Cloudflare Anti-DDoS bypassed using Cloudflare
Cloudflare's Firewall and DDoS prevention can be bypassed through a specific attack process that leverages logic flaws in cross-tenant security controls.
To make matters worse, the only requirement for the attack is for the hackers to create a free Cloudflare account, which is used as part of the attack.
However, it should be noted that the attackers must know a targeted web server's IP address to abuse these flaws.
Certitude's researcher Stefan Proksch discovered that the source of the issue is Cloudflare's strategy to use shared infrastructure that accepts connections from all tenants.
Researchers Florian Schweitzer and Stefan Proksch, who discovered the logic flaws, reported them to Cloudflare via HackerOne on March 16, 2023, but the report was closed as "informative."
Comments
They are right to categorize it this way, nothing new. I have used this trick to scrape most of the internet.
Then it looks like a backdoor they are unwilling to fix
This has been known for years: https://qt.gy/post/2021-8-26-bypassing-cloudflare-using-cloudflare
Also they don't mention the only good way to secure your origin: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/
They won't fix it if it is not exploited widely. When this problem becomes real (impacts X amount of users), then it will be worth allocating dev time to solve it.
Everything runs on slime and buggers; the one and only thing that matters is profit. That's how business works.
So the victim's origin server would just emit its data as long as the request comes from CF servers with CF's client cert, without first checking the requested hostname?
I often see misconfigured web servers replying to https://IPaddress/ with the first website hosted on the server.
That's not CF's fault.
How did you get the website IP though?
Chad.
Multiple ways...
Mailservers, non-proxied subdomains, shared cert (flexible mode), DNS history, javascript leak, shodan.io, censys.io, dnsdumpster, etc.
https://github.com/zidansec/CloudPeler
"attackers must know a targeted web server's IP"
and we call this an anti-DDoS bypass?
However, if done correctly, a good owner will keep the site protected & change their IP if they leak by mistake and host their mail server separately to prevent IP leaks. Nevertheless, I understand that most sites out there don't do it correctly.
This attack has been known for at least 3 years.
It's easier to overload the website via Cloudflare using L7 methods than L4 on a DDoS-protected host, even if you know the webserver IP. Hence it's a valid security issue.
Mentally strong webmasters do not rely on Cloudflare to prevent DDoS.
We reveal our IP (ping yoursunny.com to see IP) and do not fear.
We (wo)man up and face the attackers, pistols water cannons at dawn.
We only use Cloudflare for technical reasons (e.g. Workers).
The whole point is you're not supposed to know the IP; they have a reverse proxy for a reason. If someone is careless enough to leak the IP, then that's not Cloudflare's problem.
Most WP installation scripts, as well as paid SaaS server tools, don't actually create a default server block, and so this is the result.
It's documented in Cloudflare developer docs - Authenticated Origin Pull https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/ and https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/. You can use their certs or for more security use your own for Authenticated Origin Pull.
But you'd want to use custom Authenticated Origin Pull certs, using your own custom CA cert and signed and uploaded client SSL certs at zone and custom hostname levels (quoted text links), instead of Cloudflare's default provided Authenticated Origin Pull cert.
You can see the Authenticated Origin Pull with custom hostname certs example I posted, using the Cloudflare API and creating my own custom CA certs and signed client certs with Cloudflare's cfssl tool, at https://github.com/centminmod/cfssl-ca-ssl
Jumping to the client SSL cert and Cloudflare API upload of custom certs: https://github.com/centminmod/cfssl-ca-ssl#client-ssl-certificate and its subsections.
If you're OK trusting Cloudflare-provided Authenticated Origin Pull certs instead of your own custom uploaded certs, you can obtain those via the Cloudflare domain zone dashboard or via the Cloudflare API. I posted an example also at https://github.com/centminmod/cfssl-ca-ssl#create-cloudflare-origin-ca-certificate
Ultimately if your real server IP is leaked, you'd still have problems. Cloudflare Tunnels might be better.
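As an added example (not code from the article, the commenter, or the cfssl-ca-ssl repo), here is an nginx origin fragment that applies the two mitigations the comments above describe: a default server block that rejects handshakes for unknown hostnames (so https://IPaddress/ does not serve the "first website"), and Authenticated Origin Pull verified against your own CA rather than the Cloudflare-provided cert. Hostname, file paths and log path are assumptions; the CA file is assumed to be the one whose signed client cert you uploaded to your zone via the Cloudflare API, as the comment describes.

```nginx
# Added example; hostname, paths and log name are assumptions.
http {
    # Log which client cert (if any) opened each connection, so an origin hit
    # that did not carry your own AOP cert is visible in the access log.
    log_format aop '$remote_addr [$time_local] verify=$ssl_client_verify '
                   'dn="$ssl_client_s_dn" host=$host "$request" $status';

    # Catch-all: any TLS handshake whose SNI does not match a configured
    # server_name (including a bare https://<origin-IP>/ probe) is refused
    # outright, so no site is served as the accidental default.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;   # nginx >= 1.19.4; needs no certificate
    }

    server {
        listen 443 ssl;
        server_name example.com;                  # assumed zone proxied via Cloudflare
        access_log /var/log/nginx/aop.log aop;    # assumed path

        ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;  # assumed path
        ssl_certificate_key /etc/nginx/tls/example.com.key;            # assumed path

        # Weak setting this replaces: ssl_verify_client off (the default), or
        # trusting only Cloudflare's shared origin-pull cert, which is what the
        # article's cross-tenant issue concerns.
        #
        # Hardened: only a client cert signed by the CA you control (the one
        # whose client cert you uploaded through the Cloudflare API) completes
        # the handshake; everything else gets a 400 before reaching the app.
        ssl_client_certificate /etc/nginx/tls/custom-aop-ca.pem;       # assumed path
        ssl_verify_client on;
        ssl_verify_depth 1;

        location / {
            proxy_pass http://127.0.0.1:8080;     # assumed backend
            proxy_set_header Host $host;
        }
    }
}
```

Keep the origin IP unpublished as well (see the leak vectors listed earlier in the thread); this config makes a leaked IP far less useful rather than harmless.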
So is it worth to keep websites proxied through Cloudflare or not?
Cloudflare is still decent anti-DDoS protection for free*
No, CF sucks.
Despite Cloudflare's size, they are unable to negotiate, or unwilling to get, peering from certain ISPs.
Which means that for everyone that uses that ISP, everything that is behind CF is going to suck and be slow.
Can you name a few? Haven't heard of such issues.
Haven't had such issues
It’s obviously a personal issue he’s having and therefore extremely important to everyone
Tl;dr: Yes, CF is worth it, if worth it equals spending 0 and getting a great DNS with WAF and a ton of features
You can google: cloudflare peering issues or cloudflare routing issues
There have been a few.
If there is such an issue and you report it, Cloudflare does fuck all.
So you mean something like this one? BGP anycast is really complicated, and I don't think it is reasonable to try harder than CF currently does.
No, I use cloudflare for a few things, however as of right now, without VPN, not really usable.
So I was right; you’re having connection issues
What percentage of people do you think have serious connection issues to CF-protected websites as of now?
Given the ISP's size, a few million.
That is just one ISP.
However, not everything might be congested at once.
You might be lucky in a certain location, or Cloudflare might reroute you into other countries, which is what they do right now.