Why do my server logs show Nexusguard's IP? Is Nexusguard attacking my website?

All traffic is routed through Nexusguard's network to go through our scrubbing centers for protection. When traffic is directed to Nexusguard, the servers logs will show Nexusguard's SNAT IPs because Nexusguard is acting as a proxy. Since the SNAT pool is a unique source of communication with your backend server, the traffic rate will be higher than normal. To avoid blocking on the backend by network-based firewalls or other protection software, we recommend adding our SNAT pool to your whitelist.

To view the original IPs that have visited your website, you should enable the "X-forwarded-For" function. For details, see "What is X-Forwarded-For function and how can I use it?" in the FAQs.

If you are not a Nexusguard customer, inform us immediately. Nexusguard never conducts DDoS Penetration tests without prior consent. It is likely the logs are a result of a TCP three-way-handshake authentication whereby our servers have responded to a SYN ACK packet sent by attackers that spoofed your IP address. A flood of these packets would amount to a condition called the “Backscatter” effect. Nexusguard takes proactive steps to prevent this side-effect from being abused by cyber criminals.

Have more questions? Submit a request