DDoS Protection
ghbdtnvbh, 2021-12-04 13:29:37

How did you determine the IP of the server hidden behind Cloudflare?

There is a server that was hit by a DDoS attack. It was hidden behind Cloudflare. For a couple of days, the Under Attack protection helped; also, using the logs, I looked at which URI path they were hitting and blocked it in the cloud. Today I saw that the DDoS goes directly to the IP. How could it have leaked during the DDoS if everything is hidden behind the cloud?

Is the only option now to change the IP of the server?
Will it help if I also hide the IP behind a proxy server? In this case, if it leaks again, the leak will be the proxy server, which I can change faster than the IP of the server where the script is.


4 answer(s)
Nadim Zakirov, 2021-12-04
@zkrvndm

The fact is that your domain, which you previously added to Cloudflare, has a history of NS server changes, and this history is quite publicly available. It is from this history that you can determine the hoster, and through it the IP address of the site: not always, but in most cases.
Only a new hosting and domain will help, and you need to add them to Cloudflare through a third host.

Alexander Karabanov, 2021-12-04
@karabanov

The "A" record in DNS pointed to the real IP of the server before the server was hidden behind CloudFlare, and this information can be found (the Internet remembers everything). So we knew.
You can change the IP. You can use a firewall to prohibit everyone except CloudFlare from connecting to the server (actually, this should be done in any case; otherwise, what's the point?). But it's better to do both.

SKEPTIC, 2021-12-04
@pro100chel

Change the site server's IP. It is best to change the data center or even the country.
Completely block access to the server on ports 80/443 from all IPs except Cloudflare's.
If you didn't change the IP after hiding behind Cloudflare, then they stupidly calculated the IP from the history of the site's IP addresses and sent an attack there.
If you changed the IP but stayed with the same host, then they stupidly went through all the host's IPs with the Host header of your domain and found your IP. The same thing can be done with the data center and the whole country. Let me remind you that there are only about 4 billion IPv4 addresses in the world. It won't be hard to sort through all of them. It is all the more clear that in the same Africa or in some Guatemala you are unlikely to be hosted. In this situation, and taking into account the fact that one simple server can easily sort through a couple of hundred or even thousands of IPs per second, we can conclude that the enumeration will not take much time.
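Added example, not part of any answer on this page: one way to build the "only the proxy may reach ports 80/443" firewall that the answers above recommend, and to spot direct-to-origin hits in a log. It assumes nftables; the table and set names are hypothetical, and the ranges are constructed documentation addresses standing in for the list Cloudflare publishes.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 / RFC 3849 documentation space), NOT real
# Cloudflare ranges. In production, load the list the proxy provider publishes.
SAMPLE_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"]

def parse_ranges(lines):
    """Validate CIDRs and split them by family; refuse input that voids the allowlist."""
    v4, v6 = [], []
    for raw in lines:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        net = ipaddress.ip_network(text, strict=True)  # ValueError on malformed input
        if net.prefixlen == 0:
            raise ValueError(f"{net} would allow everyone and defeat the allowlist")
        (v4 if net.version == 4 else v6).append(net)
    if not v4 and not v6:
        raise ValueError("empty allowlist would drop all web traffic")
    return v4, v6

def render_nftables(v4, v6, ports=(80, 443)):
    """Render an nftables table that accepts web ports only from the allowlist."""
    dport = "{ " + ", ".join(str(p) for p in ports) + " }"
    out = ["table inet origin_lock {"]  # hypothetical table name
    for name, typ, nets in (("proxy4", "ipv4_addr", v4), ("proxy6", "ipv6_addr", v6)):
        if nets:
            elems = ", ".join(str(n) for n in nets)
            out += [f"  set {name} {{", f"    type {typ}", "    flags interval",
                    f"    elements = {{ {elems} }}", "  }"]
    out += ["  chain input {", "    type filter hook input priority 0; policy accept;"]
    if v4:
        out.append(f"    tcp dport {dport} ip saddr @proxy4 accept")
    if v6:
        out.append(f"    tcp dport {dport} ip6 saddr @proxy6 accept")
    out += [f"    tcp dport {dport} drop", "  }", "}"]
    return "\n".join(out)

def direct_hits(source_ips, v4, v6):
    """Return log source IPs that did not arrive through the proxy ranges."""
    nets = v4 + v6
    return [ip for ip in source_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]
```

Any address returned by `direct_hits` on pre-lockdown logs means the origin IP is already known to someone outside the proxy, which is the situation the question describes.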

Alexander, 2021-12-04
@Adler_lug

There is no way to determine it legally and guaranteed, but in principle it is possible with some probability. For example, the domain was once not behind Cloudflare but attached directly to the IP, or there are some other old associations between the domain and the "original" IP. You can google several such services, which with some degree of probability can find the old IP of the domain.
