starts caring when your company is spending over $10K USD per month with them (speaking from experience, I got the VIP treatment while working at "too big to fail inc", but also had to deal with them on a $20/month plan. I’ve already shared a few horror stories with you, like the time they just decided to block all videos on my Mastodon server).

In short, they’re aware of it:

- https://community.cloudflare.com/t/urgent-malicious-requests-coming-from-cloudflare-workers-2a063600-103/809347 (recent)

- https://community.cloudflare.com/t/how-can-i-block-2a063600-103-at-waf-level/651073/40 (2024)

- https://community.cloudflare.com/t/is-it-safe-to-block-2a063600-103/321899 (2021)

I don’t like blocking useful services like this, as folks on Nostr might be building legitimate stuff using Cloudflare Workers. But at this point, it’s really the lesser of two evils. Even though my firewall detected the abuse and was returning 429s to all requests, the sheer volume of requests was still enough to take everything down.

I have a recurring issue with routing to Cloudflare addresses that they consistently refuse to address. Every Wednesday, from approximately 10 p.m. to 4 a.m., there is no route from major Brazilian ISPs to any of my sites behind Cloudflare. I’m on the free plan, so I can open tickets, but it makes no difference. There are dozens of reports on their community forums—many from other countries—describing the same problem, and Cloudflare does nothing about it.

Sorry, didn't get a notification because... Well, my relay was down again, lol. Yeah, Cloudflare is sorta like Google, anything below $10k billing a month and you are a cost center, not a client. I'm trying to reach out to some of my former colleagues to see if I can get an abuse report sent by "Too Big to Fail Inc." instead of Anthony Accioly.

And I don't doubt that your routing issue is due to Cloudflare’s own internal automation. Have you tried to install Warp and go through Cloudflare's own infrastructure during outage periods just to confirm?

Kind regards,

That's what I usually do - route through Warp - but that doesn't help my customers. I'm still effectively out of service for about six hours. Fortunately, it happens during a period of low traffic.

Thanks for sharing, same here. 525k requests in 24 hours

And it's getting worse. Even pfSense was struggling to keep up. If you are not on the free plan, here's a way to block it in the WAF:

https://community.cloudflare.com/t/urgent-malicious-requests-coming-from-cloudflare-workers-2a063600-103/809347/4

Or if you want to be less draconian, e.g., allow Semisol workers above, apparently this is the correct WAF incantation:

https://community.cloudflare.com/t/how-can-i-block-2a063600-103-at-waf-level/651073/15

Try looking at the Cf-Worker header and blocking based off of that. Need an entirely new account or a name change (not sure if it is rate-limited) to bypass it.

My services have `noswhere.workers.dev`, let me know if you experience any issues.

Bots are unfortunately using all sorts of Cf-Worker headers. This looks like a major global attack at this point and even my firewall is struggling to keep up. And I'm surprised that Cloudflare hasn't mitigated it yet. Once things calm down a bit I'll whitelist your stuff for sure (and if anyone else on Nostr is using Cloudflare Workers for legitimate purposes please ping me your Cf-Worker header and I'll whitelist it as well).

I figured out I would need the same. My haven relay was overloading. I used Cloudflare WAF to block all the connections from this IP. In less than a minute after blocking, I already have 517 log events in this rule alone. Whatever is happening with this worker, that's not normal.

Added all my other relays to the lot (wot.girino.org, nostr.girino.org, memrelay.girino.org). All of them were suffering attacks from this address. Cloudflare is very good at blocking external attacks, but not so much for internal ones.

Yeah. This is a bizarre one. And it has increased substantially. I had like 500k hits the very first day. Yesterday it was over 10m.

If you can keep a list of Cf-Worker headers, the more people reporting the script kiddies the better. Some traffic may be legitimate like Semisol's stuff above. But on my relay the vast majority of traffic is WordPress, router and admin panel attack attempts. The more people reporting those folks the better. At some point CF will have to connect the dots.
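One way to keep the list of Cf-Worker headers the post above asks for, as an added example that is not code from anyone in this thread: it tallies requests per worker from constructed log lines and separates vetted workers (the allowlist, seeded with the `noswhere.workers.dev` value mentioned earlier) from the ones to report. The log line format, the `cf_worker=` field and the worker names other than `noswhere.workers.dev` are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real data). The assumed format is:
# <remote_ip> "<method> <path>" cf_worker="<Cf-Worker header or - if absent>"
SAMPLE_LOG = """\
2a06:98c0:3600::103 "GET /wp-login.php" cf_worker="wp-scan.example.workers.dev"
2a06:98c0:3600::103 "GET /xmlrpc.php" cf_worker="wp-scan.example.workers.dev"
2a06:98c0:3600::103 "GET /admin/" cf_worker="panel-probe.example.workers.dev"
2a06:98c0:3600::103 "GET /" cf_worker="noswhere.workers.dev"
203.0.113.7 "GET /" cf_worker="-"
"""

# Workers the operator has vetted; noswhere.workers.dev comes from the thread,
# anything else an operator would add after checking the traffic themselves.
ALLOWLIST = {"noswhere.workers.dev"}

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" cf_worker="([^"]*)"$')


def parse_log(text):
    """Yield (ip, method, path, worker) tuples; worker is None when no header was sent."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, method, path, worker = m.groups()
        yield ip, method, path, (None if worker == "-" else worker)


def worker_report(text, allowlist=ALLOWLIST):
    """Count requests per Cf-Worker value and split them into allowlisted and to-report.

    Returns (allowed, report): two dicts mapping worker name -> request count.
    Requests without a Cf-Worker header are not Workers traffic and are ignored.
    """
    counts = Counter()
    for _ip, _method, _path, worker in parse_log(text):
        if worker:
            counts[worker] += 1
    allowed = {w: n for w, n in counts.items() if w in allowlist}
    report = {w: n for w, n in counts.items() if w not in allowlist}
    return allowed, report


if __name__ == "__main__":
    allowed, report = worker_report(SAMPLE_LOG)
    print("allowlisted workers:", allowed)
    print("workers to report to Cloudflare:", report)
```

The `report` dict is what goes into the abuse ticket; the `allowed` dict is the set you keep exempt from the WAF rule.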

GM folks. Just sharing this again for Nostr operators in the European time zone.

It is getting worse. I had over 10 million requests on my personal relay yesterday. Several other folks operating Nostr infrastructure have confirmed their servers getting hammered. Coincidentally or not, I’ve been seeing both clients and relays going on and off over the past few days.

nostr:nevent1qqs8u28ef975y9y24ekhs86galvr7a93n0a7aykgrl0e208hqqa6gvcprdmhxue69uhksctkv4hzuctrvd5k7mre9eek7cmfv9kz7q3qa6we08n7zsv2na689whc9hykpq4q6sj3kaauk9c2dm8vj0adlajqxpqqqqqqzdtejsl

Cloudflare seems to be doing jack squat to mitigate the attack so far. So, if you haven’t blocked Cloudflare Workers from reaching your relay yet, I sincerely recommend you do. Also, if possible, keep a list of Workers hitting your infrastructure, remove legitimate traffic as best as you can, and keep reporting it to Cloudflare. At some point, they’ll have to do something about it.

#devstr #cloudflareWorkers #botsBeBotting