Cloudflare-Radar-Scanner
Scanner User-Agent:cloudflare-radar-scanner
⚠️ Overview
Cloudflare-Radar-Scanner is a legitimate web crawler operated by Cloudflare, Inc. as part of its Cloudflare Radar service, designed to collect internet-wide data on technology adoption, security protocols, and performance metrics according to Cloudflare’s official documentation at developers.cloudflare.com/radar. However, threat actors frequently spoof this User-Agent string to evade detection by security tools that whitelist Cloudflare’s traffic, making the impersonated version a confirmed malicious bot when used for unauthorized reconnaissance or attacks.
🔧 Technical Capabilities
The genuine Cloudflare Radar Scanner performs non‑destructive HTTP requests to gather information such as HTTP headers, TLS configurations, and web framework signatures. Malicious impersonators leverage the same User‑Agent to conduct stealthy port scanning, directory brute‑forcing, and vulnerability probing against web applications. They may execute SQL injection attempts, cross‑site scripting (XSS) probes, or credential stuffing, all while appearing as legitimate cloud infrastructure traffic. The bot typically targets login pages, admin panels, and API endpoints to enumerate technologies and discover weaknesses. Unlike the real scanner which respects robots.txt and uses fixed IP ranges published by Cloudflare, malicious versions ignore crawl rules and may originate from residential proxies or compromised servers.
📜 History & Notable Incidents
Abuse of the Cloudflare-Radar-Scanner User‑Agent was first widely reported in 2020 when security researchers at SANS ISC observed fake scanner traffic correlating with automated exploit attempts against WordPress plugins. In 2022, a campaign tracked by Unit 42 used this impersonation to bypass web application firewalls (WAFs) that trusted Cloudflare’s ASNs, leading to successful compromises of e‑commerce sites. No CVEs are directly associated with the impersonator, but the technique is documented in multiple threat intelligence reports as a social‑engineering vector against IP‑based allowlists.
🔍 Detection Indicators
The legitimate User‑Agent string is Mozilla/5.0 (compatible; Cloudflare-Radar-Scanner/1.0; +https://developers.cloudflare.com/radar/). Behavioral fingerprints include unusually high request rates (≥100 queries per second), requests to non‑standard ports (e.g., 8080, 8443), and failure to parse robots.txt entries. Malicious versions often omit the “compatible” token or alter the version number. Traffic analysis should flag requests from IPs outside Cloudflare’s published IP ranges (e.g., 173.245.48.0/20) or lacking the common TLS fingerprint of Cloudflare’s edge servers.
☠️ Risk & Impact
A successful attack using a spoofed Cloudflare-Radar-Scanner can lead to full disclosure of application architecture, exposure of sensitive configuration files, extraction of user credentials, or database exfiltration. Because the bot mimics a trusted source, security teams may overlook early‑stage reconnaissance, allowing attackers to escalate privileges before detection.
🛡️ Mitigation
This bot is blocked immediately on detection because its User‑Agent can be trivially falsified; relying on it for allowlisting creates a critical bypass. Organizations must instead validate the source IP against Cloudflare’s official IP lists and implement rate‑limiting, challenge‑based defenses (e.g., CAPTCHA), and behavioral anomaly detection to distinguish the real scanner from malicious impostors.
Similar Threats
🛡️
Stop Bots. Save Bandwidth. Protect Revenue.
Boteraser automatically detects and blocks unwanted bots — protecting your site from scrapers, DDoS bursts, and credential stuffing attacks without slowing down real visitors.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.