Why does Cloudflare Attacking Me?
There are two circumstances where it will appear that Cloudflare is attacking you, when Cloudflare would not be sending any attack traffic at all.
1. You’re a Cloudflare customer with a domain on Cloudflare. Since we are a reverse proxy for sites using our service, our IPs are going to show in your server logs until you install something on your server to restore original visitor IP (mod_cloudflare for Apache servers, for example).
Solutions for Apache, Nginx & other servers.
2. You’re getting attacks from Cloudflare’s IPs because they are being spoofed. Cloudflare does not send traffic over anything other than http:// (ports 80 and443), so getting attacked by UDP requests means you probably have an open recursor on your DNS server that is helping with a DNS amplification attack. You should secure your server to prevent these DNS attacks.
How DNS Amplification Attacks Work
If your situation does not fit any of the circumstances listed above, please provide the information requested below and we can provide solutions for handling an issue that looks like an attack from us.
Required information to investigate:
source IP(s) you are seeing the traffic from
destination IP(s) on their side
IP packet contents
(if possible) tcpdump output in -vvv -s0 -n format
If you have additional questions, contact your recursive DNS provider (i.e. OpenDNS or Google DNS). If you are not sure who your recursive DNS provider is then it is most likely your ISP providing recursive DNS services.