Hosting & cloud providers / Cloudflare

Cloudflare IP ranges & what they mean for fraud

Cloudflare publishes the egress ranges of its CDN and WARP infrastructure. Most traffic you see *through* Cloudflare carries the visitor’s real IP in headers — these ranges matter when a request *originates* from Cloudflare infrastructure itself.

22published prefixes tracked (15 IPv4, 7 IPv6)
~1.5 millionIPv4 addresses covered (published lists may overlap)
16 July 2026feed snapshot date — refreshed continuously in production

How Sentinel uses these ranges

Because Cloudflare is a CDN, the useful distinction is traffic originating from these ranges versus traffic merely served through them — Sentinel's signal applies to the former. The numbers above come from Cloudflare's own published range feed — the same feed Sentinel's verdict pipeline refreshes continuously, so a new range is scored within hours of publication, not whenever a static database ships.

Range data adds a signal; it never overrides deeper network detection. VPN exits live in datacenters, so a range hit doesn't short-circuit tunnel analysis — an IP in Cloudflare's ranges that is also a VPN exit gets both signals, and your policy sees the full picture in the reasons array.

Should you block Cloudflare traffic?

A request originating from CDN infrastructure (rather than being proxied through it for a website) is unusual for a human visitor — commonly a Worker, a WARP exit, or automation.

The honest answer is: it depends on the surface. A datacenter IP on a signup, login, or checkout is a strong review signal — humans overwhelmingly arrive from residential and mobile networks. The same IP calling your API is often just a legitimate backend. Sentinel returns the raw signal so you can apply exactly that asymmetric policy instead of a blanket block.

Check any IP right now with the free IP lookup — no account needed — or exercise the full verdict from your terminal:
curl -X POST https://sntlhq.com/v1/evaluate \
  -H "Authorization: Bearer sk_test_sandbox" \
  -H "Content-Type: application/json" \
  -d '{"token":"test_datacenter"}'

The sandbox key returns the documented datacenter-verdict shape (decision, risk_score, network.datacenter) — no signup required. Details in the API docs.

Score every request against live Cloudflare ranges.
Free tier: 1,000 requests/hour. No card, no expiry.
Get a free API key
AWS Microsoft Azure Google Cloud Oracle Cloud DigitalOcean Linode/Akamai Vultr Fastly