I figured out i would need the same. my haven relay was overloading. I used Cloudflare WAF to block all the connections from this IP. In less than a minute after blocking, i already have 517 log events in this rule alone. Whatever is happening with this worker, that's not normal.
Discussion
added all my other relays to te lot (wot.girino.org, nostr.girino.org, memrelay.girino.org). All of them were suffering attacks from this address. Cloudflare is very good at blocking external attacks, but not so much for internal ones.
Yeah. This is a bizarre one. And it has increased substantially. I had like 500k hits the very first day. Yesterday it was over 10m.
If you can keep a list of CF-Worker headers, the more people reporting the script kiddies the better. Some traffic may be legitimate like Semisol stuff above. But on my relay the vast majority of traffic are WordPress, router and admin panel attack attempts. The more people reporting those folks the better. At some point CF will have to connect the dots.