How to find which ip is hammering my website?
There is no simple solution to your problem as it is not well defined (particularly with respect of how it reaches your network), however there are a number of tools in your toolbox, including -
Cloudflare passes the CF-Connecting-IP and X-Forwarded-For headers. You should log this information alongside the request - how you do this will depend on your web server. Here is a link on how to do it in Apache.
Once you have the above information you could configure fail2ban to count the number of hits against that log file in a given time and blacklist based on a large volume of hits. Don't underspec this as each element will be recorded in this log file.
Most good web servers will let you handle traffic based on various variables - one to look into is the USER-AGENT string - if this is an off-the-shelf proxy, it will probably set the user-agent string in a way you can pick it up.
Use IPTables - you can limit the maximum number of connections per IP address by using the connlimit module. Look here for an implementation. Unfortunately this won't work too well if you are using cloudflare as all your connections will come from the same IP address.
Banning legitimate users that unknowingly arrive to your website via proxy is a sure way to lose traffic or get a bad reputation. You would do better to attack the proxy via its provider.
An answer on StackOverflow explains in detail a method of using in nginx a combination of headers for serving requests that are only addressed to you via the correct host name. You could adapt this solution for finding out the name of the proxy that was used in the client request, and use this name as described below.
Good advice is provided by this other answer :
Here's a number of strategies you might want to consider:
1. From your server logs, figure out by which means the proxy is downloading your site and selectively change responses for him
e.g. if hes using one specific provider, block or change responses for their address space2. It may be completely sufficient to just informally notify the provider of the proxy
be sure to contact their abuse department directly, not the sales guys. if their server IP is registered by different company than their domain registrar, take the path of least resistance - first ask the provider headquartered in a country closer to yours.3. Depending on the TLD it will be anywhere from trivial to impossible to figure out the operator of the site and/or get a court order that forces their DNS provider to drop them
4. Report them to Google Safe Browsing
Use the optionReport Phishing Page
. This will - if our Google overlords decide so - create a big fat warning for users of the proxy AND it will remove the site from search results. Most users of most browsers are using the Google safe browsing block lists, so this will effect not quite everyone, but close to.