This was almost certainly a DNS reflection attack — or attempted attack.
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
As in, someone actually trying to attack Cloudflare. We didn’t originate the traffic.
Likely just someone using a custom tool or using curl to test stuff.
You can set whatever UA you want in a curl like so:
curl https://www.cloudflare.com -H "User-Agent: You are really courageous."
That will then show up in your logs, and in Cloudflare's logs, as what you see there. You may want to work with the Cloudflare support team to see if they can look into other internal instances of this UA popping up, which might lead them to finding some type of malicious service doing generic scanning, and they may be willing to add this to a blacklist if it looks shady enough.
I also believe you can create a user agent rule (depending on your plan) and block that specific user agent if it seems to be doing weird stuff based on your logs.
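The two comments above say that a spoofed User-Agent lands in your origin logs and that you can act on it with a user-agent rule once the logs show it misbehaving. As an added example (not code from the original thread), here is a small log triage script that parses nginx "combined" access log lines, groups requests by User-Agent, and flags agents that show up from several source IPs while mostly hitting 404s, which is the usual signature of a scanner. The log lines are constructed sample data; the `http.user_agent` field in the generated Cloudflare expression is Cloudflare's field name, but the exact quoting rules assumed for embedded double quotes are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "You are really courageous."
198.51.100.5 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 153 "-" "You are really courageous."
198.51.100.6 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 404 153 "-" "You are really courageous."
203.0.113.12 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
192.0.2.7 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin HTTP/1.1" 404 153 "-" "curl/8.4.0"
"""

# nginx "combined": ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def suspicious_user_agents(rows, min_ips=2, min_404_ratio=0.5):
    """Group requests by User-Agent and flag agents seen from >= min_ips distinct
    source IPs whose requests are mostly 404s (probing for paths that do not exist)."""
    by_ua = defaultdict(lambda: {"ips": set(), "paths": set(), "n": 0, "n404": 0})
    for r in rows:
        s = by_ua[r["ua"]]
        s["ips"].add(r["ip"])
        s["paths"].add(r["path"])
        s["n"] += 1
        if r["status"] == "404":
            s["n404"] += 1
    flagged = {}
    for ua, s in by_ua.items():
        ratio = s["n404"] / s["n"]
        if len(s["ips"]) >= min_ips and ratio >= min_404_ratio:
            flagged[ua] = {
                "ips": sorted(s["ips"]),
                "paths": sorted(s["paths"]),
                "not_found_ratio": ratio,
            }
    return flagged


def cloudflare_ua_expression(uas):
    """Build a Cloudflare rule expression matching the flagged agents.
    http.user_agent is Cloudflare's field; backslash-escaping of embedded
    double quotes is an assumption, so review the rule in the dashboard."""
    parts = ['(http.user_agent eq "%s")' % ua.replace('"', '\\"') for ua in sorted(uas)]
    return " or ".join(parts)


if __name__ == "__main__":
    hits = suspicious_user_agents(parse_log(SAMPLE_LOG))
    for ua, info in hits.items():
        print(ua, info)
    print(cloudflare_ua_expression(hits))
```

A single curl run from one IP (the `curl/8.4.0` line) is not flagged, because the thresholds require the same agent from several addresses; tune `min_ips` and `min_404_ratio` to your traffic before turning the expression into a block rule rather than a challenge.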
Cloudflare doesn't have bandwidth limits, unless you're using another service of theirs such as Argo Routing or Stream. This is because of their limitations of non-html traffic. As long as your traffic is primarily and explicitly used for web pages/web services, you should be okay. Things that aren't okay are running Plex media servers, serving as a large file hosting site, etc.
This is stated in their ToS, located at https://www.cloudflare.com/terms/, section 2.8.
As far as I know they use the edge network with the best speed to you. That could be in your country or not. If an edge network is overloaded they can redirect your traffic through another edge network.
Here is a list of them
Cloudflare's network currently has 67Tbps of capacity and utilizes an anycast network which intelligently routes traffic to the client's closest node, and can redirect traffic to other nodes if the closest one is getting saturated. There is no worry of bandwidth limitation or throttling. Even on the free plan, you have access to the entire network capacity. I also have servers that each constantly utilize hundreds of Mbps of traffic, there is no issue. Keep in mind, the free plan has POST requests limited to 100MB. If you plan to upload files over 100MB, you'll need to break it up into multiple requests.
It’s available in Cloudflare for Teams in the free package. Do you have your office set as a location and your home computer setup as a device in the Teams dash?
https://www.dnsperf.com has some great benchmarks. It’s almost guaranteed that google or Cloudflare’s DNS is going to be faster than your ISP.
You can test lots of different dns servers locally using https://www.grc.com/dns/benchmark.htm.
Stream does more than just caching; it encodes your videos into multiple formats, supports adaptive bitrate streaming and so on.
https://www.cloudflare.com/en-gb/products/cloudflare-stream/
If you encode multiple videos a day into many different formats, Stream has a great pricing model; otherwise the free tier should be sufficient.
Cloudflare has a pretty informative "Learning Center" you can read up on for the basics: https://www.cloudflare.com/learning/
Other than that, for each product you should definitely be asking a few questions to your team internally:
For CDN:
- What's your asset cache hit ratio?
- Where is your traffic coming from?
- When looking at CDNs, understand their network size and the type of technology.
For China Network:
- Have you applied for your own ICP License yet?
- When looking at CDNs, how many PoPs are actually located within China?
For DDoS mitigation:
- When looking at providers, how does the provider actually mitigate an attack? (For Cloudflare, look up how an Anycast infrastructure works.)
- How does the cost structure work? Does it cost more when you see an attack?
DM me if you have any specific questions about Cloudflare. Happy to help.
One interesting thing I've noticed is 1.1.1.2 with TLS auth name set to cloudflare-dns.com works (on Stubby) - as per https://www.cloudflare.com/ssl/encrypted-sni/, it just seems to not be filtering anything (acting same as 1.1.1.1). Test page: https://phishing.testcategory.com/
I would recommend running this excellent DNS benchmarking app. It will perform a real-world DNS test on a list of servers to tell you how they perform. You can add your ISP servers to the list and see how they compare. This will give you a more accurate view than just latency (ping) between you and the server.
The best way to handle this is to whitelist the Cloudflare IPs at your webserver. If you're behind Cloudflare, the traffic your server sees should only be coming from Cloudflare anyway. You can find the IPs here: https://www.cloudflare.com/ips/
Another thing to add to the "Security" section of the article would be that Amazon's services have a large number of compliance certifications, listed at https://aws.amazon.com/compliance/ These range to various standards organizations, various government regulations, and various industry groups.
Ok, so some interesting results.
Using IPVanish's WireGuard DID help me with my upload problem, but I couldn't play with it.
On Call of Duty with WARP, I could enter a match IF I made an exception via tunneling to the match's IP address. With IPVanish, I can't even connect to the pre-game lobby. Unfortunately, I can't find a way to add exceptions on IPVanish.
OpenVPN over tcp port 443 also HELPED with my upload problem, but with much slower speeds. It also could not connect me to the pre-game lobby.
I did try other OpenVPN ports and with UDP, but the same thing happens.
I know it's Call of Duty blocking my connection because I'm on a VPN. But god, I just wish it was as simple as choosing an .exe and boom! No VPN with that software.
Oh, I did NOT know that. Ok, so the WireGuard option on IPVanish DID help with my upload problem. Not as much as WARP does, but it did. I'm assuming you're right that my ISP is not throttling WireGuard connections.
I'll test if I'm able to connect to those games using IPVanish's WireGuard and reply back. Crossing my fingers.
I'll also try the OpenVPN option with the port you said if the games do not work with WireGuard.
You can follow the other comment's thread to know more about this, but a TL;DR is that you need a VPN with WireGuard or OpenVPN (OpenVPN has slower connections, at least for me).
Mullvad can work, but it's paid. NordVPN and IPVanish didn't work for me. Hopefully you can find another VPN provider that can work.
I googled it and found this answer: https://www.quora.com/How-can-CloudFlare-make-money-for-its-free-services
While I think that might be a bit exaggerated it might be that offering a free limited service converts enough paying customers so that CF is profitable.
I have not found anything in the TOS that says they sell the info, but I do not speak legalese either.
If you don't need to stream, Mullvad is great because they have a 5 EUR flat rate (so no 3 year contracts) and all their code is open source. They also have port forwarding for P2P I believe; not a lot of VPNs do.
If you need something cheaper, Surfshark is great on Android but the Windows version is increasingly unstable (randomly logging out). Great support though. They do have a great GUI for Linux, one of the few VPNs.
PIA is worth a look too nowadays because their apps are all open source, they have become really cheap and they have a Linux GUI too. They are based in the US, which is definitely bad, but at least their court case tracker shows they didn't have any logs thus far.
If you have a lot of money then IVPN, because their entire infrastructure is owned by them and they are open source. It's a fair price for what it is but expensive regardless.
A proper VPN starts from $3 a month on Windscribe (build a plan with no long-term commitment), while Mullvad is only 5€. If you can afford the time to consume your torrent, you can afford to subscribe to a VPN.
Is she using a VPN on her laptop? Is it an Apple laptop? Is she using some sort of proxy/anonymizer? All can have issues because there are single exit IPs for a lot of traffic.
If it’s a Mac - disable iCloud Private Relay.
In general, CloudFlare doesn’t keep blocks in place for more than a few hours to days. So whatever the block is is probably due to repeated “offenses”.
The weird part is that the issues are network independent, whether it's my home or mobile network (which used to work better). But using Wireguard's own application, without changing any MTU settings, things just work. I also have no problems using other VPN solutions, such as ProtonVPN, too bad the price is unfeasible in my country.
Cloudflare proxies traffic through their servers to yours. It does not act as a reverse proxy in the same way that NGINX does. Depending on how you are using NGINX, you might be able to use Spectrum:
https://www.cloudflare.com/en-gb/products/cloudflare-spectrum/
I can recommend simplelogin.io which I set up on a subdomain of my domain, so I get aliases like [email protected], [email protected] etc. which will be redirected to my main email address.
You can set your custom domain up during the 14 day pro trial. Your custom domain and all your created aliases will persist even after your pro trial lapses, but you can only create up to 10 (IIRC) aliases in the free tier.
Question is a bit off-topic, but does CF retain your IP data for 24 hours or not?
They say "we may retain.." in 2.2 Operational Data section.
https://www.cloudflare.com/application/privacypolicy/
Does this mean they retain my data by law enforcement request and doesn't retain it at all otherwise?
Websites will not know your real IP in all cases.
Those that don't run the CF service are usually unable to recover your real IP.
I wrote a PHP script that extracts all headers of a visitor. Only the CF colo's public IP is there, not the user's real IP.
However, if I use
$.get('https://www.cloudflare.com/cdn-cgi/trace', function(data) {
...}
first and pass data to php, I can get the real IP too.
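The whitelist advice earlier in the thread (only accept connections from the published Cloudflare ranges) and the comment above about the origin seeing only the colo's IP go together: once the origin is reachable only through Cloudflare, the real visitor address is in the CF-Connecting-IP header, and that header is only worth trusting when the TCP peer really is a Cloudflare edge. As an added example (not code from the thread), the following Python checks the peer against a parsed range list before honouring the header. The ranges embedded here are a small sample in the same one-CIDR-per-line format as https://www.cloudflare.com/ips/; in production pull the live lists rather than hard-coding them.

```python
import ipaddress

# Sample ranges in the same text format as the published ips-v4 / ips-v6 files.
# Illustrative subset only; fetch the live lists instead of hard-coding.
CLOUDFLARE_IPS_V4_SAMPLE = """\
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
"""
CLOUDFLARE_IPS_V6_SAMPLE = """\
2400:cb00::/32
2606:4700::/32
"""


def parse_ranges(*texts):
    """Parse one CIDR per line (blank lines and # comments ignored) into ip_network objects.
    strict=True rejects a line whose host bits are set, which would hide a typo."""
    nets = []
    for text in texts:
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_cloudflare(peer_ip, nets):
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in n for n in nets)


def client_ip(peer_ip, headers, nets):
    """Address to log, rate-limit or geo-block on.

    CF-Connecting-IP is honoured only when the TCP peer is inside a Cloudflare
    range; from anyone else the header is attacker-controlled, so the peer
    address itself is the client. A malformed header value is ignored."""
    if is_cloudflare(peer_ip, nets):
        hdr = headers.get("CF-Connecting-IP")
        if hdr:
            try:
                return str(ipaddress.ip_address(hdr.strip()))
            except ValueError:
                pass  # garbage in the header: fall back to the peer address
    return str(ipaddress.ip_address(peer_ip))


if __name__ == "__main__":
    nets = parse_ranges(CLOUDFLARE_IPS_V4_SAMPLE, CLOUDFLARE_IPS_V6_SAMPLE)
    # Constructed requests: one really from a Cloudflare edge, one direct hit
    # on the origin that forges the header.
    print(client_ip("173.245.48.10", {"CF-Connecting-IP": "198.51.100.7"}, nets))
    print(client_ip("192.0.2.9", {"CF-Connecting-IP": "198.51.100.7"}, nets))
```

The header lookup is case-sensitive here; if your framework normalises header names (most do, to lowercase), adapt the key accordingly. Combine this with a firewall that drops non-Cloudflare sources entirely, so the fallback branch is only ever reached by traffic you are about to reject anyway.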
It is now called Cloudflare Gateway DNS, and you can control Cloudflare Gateway DNS custom filtering for free under the Cloudflare for Teams dashboard. I have already used Cloudflare Gateway for 2 years to filter all my network DNS at home, on mobile or even on my office laptop. Just visit here and register an account under the free plan: https://www.cloudflare.com/teams/gateway/
That's a very good question. You can check out the Bandwidth Alliance. https://www.cloudflare.com/en-au/bandwidth-alliance/
But you would need to reach out to Cloudflare for the exact list. I would suggest Twitter or a general inquiry support ticket.
In the article it says Cloudflare never supported HTTP Server Push - even though I have used it for quite some time, and https://www.cloudflare.com/website-optimization/http2/serverpush/ clearly says that Server Push automatically works for all websites if you add Link headers. So currently, adding too many Link headers for Early Hints should lead to Cloudflare pushing all the assets on each request, which would be very inefficient. Is there a way to disable HTTP Server Push, or how to use Early Hints without Server Push?
CloudFlare just publish their ranges, they don’t seem to distinguish and say “this range is responsible for this” etc
https://www.cloudflare.com/en-gb/ips/
Maybe some products specify what ones they use, but I’ve yet to see this
+1 to u/woodside3501's comment about Magic Transit.
Another option might be to use Cloudflare Tunnels. Instead of opening firewall ports for anything you want behind Cloudflare, you run the tunnel daemon locally and it's locked to your account so other Cloudflare accounts can't access your system, and it doesn't require you to open up any ports. So you could block all incoming
Suggest spending some time going over their data privacy and compliance information: https://www.cloudflare.com/en-gb/privacy-and-compliance/ to make sure they meet the requirements of your business/industry.
It happens to a number of sites so I don't really think contacting any of them will help. My ISP said it's outside their network and seemed to suggest they don't contact Cloudflare which I thought was weird, but seems to be their policy. For the record I get the same packet loss as the crypto sites that seem to all get it when I ping https://www.cloudflare.com/ Since it goes through that same IP. Also yeah, when I use a VPN it doesn't seem to hit that particular IP and there's no packet loss, but obviously still a little delayed vs if I could solve this issue and not have to use a VPN just to avoid packet loss.
Not sure when they started using LetsEncrypt but I do see they use four different SSL providers:
https://developers.cloudflare.com/ssl/ssl-tls/certificate-authorities
The let’s encrypt roots are available for download here and could be manually installed or pushed via a device management server (Intune, Jamf, etc) https://letsencrypt.org/certificates/
VPN is the best way. Anonymous proxies are an option, but not a great one. You could stand up a virtual private server on AWS or Digital Ocean and run a VPN on it if you don't like the idea of using a paid VPN provider like NordVPN.
It’s possible that they encrypted the key and this method may not work anymore. An idea would be to try with an older version of the APK from here: https://apkpure.com/1-1-1-1-faster-safer-internet/com.cloudflare.onedotonedotonedotone/versions
FWIW, I get 700+ Mbps down and up with my ISP. When I turn on 1.1.1.1 with Warp I get 100 down and about 80 up.
I know CloudFlare claims it is much faster to use it but you probably should test it. I used both fast.com and speed.cloudflare.com to test. Not sure why Warp is so slow.
Allow only cloudflare ip address list and restrict access to everything else.
https://www.cloudflare.com/ips/
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-9
Digital ocean isn't state owned as far as I know but they are also not part of the bandwidth alliance.
https://www.cloudflare.com/en-au/bandwidth-alliance/
So no direct connection to CloudFlare's network.
I confess I'm not familiar enough with AWS to give a concrete answer. You might be able to use AWS Firewall to configure your VPC and have a script use AWS credentials to update that rule with Cloudflare IPs on a schedule.
Alternatively you could use Argo Tunnel from Cloudflare's side and block all ports incoming traffic on your EC2 instances and let Argo handle it.
https://www.cloudflare.com/terms/
>2.8 Limitation on Serving Non-HTML Content
>
>The Services are offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as part of a Paid Service purchased by you, you agree to use the Services solely for the purpose of (i) serving web pages as viewed through a web browser or other functionally equivalent applications, including rendering Hypertext Markup Language (HTML) or other functional equivalents, and (ii) serving web APIs subject to the restrictions set forth in this Section 2.8. Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service. If we determine you have breached this Section 2.8, we may immediately suspend or restrict your use of the Services, or limit End User access to certain of your resources through the Services.
Yeah this list https://www.cloudflare.com/ips/ is the best source and offered as a txt list for use. I’d recommend build alerting or automation around this if you are using it in any fashion as you don’t have control over their IPs and if you are worried it’s clearly a integration point.
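Several comments above converge on the same operational point: restrict the origin to the published Cloudflare ranges (ufw, a VPC rule, a scheduled script) and, since you do not control that list, build alerting around changes to it. As an added example (not code from the thread or from Cloudflare), the following Python compares a cached copy of the ips-v4 text with a freshly fetched one, reports the delta so a human or alerting pipeline sees it, and emits the ufw commands that bring the firewall in line. Both snapshots are constructed sample data in the one-CIDR-per-line format of https://www.cloudflare.com/ips/; the fetch itself is left to your scheduler so the script runs offline.

```python
import hashlib
import ipaddress

# Constructed snapshots of the ips-v4 file: CACHED is what the firewall was last
# built from, CURRENT is what a scheduled fetch just returned. Illustrative only.
CACHED = """\
173.245.48.0/20
103.21.244.0/22
"""
CURRENT = """\
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
"""


def parse_ranges(text):
    """One CIDR per line into a set of ip_network objects (blank lines ignored)."""
    return {ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()}


def digest(text):
    """Cheap change detector so an unchanged list does not touch the firewall."""
    return hashlib.sha256(text.encode()).hexdigest()


def diff_ranges(cached_text, current_text):
    old, new = parse_ranges(cached_text), parse_ranges(current_text)
    added = sorted(new - old, key=str)
    removed = sorted(old - new, key=str)
    return added, removed


def ufw_commands(added, removed, port=443):
    """ufw rules for the delta. Assumes `ufw default deny incoming` is already set,
    so only explicitly allowed Cloudflare ranges reach the web port."""
    cmds = [f"ufw allow from {n} to any port {port} proto tcp" for n in added]
    cmds += [f"ufw delete allow from {n} to any port {port} proto tcp" for n in removed]
    return cmds


def sync(cached_text, current_text, port=443):
    """Return what changed and the commands to apply; callers alert on changed=True."""
    if digest(cached_text) == digest(current_text):
        return {"changed": False, "added": [], "removed": [], "commands": []}
    added, removed = diff_ranges(cached_text, current_text)
    return {
        "changed": True,
        "added": [str(n) for n in added],
        "removed": [str(n) for n in removed],
        "commands": ufw_commands(added, removed, port),
    }


if __name__ == "__main__":
    result = sync(CACHED, CURRENT)
    if result["changed"]:
        print("ALERT: Cloudflare IP list changed; added:", result["added"], "removed:", result["removed"])
        for cmd in result["commands"]:
            print(cmd)
```

Apply removals before you trust the new list blindly: a range disappearing from the published file is exactly the event you want a person to look at, because a stale allow rule keeps a door open for whoever is assigned that space next.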
I don't know about WARP, but DoH (DNS over HTTPS) uses the HTTPS port (443) and is undetected because all HTTPS traffic uses this port and no one can tell if you are just going to a website or making a DNS request. DoT (DNS over TLS), on the other hand, uses its own port (853) and can be blocked more easily, because if someone uses this port you can be sure they use DoT.
That was the biggest difference; there are some minor ones too but I don't know about those.
tl;dr: use DoH for more privacy because it stays undetected, and use DoT for a little more security (admins can monitor DoT and identify and stop malicious traffic).
you can read more here: https://cloudflare.com/learning/dns/dns-over-tls/
Sorry for my English.
https://www.cloudflare.com/cdn-cgi/trace
it worked for me too as a warp+ user. what do you see on the last line? i used to get warp=plus but it's only warp=on now
By design the main Cloudflare service only works for HTTP(S) services. However, there is also Cloudflare Spectrum, which supports other protocols but is not available on the free tier.
As an SE, I've actually recommended this script one time to a customer. It's really easy to utilize. You can find the URLs for both IPv4s and IPv6s in his script, but if you wanted to view them more easily: https://www.cloudflare.com/ips/
Cloudflare's Spectrum is unique, that's for sure.
What baffles me, I guess, is them specifically marketing it for Minecraft at $1/Gb. How many Minecraft servers would derive value from it at those prices? Does Hypixel, or are they getting special prices?
I mean, looking at it, they offer SSH and Minecraft at the Pro level, Business adds RDP, everything else requires Enterprise. It implies that someone willing to pay $25/month would derive value from this, for Minecraft. But then, another $25 gets you 25GB which a small server goes through in a couple of hours?
I can understand the value proposition for SSH (also RDP, wish it was available at the Pro level, would use it for sure). Minecraft I don't.
Cloudflare has access to the Bandwidth Alliance which means they get a chunk of bandwidth for free, reducing costs. They have also prided themselves for years on advertising that bandwidth is unlimited: “sites should not have to pay more when they’re under attack”.
But I agree that if there is some kind of soft limit at which point they encourage users to upgrade, then they should publish what that is.
https://www.cloudflare.com/plans/pro/
No performance is really unlocked, other than being slightly prioritized when a CF data center is under heavy load, as well as your cached files not being evicted as often.
PC users can just use the totally privacy-focused, not at all a total RAM hog of a browser that is Firefox, which gives you Mozilla's privacy policy (better or worse?)
They use their backbone to route traffic more efficiently. There is a cost associated with that. They charge their WAF customers for it also, it's called Argo. It works especially well if users are in countries with poor overall connectivity or are far from the destination server. It would also work well if your ISP has oversubscribed or congested transit links.
Here is a page on how it works, both for WAF customers and for Warp: https://www.cloudflare.com/products/argo-smart-routing/
Not exactly what you're looking for but the way I do it is with different subdomains. e.g. MYDOMAIN.COM is proxied through Cloudflare but ssh.MYDOMAIN.COM is not. So I always SSH through the ssh subdomain.
Otherwise Spectrum as /u/CherryJimbo mentioned is the only way I'm aware of.
As far as I know, this isn't possible. You could use Spectrum, which allows the proxying of any TCP/UDP service on any port, though this is an enterprise feature.
I'm not an American, but something something First Amendment. Cloudflare just masks 8chan's server IPs, they don't host the content on their hardware. The content transits through their network. CloudFlare is all about privacy and protection. They will co-operate with the law enforcement, if all the laws have been met.
They have a transparency report: https://www.cloudflare.com/transparency/
ESNI Checker https://www.cloudflare.com/ssl/encrypted-sni/
Not sure why my connection wouldn't be secure, this test was done on my home network – it's not like I'm on a public open Wi-Fi.
With things like Let's Encrypt, anyone can generate a certificate for their site for free - Cloudflare is no different and I don't personally feel they have any liability here. You can always report the sites in question: https://www.cloudflare.com/abuse/
The ads you're seeing aren't from Cloudflare. The sites may be using Cloudflare, but Cloudflare doesn't directly control any of the sites they provide services for.
You can always report the sites if you feel they're breaking Cloudflare's TOS: https://www.cloudflare.com/abuse/form
The easiest way to solve this issue is with Cloudflare's new Argo Tunnel feature - https://www.cloudflare.com/lp/argo-tunnel-ngrok-alternative/?_bt=287611468507&_bk=argo%20tunnel&_bm=e&_bn=g&gclid=EAIaIQobChMIrMul18L33AIV17jACh3wjAJsEAAYASAAEgLvA_D_BwE
It’s an issue on both iOS and Android. The other issue is the app on iOS has a DNS leak. Not sure with Android, to test it go to DNS Leak Test and it’ll be able to tell you.
The instructions for running on Windows are the exact same as Linux. I am in the process of re-coding the tool so it's easier to use. Regarding your issue: wgcf-profile.conf is indeed the correct WireGuard profile. It seems like you're having problems with WireGuard itself; have you installed the official WireGuard app from https://www.wireguard.com/install/? wgcf-identity.json is your Cloudflare WARP identity (account). You don't need that to connect to the VPN, only to generate wgcf-profile.conf.
You can do it right now with their standard services, but it's not free.
They seem to be saying this one is based on wireguard so in theory if you ran an openWRT router that supported wireguard vpn protocol it would be possible technically, but no idea policy wise nor any idea if that would be a premium service or not.
super excited. You mentioned that it would work with any db api over http? Can you please confirm if it would work with ArangoDB? And if we could apply for the beta accounts? :) Thank you so much really excited about this.
I've installed ProtonVPN in the past, I don't remember if it had IPv6 support, if it did change something to disable IPv6, do you maybe have a guide that shows how to re-enable that stuff in the registry?
Ok, so a normal VPN, let's say ExpressVPN, gets mistaken for security software by your average user; however it is more a privacy tool (although that is debatable). So are you saying, and from my understanding it is, that what WARP does is add an extra layer of security via a new protocol called WARP which supposedly protects against DNS type exploits, you know, man in the middle, cache poisoning etc.?
Warp is Cloudflare's specific implementation of WireGuard with server-side special treatment for traffic to the Cloudflare network, where the original IP is tacked on in a header.
Mozilla VPN runs on top of Mullvad, which does use WireGuard, but otherwise has no similarity to Warp. The original IP isn't included, and unless the destination site is using Cloudflare, the traffic shouldn't touch the Cloudflare network.
Even my own self-hosted VPN won't have any problem with DNS filtering because it got the IP hardcoded into it. I checked Cloudflare Radar, there are ProtonVPN, Surfshark, and Mullvad in P2P categories, you might wanna try to block it and see if their client can still connect. I'm not sure it will work though since even ProtonMail can query multiple DoH if their domain is blocked.
Lots of VPN providers; Windscribe, Express, Private Internet Access... Not sure you will find Singapore in a list of free locations from anyone. Windscribe is a good deal for you, because you can purchase by location(s) if you don't need many, I think $1 per location, per month
NordVPN is a VPN, as the name says. You can change servers and use servers all over the world; you can also use custom DNS in NordVPN.
Cloudflare WARP+ does not work as a VPN. It protects you and gives more security, and you can't change servers; it will select a server based on your ISP's peering and their Anycast network.
In some cases it will select a server in another country because of the ISP's peering, which makes your latency a lot worse (my experience with Cloudflare WARP+).
Right, but ProtonVPN works for tunneling all data, including DNS requests. So I'd guess that Cloudflare could use that same Personal VPN mechanism for its WARP/WARP+ tunneling, which would permit a different app, like Privacy Pro, to modify DNS requests locally before the data gets tunnelled through WARP/WARP+.
Mmm... something is amiss here. I just removed the other 2 countries and now the rule is:
(ip.geoip.country ne "US") - Challenge (captcha)
Yet I am using PrivateVPN and can successfully access my site from Russia, Sweden, wherever. Not sure why this is not working.
Thanks. I guess I will see what is different now. The link provided the following message:
You'll receive an update to the 1.1.1.1: Faster & Safer Internet app if you already have it installed on your device.
If you don't have the 1.1.1.1: Faster & Safer Internet app installed, download it on Google Play.
Note: It can take a while for you to receive the update.
You can leave the testing program at any time. You can switch to the public version of the app if that's available.
To switch to the public version:
Note: It can take up to a few hours before you can download the app's public version.
How beneficial is it to use WARP & a VPN? I have ExpressVPN and WARP is always active on my device through the 1.1.1.1 App.
I like the additional speed of 1.1.1.1 and always knew it didn’t hide or change my IP hence why I have the additional layer of ExpressVPN.
It would need to be an additional layer on top of something like PureVPN, it simply doesn't provide ip masking and it routes for speed not privacy. So you cannot dictate what region your requests are going.
Theoretically, maybe it could bypass the regional restrictions, but I expect it'd be easier to find another solution.
They get hot, even the newer 3 B+ which is supposed to have improved thermals. Perhaps it's just the "official" case I'm using, but I've had to remove the top during these warm summer months, which has dropped the temperatures from 60+ degrees Celsius to a MUCH more reasonable 52.6 °C that's showing today. (https://www.amazon.com/Raspberry-Pi-Foundation-Case-Model/dp/B00ZS26ZJA/)
Otherwise, zero issues and they're incredibly reliable. However, i prefer running the Pi-hole in a little Linux VM (1 vCPU, 1GB RAM) -- that being said, Pi-hole is SUCH a necessity that i've insisted on placing my old RPi 3 B at a family member's house and have OpenVPN servers running on both, in addition to the IPSec site to site VPN i have in place between the two locations, which grants me the ability to take advantage of adblocking as well as secure web browsing while we're out and about. Still can't really get anyone else to understand the importance of using the VPN while going mobile, but the first time they have financial information compromised, I'm certain it'll start to sink in. No amount of having email or social media account passwords compromised has been enough to entice them to utilize it. I think it's a must for any network. Even blocks ads on various smart tvs and every other network attached device. Always a work in progress, but i would HIGHLY encourage it. Get two going, if you have the resources and/or inclination. DNS can be funny sometimes the way it operates.