Is Cloudflare abusing my SSH?

Submitted by
Style Pass
2021-09-25 10:00:09

Everyone knows Cloudflare and its DDoS protection service. But recently I have observed strange traffic coming from 8.0.0.0/9 in my endlessh logs.

When I looked more closely, I was surprised: all those probes were from AS13335 (Cloudflare, 164 /24 subnets). I could not imagine any legitimate scenario for such abusive probing (this is not a simple SYN scan, but a full 3-way handshake and an attempt to establish an SSH connection, as when bots brute-force credentials). I have tried to report the abuse to abuse [@] centurylinkservices [.] net and abuse [@] cloudflare [.] com, and even via the form on their website, but no answer was received besides automatic replies like “Due to the pass-through nature of our services, our IP addresses appear in WHOIS and DNS records for websites using Cloudflare.”

I have sent them multiple pcap dumps and logs from honeypots, including a link to blocklist.de, but they just ignore me. This is why this blog post is being written. Maybe public attention will uncover the truth and desired goals of Cloudflare.
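To check a tarpit log for the same pattern, the following added example (not code from the original post) groups endlessh `CLOSE` entries from 8.0.0.0/9 by /24 subnet. It assumes endlessh's `ACCEPT`/`CLOSE host=... time=... bytes=...` line format; the sample lines are constructed, and `summarize` and `source_ip` are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed line shape: "<timestamp> CLOSE host=<ip> port=<n> fd=<n> time=<sec> bytes=<n>"
CLOSE_RE = re.compile(r"^\S+ CLOSE host=(\S+) port=\d+ fd=\d+ time=([\d.]+) bytes=(\d+)")
WATCHED = ipaddress.ip_network("8.0.0.0/9")  # range named in the post

# Constructed sample lines, not taken from the author's logs.
SAMPLE_LOG = """\
2021-09-20T10:00:00.000Z ACCEPT host=::ffff:8.20.1.5 port=40112 fd=4 n=1/4096
2021-09-20T10:00:30.120Z CLOSE host=::ffff:8.20.1.5 port=40112 fd=4 time=30.120 bytes=62
2021-09-20T10:01:12.500Z CLOSE host=::ffff:8.20.1.77 port=51800 fd=5 time=12.500 bytes=20
2021-09-20T10:02:05.000Z CLOSE host=8.44.9.3 port=33010 fd=4 time=5.000 bytes=10
2021-09-20T10:03:09.000Z CLOSE host=::ffff:8.200.1.1 port=41000 fd=4 time=9.000 bytes=15
2021-09-20T10:05:40.000Z CLOSE host=203.0.113.7 port=60222 fd=6 time=100.000 bytes=200
"""

def source_ip(host):
    """Parse the host= value, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr

def summarize(log_text, network=WATCHED):
    """Per-/24 totals for closed connections whose source lies in `network`.

    endlessh only logs a client after accept() returns, so every counted
    entry completed the TCP handshake; a bare SYN scan leaves no such line.
    """
    per_subnet = defaultdict(lambda: {"connections": 0, "seconds": 0.0, "bytes": 0})
    for line in log_text.splitlines():
        m = CLOSE_RE.match(line)
        if not m:
            continue  # ACCEPT lines and anything unrecognised
        try:
            ip = source_ip(m.group(1))
        except ValueError:
            continue  # malformed host field
        if ip.version != 4 or ip not in network:
            continue
        subnet = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        per_subnet[subnet]["connections"] += 1
        per_subnet[subnet]["seconds"] += float(m.group(2))
        per_subnet[subnet]["bytes"] += int(m.group(3))
    return dict(per_subnet)
```

The number of keys in the result is the count of distinct /24 subnets seen; mapping those subnets to an AS number needs a separate routing or WHOIS data source.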
