How-to

The IPs Page

See which client IPs are sending the most traffic, drill into any IP for its behaviour, and escalate to a forensic sample when needed.

3 min readLast updated 26 April 2026
Jump to section

What the IPs page is for

The IPs page sits alongside the existing Offenders (ASN) and Paths pages as a first-class surface for the third important dimension: who, at the IP level, is sending us traffic?

ASN tells you "which network." Path tells you "which endpoint." IP tells you "which individual client." Combined with ASN and path, it's the answer to "is this one bot or many humans?".

How the list is built

IPs are captured on a separate Analytics Engine dataset (edge_request_ips) with a minimal 6-blob schema: tenant, source, IP, ASN, country, top path. The dataset exists separately from the main rollup because IP cardinality (thousands per 5-minute batch) would blow the main dataset's write budget.

Only the top IPs per batch are captured — typically the top 24 per source. The long tail of single-request visitors aggregates into an *other catch-all, so totals stay accurate even though individual visitors disappear. For deeper investigation, use the forensic IP sampling tool at /admin/ip-discovery — see the Forensic IP sampling article.

Columns

  • IP — the client IP (IPv4 or IPv6)
  • ASN — the autonomous system this IP belongs to, with the friendly name and country flag where known
  • Country — client country from Cloudflare's geo-IP (not the ASN headquarters)
  • Top path — the path this IP is most frequently hitting in the current range (argMax over request count)
  • Requests / Share / Bytes — standard volume metrics

Typical workflows

  • "Who is hitting this path?" — open Path detail → "Investigate IPs" button → prefilled forensic window. Or scroll the Path detail page to the Top IPs card (continuous top-N).
  • "Who is this single IP?" — click any IP in the list → IP detail page → see all paths this IP has touched, request timeseries, ASN/country.
  • "Which IPs does this ASN have?" — open ASN detail → Top IPs in this ASN card. Cross-drill from the ASN side back to individual offenders.
  • "Copy a blocklist" — from the IPs page, use the Copy blocklist button to get all visible IPs, one per line, formatted for Cloudflare IP list import.

Pin and ignore

Same pattern as the ASN and Path pages:

  • Pin — float this IP to the top of the list. Use for IPs you're actively watching.
  • Ignore — hide this IP by default. Use for known-good egress IPs (payment gateway webhooks, health check pings) so they stop appearing in your ranked list.

Both are per-tenant and persist in local storage.

Forensic escalation

The continuous IPs page shows the top-N. When you need the full tuple list for a specific path — every IP that hit it over a short window — click Investigate IPs on any Path detail page. This opens a time-boxed sampler that captures 2,000+ unique (path, IP) tuples to KV for up to an hour, then auto-expires after 24 hours. See the Forensic IP sampling article for the full workflow.

Still stuck? Email support or open the support widget in the bottom-right.