TL;DR
An e-commerce operator says most recent bot traffic is concentrated on one or two IP addresses that produce hundreds of daily requests and lack reverse DNS. Cloudflare mapping shows that a single reported source IP appears to be requesting the site from many data-center locations across the U.S. and Singapore. A commenter recommends checking ASN and regional Internet registry whois/delegation data instead of relying solely on Cloudflare's interpretation.
What happened
The site owner, running an e-commerce site, reported an uptick in bot traffic. Much of that traffic can be traced to one or two IP addresses that generate hundreds of requests per day and have no reverse DNS entries. When the owner mapped the hits through Cloudflare, one of those IPs showed request counts attributed to many different data-center locations across the United States and a presence in Singapore. The post included a sample address (173.245.58.0) with request counts attributed to specific metro points such as Chicago (ORD), San Jose (SJC), Los Angeles (LAX) and others, ranging from more than 300 requests in some metros down to around 130 in Singapore. In comments, a respondent characterized this class of traffic as normal for public websites, suggested it often causes little measurable cost or load, and advised investigating the IP's ASN and RIR whois/delegation files rather than depending solely on Cloudflare's geographic interpretations.
Why it matters
- Misleading geo-IP mapping can complicate decisions about blocking, rate-limiting or other mitigations.
- High request counts concentrated on one or two IPs can look alarming even if they may not materially affect performance or cost.
- Relying solely on a CDN or service provider's geography output can hide the underlying network owner or routing context.
- Investigating ASN and RIR whois/delegation records can provide more authoritative ownership and routing information for an IP.
Key facts
- Site operator reports recent increase in bot traffic affecting an e-commerce site.
- Most of the suspicious hits trace to one or two IP addresses with no reverse DNS entries.
- Reported per-IP volumes are in the hundreds of requests per day.
- Cloudflare's mapping attributed a single IP to multiple U.S. data-center metros plus Singapore.
- Example IP cited in the post: 173.245.58.0.
- Example request counts by metro for that IP include: Chicago (ORD) 340, San Jose (SJC) 330, Los Angeles (LAX) 310, Atlanta (ATL) 310, Dallas-Fort Worth (DFW) 290, Newark (EWR) 280, Washington (IAD) 230, Miami (MIA) 210, Boston (BOS) 140, Singapore (SIN) 130.
- A commenter recommended looking up the IP's ASN and consulting RIR whois and delegation files for investigation.
- The commenter noted that hundreds of requests per day are often manageable and cautioned not to overreact to public web crawlers.
What to watch next
- Perform ASN and RIR whois/delegation lookups for the IPs cited (recommended in the source).
- Confirm whether the traffic causes measurable performance or cost impact on the website — not confirmed in the source.
- Check for reverse DNS or PTR records on the offending IPs to aid attribution — not confirmed in the source.
- Monitor whether the same pattern persists across days and different IPs to distinguish transient scans from sustained scraping — not confirmed in the source.
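An added example, not taken from the thread, of the delegation-file lookup recommended above: it parses rows in the RIR "delegated-extended" statistics format and finds the record covering an address. The sample rows are constructed from documentation address ranges, and the function names are hypothetical.

```python
import bisect
import ipaddress

# Constructed sample in the RIR "delegated-extended" statistics format:
#   registry|cc|type|start|value|date|status|opaque-id
# For ipv4 rows "value" is an address count and need not be a power of two.
# Addresses are documentation ranges, not real delegations.
SAMPLE = """\
2|arin|20240101|4|19700101|20240101|+0000
arin|*|ipv4|*|4|summary
arin|US|ipv4|192.0.2.0|256|20100101|allocated|example-a
arin|US|ipv4|198.51.100.0|128|20120101|assigned|example-b
arin||ipv4|198.51.100.128|128||available|
apnic|SG|ipv4|203.0.113.0|768|20150101|allocated|example-c
"""

def parse_ipv4_delegations(text):
    """Return (first, last, record) tuples sorted by first address."""
    rows = []
    for line in text.splitlines():
        f = line.strip().split("|")
        # Skips comments, the version header, summary rows, asn/ipv6 rows.
        if len(f) < 7 or f[2] != "ipv4" or f[3] == "*":
            continue
        first = int(ipaddress.IPv4Address(f[3]))
        last = first + int(f[4]) - 1
        # cc is the registrant's country code, not where hosts are located.
        rows.append((first, last, {"registry": f[0], "cc": f[1],
                                   "start": f[3], "count": int(f[4]),
                                   "status": f[6]}))
    return sorted(rows, key=lambda r: r[0])

def lookup(rows, ip):
    """Return the delegation record covering ip, or None if not listed."""
    target = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right([r[0] for r in rows], target) - 1
    if i >= 0 and rows[i][1] >= target:
        return rows[i][2]
    return None

def record_cidrs(rec):
    """Express a record's start+count range as exact CIDR blocks."""
    first = ipaddress.IPv4Address(rec["start"])
    return [str(n) for n in
            ipaddress.summarize_address_range(first, first + rec["count"] - 1)]

if __name__ == "__main__":
    rows = parse_ipv4_delegations(SAMPLE)
    for ip in ("203.0.115.10", "198.51.100.200", "203.0.116.1"):
        rec = lookup(rows, ip)
        print(ip, rec, record_cidrs(rec) if rec else "no delegation listed")
```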
Quick glossary
- ASN: Autonomous System Number; an identifier assigned to a network operator that appears in routing tables and can indicate which organization controls a block of IP addresses.
- RIR whois: Regional Internet Registry whois records list allocations and administrative contacts for IP address blocks maintained by organizations such as ARIN, RIPE, APNIC, LACNIC and AFRINIC.
- Geo-IP: A method of mapping IP addresses to approximate physical locations; accuracy varies and can be affected by routing and data-source limitations.
- Reverse DNS (PTR): A DNS record that maps an IP address back to a hostname; its presence or absence can assist in identifying the operator of an IP.
Reader FAQ
Is this traffic necessarily malicious?
Not confirmed in the source.
Are hundreds of requests per day a serious problem?
A commenter in the thread said hundreds of daily requests are often manageable and sometimes trivial in cost or load.
How should I investigate one IP showing multiple locations?
The thread recommends looking up the IP's ASN and consulting RIR whois/delegation files rather than relying solely on Cloudflare's geographic labels.
Is the ownership of the example IP provided in the post?
Not confirmed in the source.
> hundreds of requests per day Does this matter? I can handle hundreds of requests per day with no issue on a home cable modem connection and my desktop pc…
Sources
- Ask HN: One IP, multiple unrealistic locations worldwide hitting my website
- Fraudulent Data Center Traffic [Effects + Prevention]
- One IP address, many users: detecting CGNAT to reduce …
- 50% traffic coming from a single IP on website