In this week’s edition of the Top Offenders list, there is a new leader in the abuse list: AS13335 – Cloudflare WARP. They have been hitting the site in large bursts for a couple of weeks now, using the anonymity afforded by hiding behind the open VPN Cloudflare provides.

All of the largest surges seen over the last 7 days originate from this single ASN.


Clouflare is in the shield_hyperscaler ruleset that was discussed in the previous Top Offenders post. This traffic is forced into a rate-limiting situation where a flood of traffic automatically triggers a DROP once a set volume is reached. However, even this is challenging as the Cloudflare surges have the largest amount of IP diversity of all those tracked at the firewall.
In order to be more flexible, the shield_hyperscaler ruleset is applied on a /24 network basis. So even if the attacker tries to hide behind a set of IPs, if they come from a small number of /24 networks, they will end up in the DROP bucket.
Leave a Reply