Solving the Multi-Location IP Mystery: Cloudflare, Bots, and Your Website Logs

January 24, 2026

Many website operators face the challenge of identifying and managing bot traffic. A common scenario involves seeing a single IP address appearing to originate from multiple, geographically diverse locations, leading to confusion and concern about unusual bot activity. This often points to a misunderstanding of how network infrastructure, particularly reverse proxies and Content Delivery Networks (CDNs) like Cloudflare, handle traffic.

The Cloudflare Proxy Effect

When a website uses a service like Cloudflare, Cloudflare acts as a reverse proxy, sitting between the website's origin server and the internet. All incoming traffic from users or bots first hits Cloudflare's global network of edge servers (Points of Presence or PoPs). Cloudflare then forwards these requests to the origin server. Consequently, the origin server's logs will show Cloudflare's IP addresses as the source of the requests, not the actual client's IP address.

The example IP 173.245.58.0 is indeed owned by Cloudflare. The observation of this single IP appearing to request from various data centers (like Chicago, San Jose, Singapore) is a natural consequence of Cloudflare's architecture. Different user requests, coming from different parts of the world, are routed to the nearest Cloudflare PoP. These different PoPs then proxy the requests to the origin, potentially using an IP from the same Cloudflare IP range, leading the origin server to see requests from what appears to be "one IP" across many locations.

Retrieving the Real Visitor IP

To accurately identify the true source of traffic, website operators must inspect the HTTP headers added by Cloudflare. The crucial headers are:

  • X-Forwarded-For: A standard header often used by proxies to indicate the original client IP address.
  • CF-Connecting-IP: A Cloudflare-specific header that provides the client's IP address.

Many web servers and application frameworks can be configured to log these headers correctly. For instance, users of WordPress with the Wordfence plugin can select the appropriate header source. Utilizing Cloudflare's own analytics tools is also highly recommended, as they offer rich insights into traffic patterns, including bot management features.
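As an added example (not from the original article), here is a Python sketch of how an origin might attribute requests to the real client. It honours the forwarding headers only when the connecting peer falls inside Cloudflare's ranges, since a client that reaches the origin directly can set these headers itself. The range list is a sample subset, the function names are hypothetical, and the log records are constructed.

```python
import ipaddress
from collections import Counter

# Sample subset of Cloudflare's published IPv4 ranges (assumption: a real
# deployment loads the full current list from https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "162.158.0.0/15")]

def is_cloudflare(peer):
    """True if the TCP peer address belongs to a listed Cloudflare range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def client_ip(peer, headers):
    """Return the address a request should be attributed to."""
    if not is_cloudflare(peer):
        return peer  # direct hit on the origin: forwarding headers are untrusted
    h = {k.lower(): v for k, v in headers.items()}
    candidate = h.get("cf-connecting-ip")
    if candidate is None and "x-forwarded-for" in h:
        # The rightmost entry is the one appended by the trusted proxy;
        # entries to its left were supplied by the client side.
        candidate = h["x-forwarded-for"].split(",")[-1]
    try:
        return str(ipaddress.ip_address((candidate or "").strip()))
    except ValueError:
        return peer  # header missing or malformed: fall back to the peer

def tally(records):
    """Count requests per resolved client address."""
    return Counter(client_ip(peer, hdrs) for peer, hdrs in records)

# Constructed log records: (peer address seen by the origin, request headers).
SAMPLE = [
    ("173.245.58.0", {"CF-Connecting-IP": "203.0.113.10"}),
    ("173.245.58.0", {"CF-Connecting-IP": "198.51.100.7"}),
    ("173.245.58.0", {"CF-Connecting-IP": "203.0.113.10"}),
    ("173.245.58.0", {"X-Forwarded-For": "10.0.0.1, 198.51.100.7"}),
    ("192.0.2.55", {"CF-Connecting-IP": "203.0.113.10"}),  # spoofed, direct
]

if __name__ == "__main__":
    for ip, count in tally(SAMPLE).most_common():
        print(ip, count)
```

Four requests that the raw log shows as coming from 173.245.58.0 resolve to two distinct clients, while the direct request with a forged header is attributed to its own peer address.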

Understanding Anycast Routing

The phenomenon of a single IP address appearing to originate from multiple physical locations is explained by Anycast routing. Cloudflare extensively uses Anycast for its ingress network, meaning when a client tries to connect to a Cloudflare-protected website, the DNS resolution and BGP routing direct that client's traffic to the geographically closest Cloudflare PoP advertising that IP. This optimizes latency and helps distribute load. While there are nuances about Cloudflare's egress Anycast (/24 vs /32 routing), the primary takeaway for this specific issue is that different Cloudflare PoPs, geographically distributed and using Anycast, are handling traffic and forwarding it to the origin, leading to the observed multi-location effect.

Legitimate Traffic that Looks Like Bots

Not all traffic from Cloudflare or similar large networks is malicious. For example, Apple's iCloud Private Relay uses Cloudflare and Akamai infrastructure to anonymize user traffic. Legitimate users with this feature enabled will appear to originate from Cloudflare (or Akamai) IPs, potentially across different regions as their traffic exits through various relay points. Website owners can reference published lists of iCloud Private Relay egress IP ranges to differentiate this traffic.

When to Worry About Bot Traffic (and When Not To)

A crucial point is the scale of the "bot problem." Hundreds of requests per day, even from an unknown source, might be considered normal background noise for a public website. Modern web servers and hosting environments are typically robust enough to handle this level of traffic without significant performance or cost implications. Excessive focus on low-volume bot activity can be more detrimental than the bots themselves.

However, if bot traffic becomes truly disruptive—reaching hundreds of thousands of requests per day, targeting database-intensive operations, or actively seeking vulnerabilities—then action is warranted.

Strategies for Managing Unwanted Traffic

For genuinely problematic bot traffic, several strategies can be employed:

  • Utilize Cloudflare's security features: Cloudflare offers robust bot management, WAF rules, and rate limiting capabilities.
  • Block at the ASN level: If a specific Autonomous System Number (ASN) is consistently associated with malicious bot activity (e.g., from known scraping data centers), blocking at the ASN level can be effective. However, this must be done cautiously, as blocking an entire ASN or geographical region can inadvertently block legitimate users. The impact on legitimate users should be carefully weighed against the benefits of blocking.
  • Implement server-side tools: Tools like fail2ban can automatically block IPs that exhibit suspicious behavior (e.g., too many failed login attempts, excessive requests).
  • Monitor user agents: Analyze user-agent strings in logs to identify common bot patterns.
  • Advanced IP analysis: For deep dives, resources like Regional Internet Registry (RIR) whois/peering databases (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) and delegation files can provide detailed information about IP blocks and their owners, allowing for more informed blocking decisions.

By understanding the underlying network mechanisms and leveraging available tools, website operators can effectively distinguish between benign network phenomena and genuinely harmful bot traffic, ensuring a healthy online presence without unduly impacting legitimate users.
