
CloudFlair: Bypassing CloudFlare using Internet-wide scan data
https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/
======
jgrahamc
See also Cloudflare Warp [https://blog.cloudflare.com/introducing-cloudflare-warp/](https://blog.cloudflare.com/introducing-cloudflare-warp/) which enables
you to hide completely and connect to Cloudflare and also the use of this to
expose k8s to Cloudflare natively: [https://blog.cloudflare.com/cloudflare-ingress-controller/](https://blog.cloudflare.com/cloudflare-ingress-controller/)

~~~
slig
Is there a way to get bumped up on the beta queue? Thanks!

~~~
jgrahamc
Email jgc @Cloudflare

~~~
msumpter
Are you looking to make this feature available to only the paid tier or also
to the free tier? Wasn't certain based on the blog posting, but most of the
time you'll say if a feature is enterprise only, etc.

Currently on the free tier for my personal projects and would love to play
with this on my personal k8s cluster.

~~~
mrkurt
It's gross to advertise your own company, but the weather's bad soooo ...

We have an open source tool called wormhole that works similarly. You can run
it yourself, or use it on fly.io (including the free tier):
[https://github.com/superfly/wormhole](https://github.com/superfly/wormhole)

~~~
deforciant
Another option is webrelay ingress controller for k8s, also tunnel based :)
[https://webhookrelay.com/v1/examples/relay-ingress.html](https://webhookrelay.com/v1/examples/relay-ingress.html)

------
gtirloni
Slightly off-topic:

 _> A few minutes before publishing this article, someone brought to my
attention that a similar piece had been written a few months ago_

This can be demotivating. I've been trying to remember that I should write for
myself, to collect my thoughts and not to satisfy the interwebs.

~~~
harlanji
Getting back to it myself. Ultimately my past successful works have never
been intended to be. And I enjoy them still, upon rediscovery. So not much to
lose except the feeling of being redundant. It's good to stay current but also
habitually create with minimal inhibition.

------
hughesey
You can also potentially view the historical DNS A records for the domain to
view the pre-Cloudflare IP at
[http://viewdns.info/iphistory/](http://viewdns.info/iphistory/).

~~~
tyingq
If you're determined, though, you just null route, or block, etc, everything
other than Cloudflare inbound.

~~~
pheldagryph
For many, many DDoS scenarios this does not work. The spurious packets may
saturate an upstream ISP, causing that ISP to unilaterally apply a null route
or block for all packets for the targeted origin IP. No CloudFlare packets
would arrive at all.

If one is concerned about DDoS, one should work with their ISPs on the plan of
action for various scenarios. Finding out their procedures when one's hair is
on fire is not fun.

~~~
topranks
Well you're behind CloudFlare.

Just change your IP address, and tell CloudFlare the new one.

Sure the DDOSers could find your new IP, but it's not like changing your
public DNS, it would be difficult for them to find it.

I don't think your SSL certs would show the new IP on the website in the
blogpost very quickly if you changed IP.

~~~
pheldagryph
It's not so much about changing the IP address, but moving the targeted system
out from behind the clogged tube. Changing IP address may or may not do that.

------
mxpxrocks10
Great post. Also, Cloudflare Warp looks like it will be cool.

(disclaimer: I work on DNSTrails) Another way to find the origin is to use
trails left by DNS using a tool like
[https://www.DNSTrails.com](https://www.DNSTrails.com).

You can see a sample with a site that moved to Cloudflare like this:
[https://dnstrails.com/domain/haveibeenpwned.com](https://dnstrails.com/domain/haveibeenpwned.com)

~~~
xxdesmus
when the origin is properly secured (which we encourage all customers to do)
even passive DNS won't help:
[https://dnstrails.com/domain/canhazip.com](https://dnstrails.com/domain/canhazip.com)

~~~
mxpxrocks10
nice!

------
dx034
Allowing only Cloudflare IPs for ports 80/443 (e.g. in nginx) is easy and the
server can still be used for other purposes without Cloudflare. Other services
can use different domains; it would be hard to find out the server IP this way.

~~~
blibble
it's far from an ideal solution given they keep changing the lists

I only seem to find out when people complain that the site is down from
certain parts of the world

~~~
jgrahamc
_keep changing the lists_

We don't change the IPs often and we always update the list well before they
are ever used (typically months before). The last update was two years ago.
I'm sorry if you had a problem.

[https://www.changedetection.com/log/cloudflare/ips-v4_log.ht...](https://www.changedetection.com/log/cloudflare/ips-v4_log.html)

EDIT: I was rude in the previous version of this comment. Sorry for being a
jerk. And thanks to dang for letting me edit.

~~~
AgentME
I remember being affected by this too a few years ago. It's not something I
thought to check and update often. I was disappointed that I was never emailed
or otherwise notified by the change.

------
lossolo
This technique has been in use for years: just get the IP classes from the CF
website, set them in your iptables for ports 80/443 (plus any other IPs: yours,
your organization's, etc.) and drop the rest.

Another way to get IPs is reading e-mail headers (register account on target
website to get e-mail etc), so many sites behind CloudFlare expose their
webservers IPs there.

~~~
kainosnoema
Unfortunately, iptables can't protect against all forms of DDOS attacks. Even
just getting flooded by packets being routed to a particular IP can cause a
datacenter's network to be affected. Something like CloudFlare Warp is the
only way to truly prevent packets from being routed to your servers in the
first place (I don't work for CloudFlare).

~~~
toast0
If it's not known where your servers are (because you got new IPs in a new
hosting facility and never allowed them to communicate with the outside world
directly), it's true that a packet flood would affect you, but you would be
awfully hard to target.

------
captncraig
Just changing IPs is not enough if the new allocation is publicly linked to
your company. It may help to get IP space through a third party or shell
company to anonymize it a little more, and make sure it is never publicly
identifiable as yours, either in paperwork or through scans.

------
trengrj
It would be good if AWS et al had an easy way to manage third party IP ranges
for security groups. When I was deploying a site we came across this issue and
so whitelisted Cloudflare's IP ranges, but it made me uneasy because what
happens if a new IP address is added? How do we manage this list and what sort
of notice is provided?

~~~
mxpxrocks10
Cloudflare has text files here
[https://www.cloudflare.com/ips/](https://www.cloudflare.com/ips/) - would be
cool if there was some standard protocol for this.
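What trengrj asks for, using the text files mxpxrocks10 points at, as an added example (my code, not the thread's, Cloudflare's or AWS's): diff a stored copy of a range list against a fresh fetch, alert on a changed fingerprint, and turn the delta into an explicit authorize/revoke change set. It refuses to act on a body that does not parse as CIDRs (an HTML error page, an empty response), so a bad fetch can never wipe the allowlist, which is the failure blibble and AgentME ran into from the other direction. The fetch itself is left to the caller so the block runs offline; the two lists below are constructed samples, and the `IpPermissions` shape is the one the EC2 `authorize_security_group_ingress` / `revoke_security_group_ingress` calls accept, assumed from the boto3 documentation.

```python
"""Added example, not code from the thread, Cloudflare or AWS: change
detection for a published IP-range list and a security-group change set."""
import hashlib
import ipaddress
from typing import Dict, List


def parse_range_list(text: str) -> list:
    """One CIDR per line. Any non-CIDR line, or an empty list, is fatal:
    an error page or empty body must never be applied as 'no ranges'."""
    nets = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {line_no}: not a CIDR: {line!r}") from exc
    if not nets:
        raise ValueError("empty range list; refusing to apply")
    return nets


def is_valid_range_list(text: str) -> bool:
    try:
        parse_range_list(text)
        return True
    except ValueError:
        return False


def fingerprint(text: str) -> str:
    """Order-independent digest; persist it and page someone when it moves."""
    canon = "\n".join(sorted(str(n) for n in parse_range_list(text)))
    return hashlib.sha256(canon.encode()).hexdigest()


def plan_changes(current: str, fetched: str) -> Dict[str, List[str]]:
    """Ranges to add and ranges to drop between the stored and fetched lists."""
    old = set(parse_range_list(current))
    new = set(parse_range_list(fetched))
    return {
        "authorize": sorted(str(n) for n in new - old),
        "revoke": sorted(str(n) for n in old - new),
    }


def ip_permissions(cidrs: List[str], ports=(80, 443)) -> List[dict]:
    """IpPermissions entries for EC2 authorize/revoke_security_group_ingress
    (assumed shape, per the boto3 docs); one entry per port so a revoke
    matches exactly what was authorized."""
    if not cidrs:
        return []
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": c} for c in cidrs]}
        for p in ports
    ]


# Constructed sample: the list the security group was built from, and a later
# fetch in which one /12 has been split into a /13 and a /14.
CURRENT_LIST = """\
103.21.244.0/22
103.22.200.0/22
104.16.0.0/12
"""
FETCHED_LIST = """\
103.21.244.0/22
103.22.200.0/22
104.16.0.0/13
104.24.0.0/14
"""

if __name__ == "__main__":
    if fingerprint(CURRENT_LIST) != fingerprint(FETCHED_LIST):
        delta = plan_changes(CURRENT_LIST, FETCHED_LIST)
        # Apply authorizations before revocations so there is never a window
        # in which a live Cloudflare edge is locked out of the origin.
        print("authorize:", ip_permissions(delta["authorize"]))
        print("revoke:   ", ip_permissions(delta["revoke"]))
```

Run it from cron with the stored list and the freshly fetched body; the fingerprint comparison is the notification blibble and AgentME were missing, and the parse failure is what stops a 5xx from the list URL being applied as "no ranges allowed".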

~~~
krallja
DNS AXFR query would be suitable, I think.
[https://en.wikipedia.org/wiki/DNS_zone_transfer](https://en.wikipedia.org/wiki/DNS_zone_transfer)

------
nimbius
the JS DDOS portal, while amicable in intention, exists in a privileged place
among hosting service providers. Dreamhost found out all too well how easy it
was to be targeted in dragnet federal litigation designed to violate the
privacy of internet users. Cloudflare's JS is innocuous only in that it --to
public knowledge-- is not being used to unmask anonymous proxy users or
silently track specific site visitors in a dragnet fashion.

I'm not too encumbered by JS encapsulation at the moment, but a warrant canary
might put my mind at ease assuming the internet still does those
[https://en.wikipedia.org/wiki/Warrant_canary](https://en.wikipedia.org/wiki/Warrant_canary)

~~~
avidal
Cloudflare has a transparency report[0], updated twice a year.

In the transparency report there's a warrant canary:

    Some things we have never done
    Cloudflare has never turned over our SSL keys or our customers' SSL keys to anyone.
    Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
    Cloudflare has never terminated a customer or taken down content due to political pressure.
    Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.

[0]
[https://www.cloudflare.com/transparency/](https://www.cloudflare.com/transparency/)

~~~
Justin_K
Where do you draw the line between political pressure and the management's
political beliefs?

~~~
koolba
That latest report says it covers the first half of 2017 so we'll have to wait
to see whether they consider the actions from the second half of the year to
change the fourth item on that list.

~~~
crunchatized
Is it concerning yet that they haven't put up their semi annual warrant
canary, actually? The last two times, they had it updated by January 14th [0]
and July 8th.[1]

[0]
[https://web.archive.org/web/20170114100401/https://www.cloud...](https://web.archive.org/web/20170114100401/https://www.cloudflare.com/transparency/)

[1]
[https://web.archive.org/web/20170708164222/https://www.cloud...](https://web.archive.org/web/20170708164222/https://www.cloudflare.com/transparency/)

------
darkhorn
I think the writer is not aware of mod_cloudflare
[https://www.cloudflare.com/technical-resources/](https://www.cloudflare.com/technical-resources/)

------
Donzo
Another thing that you can do is use Apache virtual hosts and send all traffic
that connects to the IP to an empty page.

------
captncraig
Is warp just "railgun" rebranded? That worked well for my company, when it
worked.

~~~
jgrahamc
No, it's a totally new code base and different model.

------
ManishKrishna
Funny.. next time please finish the article in two or three sentences.

------
j_s
[https://news.ycombinator.com/item?id=13719366](https://news.ycombinator.com/item?id=13719366)

