There are two circumstances in which it will appear that Cloudflare is attacking you even though
Cloudflare is not sending any attack traffic at all.
1. You're a Cloudflare customer with a domain on Cloudflare. Since we are a reverse proxy for sites
using our service, our IPs will show in your server logs until you install something on your
server to restore the original visitor IP (mod_cloudflare for Apache servers, for example).
Solutions for Apache, Nginx & other servers.
2. You're getting attacks from Cloudflare's IPs because they are being spoofed. Cloudflare does not
send traffic over anything other than http:// (ports 80 and 443), so getting attacked by UDP requests
means you probably have an open recursor on your DNS server that is helping with a DNS amplification
attack. You should secure your server to prevent these DNS attacks.
How DNS Amplification Attacks Work
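The two circumstances above can be told apart from flow records by protocol and destination port. The following is an added example, not Cloudflare's code: the "src_ip proto dst_port" record format, the function names and the sample lines are constructed for illustration, and PROXY_RANGES holds placeholder documentation ranges that stand in for Cloudflare's published IP list.

```python
import ipaddress
from collections import Counter

# Placeholder ranges (RFC 5737 documentation nets), NOT Cloudflare's real ranges.
# Assumption: in real use, load the provider's currently published IP list here.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample flow records: "src_ip proto dst_port"
SAMPLE = """\
198.51.100.7 tcp 443
198.51.100.7 tcp 80
203.0.113.20 udp 53
203.0.113.21 udp 53
203.0.113.9 tcp 22
192.0.2.44 tcp 443
"""

def from_proxy(ip, ranges=PROXY_RANGES):
    """True when the source address falls inside one of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def classify(record, ranges=PROXY_RANGES):
    """Map one flow record to the circumstance it matches."""
    src, proto, port = record.split()
    proto, port = proto.lower(), int(port)
    if not from_proxy(src, ranges):
        return "not-proxy-source"
    if proto == "tcp" and port in (80, 443):
        # Circumstance 1: ordinary proxied requests; restore the visitor IP.
        return "proxied-web-traffic"
    if proto == "udp" and port == 53:
        # Circumstance 2: spoofed source hitting a resolver; check for an open recursor.
        return "spoofed-dns-query"
    if proto == "udp":
        # The proxy does not send UDP, so the source address is spoofed.
        return "spoofed-udp"
    # Fits neither circumstance: collect source/destination IPs and a capture.
    return "needs-investigation"

def summarize(text, ranges=PROXY_RANGES):
    """Count records per category across a block of flow records."""
    return Counter(classify(line, ranges) for line in text.splitlines() if line.strip())

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {count}")
```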
If your situation does not fit any of the circumstances listed above, please provide the information
requested below and we can provide solutions for handling an issue that looks like an attack from us.
Required information to investigate:
* source IP(s) you are seeing the traffic from
* destination IP(s) on your side
* IP packet contents
* (if possible) tcpdump output captured with -vvv -s0 -n
If you have additional questions, contact your recursive DNS provider (e.g. OpenDNS or Google DNS). If you
are not sure who your recursive DNS provider is, it is most likely your ISP providing recursive DNS services.