I occasionally find a way to bypass Cloudflare protection for a target web server.
I tend to report it to Cloudflare, but as I am using the free plan there's no easy way for me to contact their customer support.
Most people know that a CDN/WAF solution like Cloudflare protects the origin web server by resolving the domain's DNS to Cloudflare's proxy infrastructure, so the origin server's IP address is hidden behind Cloudflare. You can also create security policies and firewall rules on Cloudflare to mitigate many Internet threats.
The best practice is to let Cloudflare manage your domain's DNS and to configure your web server to accept web traffic only from Cloudflare infrastructure IPs, blocking everything else. In this architecture Cloudflare acts as a WAF in front of your origin server: granular access policies and security rules can be applied to your managed zone, all web traffic is supposed to hit Cloudflare first, and only filtered 'clean' requests flow to your server.
However, this ideal world rests on the assumption that you never exposed your origin server's real IP address. There are too many ways to leak it: outbound requests, DNS misconfiguration, and other non-proxied services. Some people will argue at this point: didn't we apply iptables/firewall rules on the origin server so that it accepts web traffic only from Cloudflare IPs? Even if the origin IP leaks, attackers still have no way to establish a connection; all those requests will be dropped by iptables.
So the trick I discovered to bypass those well-defined Cloudflare access rules works like this.
- First, you still need to obtain the target's origin server IP address.
- Second, register a new domain on Cloudflare and point its DNS A record to that target server IP address.
- Third, create a whitelist on your Cloudflare dashboard to allow all your attacking sources to reach this domain.
Now you can attack the domain you created instead of the target server's origin IP or the target web domain. All the victim web server sees is traffic volume coming from Cloudflare IPs, and the victim's Cloudflare WAF rules never stop it, because those rules are attached to the victim's zone while this traffic flows through a different one.
- Try your best not to expose your origin's real IP.
- Never take for granted the trust model of Cloudflare source-IP whitelisting.
- Look for options to implement something like Authenticated Origin Pulls.
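To make the trust-model point concrete, here is an added example (not code from the original post or from Cloudflare) that models an origin's admission decision under three policies: the source-IP allowlist alone, the allowlist plus a Host-header check, and the allowlist plus an Authenticated Origin Pull style client-certificate check. The proxy ranges, hostnames and certificate fingerprints are constructed placeholders (RFC 5737 documentation addresses, `www.victim.example`, `attacker-zone.example`), and `admit`, `evaluate` and the check functions are hypothetical names chosen for this illustration. The point it shows is that a request relayed through a second zone pointed at the same origin passes the IP check exactly like legitimate traffic, and only a check bound to the zone (served hostname, or better a client certificate that only your zone presents) tells the two apart.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the proxy's published egress ranges. The real list is
# published by Cloudflare and must be refreshed; 198.51.100.0/24 is an RFC 5737
# documentation range used here as a placeholder, not a Cloudflare address.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Hostnames this origin is actually configured to serve (constructed).
ALLOWED_HOSTS = {"www.victim.example"}

# Fingerprint of the client certificate that *this zone* presents on origin
# pulls (constructed placeholder). A real deployment pins the zone's own
# uploaded certificate, not one shared by every customer of the proxy, because
# a shared certificate would be presented by the attacker's zone as well.
EXPECTED_CLIENT_CERT_FPR = "sha256:zone-specific-placeholder"


@dataclass(frozen=True)
class OriginRequest:
    remote_addr: str                # TCP peer address as seen by the origin
    host: str                       # Host header forwarded by the proxy
    client_cert_fpr: Optional[str]  # TLS client-cert fingerprint, if presented


def from_proxy_ip(req: OriginRequest) -> bool:
    """The classic iptables-style check: is the peer inside the proxy's ranges?"""
    addr = ipaddress.ip_address(req.remote_addr)
    return any(addr in net for net in PROXY_RANGES)


def host_is_ours(req: OriginRequest) -> bool:
    """Reject requests the proxy forwarded for a hostname this origin never served."""
    return req.host.lower() in ALLOWED_HOSTS


def cert_is_ours(req: OriginRequest) -> bool:
    """Authenticated origin pull: the proxy must present the cert bound to our zone."""
    return req.client_cert_fpr == EXPECTED_CLIENT_CERT_FPR


# Each policy is an ordered tuple of checks; the first failing check is reported.
POLICIES = {
    "ip_only": (from_proxy_ip,),
    "ip_and_host": (from_proxy_ip, host_is_ours),
    "ip_and_mtls": (from_proxy_ip, cert_is_ours),
}


def admit(req: OriginRequest, policy: str) -> Tuple[bool, str]:
    """Return (accepted, name of the failing check or 'ok') for one request."""
    for check in POLICIES[policy]:
        if not check(req):
            return False, check.__name__
    return True, "ok"


# Constructed traffic: a legitimate pull through the victim's own zone, a direct
# hit on the leaked origin IP, and a pull relayed through an attacker-registered
# zone whose A record points at the same origin IP.
SAMPLE_TRAFFIC = {
    "legit_via_own_zone": OriginRequest(
        "198.51.100.10", "www.victim.example", EXPECTED_CLIENT_CERT_FPR),
    "direct_to_origin_ip": OriginRequest(
        "203.0.113.5", "www.victim.example", None),
    "via_attacker_zone": OriginRequest(
        "198.51.100.77", "attacker-zone.example", "sha256:shared-proxy-cert-placeholder"),
}


def evaluate(policy: str) -> dict:
    """Map each sample request name to its admission decision under one policy."""
    return {name: admit(req, policy) for name, req in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy)
        for name, (ok, why) in evaluate(policy).items():
            print(f"  {name:22s} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Running it shows `via_attacker_zone` accepted under `ip_only` (the bypass the post describes) and rejected under the other two policies. The Host check is cheap defence in depth but only inspects a header the proxy sets; the certificate check is the one that actually binds the connection to your zone. In nginx the equivalent of `cert_is_ours` is `ssl_verify_client on;` with `ssl_client_certificate` pointing at the CA that issued the certificate your zone presents on origin pulls.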