Enterprise Shield – Top Offenders – 2026-07-13

Written by

in

In this week’s edition of the Top Offenders list, there is a new leader in the abuse list: AS13335 – Cloudflare WARP. They have been hitting the site in large bursts for a couple of weeks now, using the anonymity afforded by hiding behind the open VPN Cloudflare provides.

Top ASNs – 7 Days

All of the largest surges seen over the last 7 days originate from this single ASN.

Firewall Hits by Hour – Last 7 Days
Distinct IPs by Hour – Last 7 Days

Clouflare is in the shield_hyperscaler ruleset that was discussed in the previous Top Offenders post. This traffic is forced into a rate-limiting situation where a flood of traffic automatically triggers a DROP once a set volume is reached. However, even this is challenging as the Cloudflare surges have the largest amount of IP diversity of all those tracked at the firewall.

In order to be more flexible, the shield_hyperscaler ruleset is applied on a /24 network basis. So even if the attacker tries to hide behind a set of IPs, if they come from a small number of /24 networks, they will end up in the DROP bucket.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *