

Bypass Cloudflare protection using DMCA - yc1010

It seems there is a rather easy method of finding the IP address of any service behind Cloudflare: send them a DMCA notice and they will happily hand over the IP address to the "complainer", who can then proceed with their DDoS.

This has happened 3 times now to me. This time I was prepared: the IP Cloudflare handed over (and only Cloudflare could have known about) was a VPS re-routing HTTP traffic to my real server via haproxy.

Edit: Cloudflare did not forward the email to me, instead they sent it to OVH, the host of the haproxy VPS. The DMCA was a dud, for files uploaded by the attacker themselves!
======
jgrahamc
Can you reach out to me privately so that I can take a look at this?

~~~
yc1010
Sure, see support Request #248668. I have cancelled my Cloudflare Pro
subscription (used to have a business one) after about a year, it's not worth
it imho :(

No email was sent/forwarded to me as has happened once or twice before (and
was promptly acted upon), the files in question were fakes uploaded by
the prospective attacker themselves.

The only way the IP address could have been exposed is by Cloudflare.

Edit: I am not blaming Cloudflare, your service has been excellent and support
fast, just pointing out a potential exploit angle of the service. I have a
very clear DMCA policy which is automated and would have dealt with any
complaint in minutes, there was no need for the "complainer" to contact
Cloudflare or anyone else for that matter.

~~~
jgrahamc
I will follow up internally. Thanks.

