They absolutely should have outlined a traffic limit for the $250 a month plan. That’s on Cloudflare for allowing it.

That said, if you make wildly excessive use of that loophole it probably shouldn’t surprise you if they do something like this. They called it “trust and safety” because it allows them to do anything they want under the guide of security.

Really, they didn’t define their service clearly and wanted to fire them as a customer unless they paid up for what they felt they were owed.

Realistically, this is why you pay for Akamai. You don’t get these shenanigans.

How the fuck were they still on a $250 dollar a month plan when they pumped through $2000 a month worth of traffic? That’s shady on the companiy’s part and Cloudflare shouldn’t have allowed it to happen in the first place.

Each party played their part here and did shitty things. Sounds like the tech equivalent of a crackhead arguing about selling stuff to the pawn shop employee.

If I had to guess after managing enterprise WAF across hundreds of domains…

It’s either a crowler or vulnerability scanner, and may be scanning by IP address. I don’t think you configured anything wrong.

You may want to add some form of captcha or user agent based filter to get rid of it. Good news is that it’s not necessarily something to worry about.

I’d avoid IP based blocking. It’s only temporarily effective.