One possible issue is that the Cflow is deployed such that it is "open" to the internet. That is, anyone on the internet can configure their browser to explicitly proxy through the "open" proxy. You can detect whether this is the case by using telnet, from the internet, to connect to port 80 or port 8080 on the Cflow in question:
telnet <ip address of cflow> 80
telnet <ip address of cflow> 8080
If telnet can connect to the Cflow on either of these ports, the proxy is open to the internet. This means anyone on the internet can connect to the proxy and consume its resources.
To prevent this from happening, there are two possible solutions:
1. Policy can be written to deny access from source addresses that are not in the client subnets.
2. The router/load balancer sending traffic to the proxy can be configured to only send traffic that originates from the client subnets.
Solution 2 is the preferred solution, since it consumes fewer resources on the Cflow.
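The telnet check described above can be scripted so it is repeatable, for example to confirm the result after applying either solution. This is an added example, not part of the original article; the function names and the state labels `open`, `refused` and `unreachable` are assumptions of this example, and it must be run from a host on the internet side, outside the client subnets.

```python
import socket
import sys

PROXY_PORTS = (80, 8080)  # the two ports the article tests with telnet


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection, as telnet would, and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: the port is reachable
    except ConnectionRefusedError:
        return "refused"           # host answered with a reset: nothing listening
    except OSError:
        return "unreachable"       # timeout, no route, or dropped by a filter


def check_cflow(host, ports=PROXY_PORTS, timeout=3.0):
    """Probe every proxy port and report whether any accepts connections."""
    states = {port: probe(host, port, timeout) for port in ports}
    exposed = sorted(p for p, state in states.items() if state == "open")
    return {
        "host": host,
        "ports": states,
        "exposed_ports": exposed,
        # Per the article: a successful connect on either port means "open".
        "open_to_internet": bool(exposed),
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_cflow.py <ip address of cflow>")
    report = check_cflow(sys.argv[1])
    for port, state in report["ports"].items():
        print(f"{report['host']}:{port} {state}")
    # A non-zero exit status lets a scheduled job alert on an exposed proxy.
    sys.exit(1 if report["open_to_internet"] else 0)
```

A result of `unreachable` on both ports is what solution 2 should produce when the router or load balancer drops traffic from outside the client subnets before it reaches the Cflow.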