
Tyler Johnston-Kent

How I Tracked a Real-World Web Assailant Using Firebase + Cloudflare


For months, my site Formant.ca logged minor, non-destructive bot activity — low-level probes, most of them tracing back to Ireland-based automation clusters. No big spikes. Just quiet persistence.

But on August 7, 2025, everything changed.


🔍 The Reconnaissance Phase

At 7:25 AM (UTC-5), my geoEvents logging system picked up a hit to the root path / from Los Angeles, California. Unlike previous activity, this request had every sign of being human-directed:

  • Fingerprinted UA
  • Clean browser headers
  • Normal screen resolution
  • No erratic timing patterns

This was a probe.


🎯 The Attack Trigger

At 8:14:35 AM, a targeted request was made to /analytics6x4Z72xq1.html — a decoy analytics endpoint placed there for exactly this purpose.

By 8:15 AM, Cloudflare logs showed the attacker had bypassed CDN caching and hit the origin directly. That was their mistake.

They had triggered:

  • My custom firestoreMirror.js logger
  • IP + timestamp + UA + referrer capture
  • CDN bypass tagging
  • Geolocation tagging

And yes — I archived the full signature.
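
One way a decoy-path logger could capture these fields and tag a CDN bypass, as an added example that is not the `firestoreMirror.js` from this post. The request shape (`url`, `headers`, `peerAddress`), the placeholder edge range and the IPv4-only matching are assumptions; storing the record is left to the caller.

```javascript
// Added example, not the post's firestoreMirror.js. Request shape is hypothetical.
const DECOY_PATHS = new Set(['/analytics6x4Z72xq1.html']); // decoy path named in the post
// Placeholder edge range (RFC 5737 documentation block). Replace with the CDN's
// published ranges; matching here is IPv4-only, so IPv6 edge peers need extra code.
const EDGE_CIDRS = ['198.51.100.0/24'];

function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipInt = ipv4ToInt(ip), baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Returns an event record for a decoy hit, or null for any other path.
function buildDecoyEvent(req, now = new Date()) {
  const path = req.url.split('?')[0];
  if (!DECOY_PATHS.has(path)) return null;
  const h = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const peer = String(req.peerAddress || '');
  const fromEdge = EDGE_CIDRS.some(c => inCidr(peer, c));
  // Cloudflare headers are believed only when the TCP peer is an edge address;
  // a client connecting straight to the origin can send any header it likes.
  const viaCdn = fromEdge && Boolean(h['cf-ray']);
  return {
    ts: now.toISOString(),
    path,
    ip: viaCdn ? (h['cf-connecting-ip'] || peer) : peer,
    country: viaCdn ? (h['cf-ipcountry'] || null) : null, // geolocation tag
    userAgent: h['user-agent'] || null,
    referrer: h['referer'] || null,
    cdnBypass: !viaCdn,
    forgedCdnHeaders: !fromEdge && Boolean(h['cf-ray'] || h['cf-connecting-ip']),
  };
}

// Constructed sample: a direct-to-origin request carrying a forged CF-Ray header.
console.log(buildDecoyEvent({
  url: '/analytics6x4Z72xq1.html',
  peerAddress: '203.0.113.9',
  headers: { 'User-Agent': 'curl/8.5.0', 'CF-Ray': 'constructed-ray-id' },
}, new Date(0)));
```

The `forgedCdnHeaders` flag separates a plain origin hit from one that tries to look like edge traffic, which is worth alerting on separately.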


🧠 Stack Used

  • Firebase Firestore (custom mirrors for real-time bot tracking)
  • Cloudflare DNS + CDN logs
  • Decoy file endpoints (pseudo-legit but fake)
  • GeoIP + screen fingerprinting
  • Custom honeynet logging logic

🧱 What I Learned

  • CDN shielding isn't always enough
  • Botnets are the smoke — real attackers use them as fog
  • Firebase can be used for far more than just app data
  • When you build public systems that expose unethical behavior, you will get tested

🔗 Want to see the full breakdown?

🕵️‍♂️ formant.ca/#catching-hackers


🗨️ Let’s talk

If you’re building honeypots, threat traps, or privacy-first analytics with open tools like Firebase — drop your link below.

Let’s trade notes.



📁 Cloudflare Event Log (Snapshot)

Captured on August 7, 2025 at 13:14:25 UTC, the following event was logged by Cloudflare’s firewall:

Action: managed_challenge (threat detected and challenged)

Source: firewallManaged

Client ASN: CDN77

Country: United States (US)

IP Address: 2a02:6ea0:c803:3091::12

User Agent: curl/8.5.0

Request Path: /analytics6x4Z72xq1.html

Rule ID: 874a3e315c344b1281ad4f00046aab6f

This matches the decoy analytics file hit that triggered our honeypot logging and validated the origin bypass attempt. The full JSON is archived as part of our internal honeynet records.
