How Not To Use CloudFlare
For those that don’t know what CloudFlare is, please review their home page. The basic idea behind CloudFlare is a reverse proxy that allows CloudFlare to protect websites from Denial of Service attacks, cross-site scripting, and a variety of other attacks.
The important thing you have to realize, though, is that any information about a site's true host can still result in the compromise of a website. A common set of subdomains that can give away a real host's IP address are:
While it is true that subdomains may not be hosted on the actual server the hidden site is on, it generally gives you a good idea of where to look. Servers are usually in the same C block if they are from the same hosting provider.
Let's look at a random example. How about… lizardpatrol.org? Looking at the nslookup, we can see that it is protected by CloudFlare.
So, let us look at subdomains to see if they are protected. I always start with the list above. After trying them all, the only one that returns is irc.lizardpatrol.com.
So… what does 18.104.22.168 point at? dk.0x1337b33f.com, which, even though it is a subdomain, is hosted from the parent domain of 0x1337b33f.com.
Next step: find out if lizardpatrol.com is actually hosted by the same server as 0x1337b33f.com. To do that, we execute the following raw HTTP GET request:
And what to our wandering eyes does appear?
So, as you can see… the server is hosting lizardpatrol.com. A simple direct query of a server will tell you every time if the site is hosted there.
While I do think that CloudFlare is a great tool to have, never assume it makes your site invulnerable. All it takes is some research into the site to figure out where it really resides. Once you know where the site sits, you can circumvent all the protection of CloudFlare and hit the site directly.
Remember to ALWAYS remove any non-protected subdomains from the NS records. If you need to connect to your server, you should be connecting to it by IP instead of by URL. That way your websites can stay secured and you will not leak information.
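One way to check your own zone for the leak described above, as an added example that is not code from the original post: it walks an exported list of A records and flags every hostname that resolves outside the proxy's address ranges, noting when the address is the origin itself or sits in the same /24 as it. The hostnames, addresses, `ORIGIN_IP` and function names are constructed for illustration, and `PROXY_RANGES` is only a partial sample of Cloudflare's published IPv4 ranges.

```python
import ipaddress

# Assumption: partial sample of Cloudflare's published IPv4 ranges.
# Refresh from the provider's current list before relying on the result.
PROXY_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")
]

# Constructed zone export (hostname -> A record), using documentation ranges.
ZONE = {
    "example.com": "104.16.10.5",
    "www.example.com": "104.16.10.5",
    "direct.example.com": "203.0.113.25",
    "irc.example.com": "203.0.113.40",
    "mail.example.com": "203.0.113.77",
    "status.example.com": "198.51.100.9",
}
ORIGIN_IP = "203.0.113.25"  # constructed: the address the proxy forwards to


def is_proxied(ip):
    """True when the address belongs to one of the proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def audit_zone(zone, origin_ip):
    """Return (host, ip, finding) for every record that bypasses the proxy."""
    origin = ipaddress.ip_address(origin_ip)
    origin_block = ipaddress.ip_network(f"{origin_ip}/24", strict=False)
    findings = []
    for host, ip in sorted(zone.items()):
        if is_proxied(ip):
            continue
        addr = ipaddress.ip_address(ip)
        if addr == origin:
            finding = "origin-exposed"       # record hands out the origin itself
        elif addr in origin_block:
            finding = "same-/24-as-origin"   # neighbour that narrows the search
        else:
            finding = "unproxied"            # separate host, still not behind the proxy
        findings.append((host, ip, finding))
    return findings


if __name__ == "__main__":
    for host, ip, finding in audit_zone(ZONE, ORIGIN_IP):
        print(f"{finding:20} {host:22} {ip}")
```

Records reported as `origin-exposed` or `same-/24-as-origin` are the ones to remove or move behind the proxy first.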