# cloudflare-traffic-investigator

## Investigating Traffic on Cloudflare-Protected Domains
Investigate unusual traffic patterns on Cloudflare-protected domains that cause downstream service failures (e.g., service overload, database saturation, API rate limiting). This skill walks through a structured investigation from confirming the spike through to a full incident report.

## Arguments

| Argument | Description |
|---|---|
| | Cloudflare-protected domain to investigate (e.g., …) |
| | Cloudflare zone ID for the domain (e.g., …) |
| | (optional) Time range to investigate (e.g., …) |

If domain or zone ID is not provided, ask the user via `AskUserQuestion`. Time range is collected in Step 1 if not passed here.
## Investigation Workflow
Follow these steps in order. Each step file contains detailed instructions and example Cloudflare GraphQL queries.
- Get parameters — Collect time range and zone info
- Confirm spike — Query hourly traffic to verify the anomaly
- Minute-level detail — Narrow to exact spike timing
- Identify culprit JA4 — Find JA4 fingerprints with highest request counts
- Analyze traffic — For top JA4s, identify paths, user IDs, ASNs
- Verify legitimacy — Check bot scores, WAF scores, User-Agent
- Extract top users — Find which users made the most requests
- Synthesize & report — Combine findings into an incident report
## Cloudflare API MCP

All Cloudflare interactions use two tools:

- `mcp__cloudflare-api__search` — Discover API endpoints by searching the OpenAPI spec
- `mcp__cloudflare-api__execute` — Execute API calls via `cloudflare.request()` (GraphQL analytics via POST to `/graphql`, Radar via REST, zone operations via `/zones`)

See Cloudflare API MCP Reference for query patterns and examples.
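To make the "Confirm spike" step concrete, here is an added example (not the skill's own code) that builds the hourly GraphQL request the execute tool would POST to `/graphql` and flags hours more than 50% above the median hour. The `httpRequests1hGroups` dataset and its fields follow Cloudflare's public GraphQL schema and should be verified with the search tool; the response data is constructed.

```python
# Added example (not the skill's own code): builds the hourly-traffic GraphQL
# request used in the "Confirm spike" step and finds the anomalous hour(s).
# Field names follow Cloudflare's public GraphQL Analytics schema
# (httpRequests1hGroups); verify them with the search tool before relying on them.
import statistics

HOURLY_QUERY = """
query HourlyTraffic($zoneTag: String!, $start: Time!, $end: Time!) {
  viewer {
    zones(filter: {zoneTag: $zoneTag}) {
      httpRequests1hGroups(
        limit: 168,
        filter: {datetime_geq: $start, datetime_lt: $end},
        orderBy: [datetime_ASC]
      ) { dimensions { datetime } sum { requests } }
    }
  }
}
"""

def hourly_request_body(zone_tag, start, end):
    """JSON body for a POST to /graphql (what the execute tool sends)."""
    return {"query": HOURLY_QUERY,
            "variables": {"zoneTag": zone_tag, "start": start, "end": end}}

def find_spike_hours(response, threshold=0.5):
    """Hours whose request count exceeds the median hour by more than
    `threshold` (0.5 = the page's '>50% above baseline' line).
    Returns [(datetime, requests, ratio_above_baseline), ...]."""
    groups = response["data"]["viewer"]["zones"][0]["httpRequests1hGroups"]
    counts = [g["sum"]["requests"] for g in groups]
    baseline = statistics.median(counts)  # median is robust to the spike itself
    spikes = []
    for g in groups:
        n = g["sum"]["requests"]
        ratio = round(n / baseline - 1, 2)
        if ratio > threshold:
            spikes.append((g["dimensions"]["datetime"], n, ratio))
    return spikes

# Constructed sample response (not real zone data): one clear spike at 14:00,
# plus a 40% bump at 13:00 that stays below the threshold.
SAMPLE_RESPONSE = {"data": {"viewer": {"zones": [{"httpRequests1hGroups": [
    {"dimensions": {"datetime": f"2024-05-01T{h:02d}:00:00Z"}, "sum": {"requests": r}}
    for h, r in [(10, 980), (11, 1010), (12, 1000), (13, 1400),
                 (14, 2500), (15, 990), (16, 1000)]
]}]}}}

if __name__ == "__main__":
    print(find_spike_hours(SAMPLE_RESPONSE))
```

Once the spike hour is known, the same shape of query against `httpRequests1mGroups` narrows it to the minute (Step 3).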
## JA4 TLS Fingerprints

- Format: `t13d311200_e8f1e7e78f70_d339722ba4af`
- A single fingerprint across millions of requests indicates backend service configuration, not individual users
- Useful for identifying automated/service-to-service traffic
- Cross-reference with Known Fingerprints before flagging as unknown
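The fingerprint format above carries readable information in its first segment. The following is an added example (not the skill's own code) that decodes the JA4_a fields per the public JA4 specification; the `likely_non_browser` heuristic is this example's own assumption, not a rule from the page, and the second test fingerprint is constructed.

```python
# Added example (not the skill's own code): decodes the readable JA4_a segment
# of a JA4 fingerprint per the public JA4 specification, so an analyst can see
# what a fingerprint says about the client before matching it against Known
# Fingerprints. The _b/_c segments are truncated hashes and are only reported.
TLS_VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1",
                "10": "TLS 1.0", "s3": "SSL 3.0", "00": "unknown"}
ALPN_HINTS = {"00": "none", "h2": "HTTP/2", "h1": "HTTP/1.1"}

def parse_ja4(fingerprint):
    """Split 'JA4_a_JA4_b_JA4_c' and decode the fixed-width JA4_a fields."""
    parts = fingerprint.split("_")
    if len(parts) != 3:
        raise ValueError("JA4 fingerprint must have three '_'-separated parts")
    a, b, c = parts
    if len(a) != 10:
        raise ValueError("JA4_a must be exactly 10 characters")
    return {
        "transport": {"t": "TCP", "q": "QUIC"}.get(a[0], a[0]),
        "tls_version": TLS_VERSIONS.get(a[1:3], a[1:3]),
        "sni": "domain" if a[3] == "d" else "ip (no SNI)",
        "cipher_count": int(a[4:6]),
        "extension_count": int(a[6:8]),
        "alpn": ALPN_HINTS.get(a[8:10], a[8:10]),  # first+last char of ALPN value
        "cipher_hash": b,       # truncated SHA-256 of sorted ciphers
        "extension_hash": c,    # truncated SHA-256 of sorted extensions
    }

def likely_non_browser(parsed):
    """Heuristic (this example's assumption, not a rule from the page):
    mainstream browsers advertise ALPN, so a client sending none is more often
    a library or service client, which fits the page's note that one
    fingerprint across millions of requests is a backend configuration."""
    return parsed["alpn"] == "none"

if __name__ == "__main__":
    p = parse_ja4("t13d311200_e8f1e7e78f70_d339722ba4af")
    print(p, likely_non_browser(p))
```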
## Cloudflare Sampled Data
Firewall events use adaptive sampling. Numbers are sampled counts, not actual totals. Use them for pattern identification and relative comparisons — top users in sample likely represent top users overall. Always note this in reports.
## Common Failure Patterns
Quickly identify root causes using these patterns:
| Pattern | Signal | Resolution |
|---|---|---|
| Circuit Breaker Cascade | 429 → timeout → breaker opens | Scale service or add rate limiting |
| Retry Storm | Error count exceeds initial traffic | Add exponential backoff, client-side circuit breaker |
| Single User Amplification | One user dominates request count | Contact user, fix frontend logic |
| Undersized Service | Normal distribution, fails at <10 req/sec | Scale service capacity urgently |
| Cascading Failure | Multiple services failing sequentially | Isolate fault, restart root service |
| Cache Stampede | Spike after cache expiration | Cache lock, stale-while-revalidate |
Detailed descriptions and resolution steps: Failure Patterns Reference
## Escalation Criteria
| Priority | Condition |
|---|---|
| P1 — Immediate | Service 429 errors / circuit breaker open, >10% error rate, cascading failures |
| P2 — High | Single user >500 req/hour on critical endpoint, sustained spike >50% above baseline, multiple dependencies affected |
| P3 — Monitor | Moderate increase <50% above baseline, isolated user anomalies |
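The table above can be applied mechanically to the findings collected in Steps 2 to 7. This is an added example (not the skill's own code) that encodes those thresholds and the "calculate actual req/sec" tip; the keys of the `findings` dict are this example's own assumptions, the thresholds are the page's.

```python
# Added example (not the skill's own code): applies the Escalation Criteria
# table to a findings dict and computes the actual req/sec for the report.
# The findings keys are assumed by this example; the thresholds are the page's.
def requests_per_second(request_count, window_seconds):
    """Actual service load over the investigated window."""
    if window_seconds <= 0:
        raise ValueError("window must be positive")
    return request_count / window_seconds

def escalation_priority(f):
    """Return 'P1', 'P2' or 'P3'; a higher priority condition wins.
    Assumed keys: status_429, circuit_breaker_open, cascading_failures (bool);
    error_rate (0.0-1.0); top_user_req_per_hour (on a critical endpoint);
    spike_above_baseline (0.5 == 50% above baseline); spike_sustained (bool);
    dependencies_affected (int)."""
    if (f.get("status_429") or f.get("circuit_breaker_open")
            or f.get("error_rate", 0.0) > 0.10 or f.get("cascading_failures")):
        return "P1"
    if (f.get("top_user_req_per_hour", 0) > 500
            or (f.get("spike_sustained")
                and f.get("spike_above_baseline", 0.0) > 0.5)
            or f.get("dependencies_affected", 0) > 1):
        return "P2"
    # Moderate (<50%) increases, isolated user anomalies, and short-lived
    # spikes the table does not list fall through to monitoring.
    return "P3"

def triage(request_count, window_seconds, f, sampled=True):
    """Summary fields for the incident report. Counts taken from firewall
    events are sampled (see Cloudflare Sampled Data), so the report says so."""
    out = {"priority": escalation_priority(f),
           "req_per_sec": round(requests_per_second(request_count, window_seconds), 2)}
    if sampled:
        out["note"] = "request counts are Cloudflare sampled counts, not totals"
    return out

if __name__ == "__main__":
    print(triage(9000, 600, {"error_rate": 0.12}))
```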
## Incident Report
Document findings using the Incident Report Template covering metrics, timeline, security analysis, root cause, and recommendations.
## Tips

- Ask for time range first using `AskUserQuestion` if not provided
- Identify JA4 dynamically — query Cloudflare, don't assume
- Only ask the user about unknown/suspicious User-Agents — skip well-known bots and clearly internal services
- Calculate actual req/sec to understand service load
- Document findings immediately using the incident template
## Reference Files

### Steps
- Get parameters
- Confirm spike
- Minute-level detail
- Identify culprit JA4
- Analyze traffic
- Verify legitimacy
- Extract top users
- Synthesize & report
### References
- Cloudflare API MCP
- Known Fingerprints
- Security Scores
- Failure Patterns
- Incident Report Template