I recently had to build a system to drop inbound traffic originating from Cloudflare ASNs to prevent bad actors using WARP proxies; there are no legitimate Cloudflare traffic use cases for anything inbound.
Getting increasingly sick of Cloudflare.
for BadActor in $(curl -A Mozilla "https://api.cloudflare.com/local-ip-ranges.csv"|grep -Ev "::|/32"|awk -F "," '{print $1}'|sort | uniq); do ip route add blackhole "${BadActor}" 2>/dev/null;done
I do something similar; seems to get the job done.
Something similar can be done with AWS EC2.
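
A more defensive take on the one-liner posted above, added here as an example and not written by any of the commenters: it checks each downloaded entry before it can reach `ip route`, so a malformed or overly broad prefix such as 0.0.0.0/0 never gets blackholed. The function names, the /8 floor and the sample rows are assumptions made for illustration; the only thing taken from the thread is that column 1 of the CSV holds the prefix.

```shell
#!/bin/sh
# Added example: vet a downloaded range list before it reaches `ip route`.
# Assumption taken from the one-liner above: CSV column 1 is the prefix.

MIN_LEN=8    # assumed floor: refuse anything broader (0.0.0.0/0 would blackhole everything)
MAX_LEN=31   # the original one-liner also drops /32 entries

# Read CSV on stdin, print unique, syntactically valid IPv4 CIDRs on stdout.
parse_ranges() {
    awk -F, -v min="$MIN_LEN" -v max="$MAX_LEN" '
    {
        cidr = $1
        gsub(/[ \t\r"]/, "", cidr)
        # IPv6 entries, header rows and free text all fail this shape check.
        if (cidr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) { bad++; next }
        split(cidr, p, "[./]")
        ok = (p[5] + 0 >= min && p[5] + 0 <= max)
        for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
        if (!ok) { bad++; next }
        if (!seen[cidr]++) print cidr
    }
    END { if (bad) printf "skipped %d line(s)\n", bad > "/dev/stderr" }'
}

# Turn prefixes into `ip -batch` input; `replace` keeps repeated runs idempotent.
to_batch() { sed 's/^/route replace blackhole /'; }

# Constructed sample input (documentation ranges, not real provider data).
SAMPLE='ip_prefix,note
192.0.2.0/24,constructed
192.0.2.0/24,duplicate
2001:db8::/32,ipv6
0.0.0.0/0,too broad
203.0.113.7/32,host route
999.1.1.0/24,bad octet
198.51.100.128/25,constructed'

# Dry run: print what would be applied, change nothing.
printf '%s\n' "$SAMPLE" | parse_ranges | to_batch

# Live use as root (not run here), with URL set to the list from the thread:
#   curl -fsS -A Mozilla "$URL" | parse_ranges | to_batch | ip -batch -
```

With `curl -f`, an HTTP error produces no output, so a failed download installs no routes instead of feeding an error page into the parser.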