My website is not even setup yet: 522, but got 90k requests in past 30 days?!
Was just checking my domain on Cloudflare and it says I got 90k requests in the past 30 days? I am assuming this is all probably bot traffic. its a made up word domain that doesn't mean anything at the moment, but going to be used as a SaaS.
Is there any way to mitigate this? I am just thinking when I do get my service up and have Cloudflare CDN Cloudflare R2 for images on the website. Wouldn't this wipe nearly all free tier?
I don't want to pay for traffic from all these bots.
2 Replies
Wouldn't this wipe nearly all free tier?R2 on a custom domain benefits from caching, any cache hit won't cost you a class B. There is 10 million class Bs included in free tier, 90k is 0.9% of your included tier, assuming there's no cache hits at all (unlikely) 90k rather high though. I'd expect 5-10k max. There's specific mitigations you can tweak like blocking AI Bots, but if you have nothing on there right now, I'd probably turn on Under Attack Mode (right side of Overview), wait a few hours and check under Security -> Analytics and see where the traffic is coming from
There are always bots lurking around in the web. They knock on every domain, IP address, and port constantly looking for security holes.
Most of them are rudimentary and try all exploits randomly, including ones for applications unrelated to your project, such as Wordpress or PHP.
These bots learn about your domains (including
.workers.dev and .pages.dev) near-instantly using Certificate Transparency logs, which cannot be disabled and are always issued (even on non-Cloudflare platforms).
Some options to help reduce the noise from these bots:
- Disable .workers.dev
- Redirect .pages.dev
- Enable Managed Rulesets (requires Pro plan or above)