Using CloudFlare and still leaking real IP address?

Recently I ran across an interesting challenge. Some friends had problems with their service. Providing a brand new service and having someone on the other side executing a DDoS against it is not a very promising beginning for a startup. Therefore, I decided to tackle this challenge, and in the end it was not very hard to find the leakage.

CloudFlare provides services to protect and accelerate web sites. Using their services also protects against DoS and DDoS attacks. I know a large number of clients that are using these services. By using this service, the real IP address of the website is hidden, so there is a better chance of surviving a DDoS attack. Just by googling you can find some sites that can reveal the real IP address, such as http://www.crimeflare.com/cfs.html.

Going back to the challenge, I checked different pages and googled even more. I found a page where CloudFlare suggests what to do in such cases. This page can be found at this address: https://support.cloudflare.com/hc/en-us/articles/200170196-I-am-under-DDoS-attack-what-do-I-do-.

After registering at the attacked page, I tried to see if there was some leakage in their web page, but there was nothing to find. After looking a little bit more, I went another way. Since the webpage was sending out emails when registering or making other changes, I noticed that there was an IP address that belonged to a hosting provider. This IP address was found in the email headers of the sent emails. I verified with my friends, and after just a couple of minutes they confirmed that this was the real IP address that was under attack. They had been checking a lot of things, but they didn't expect that the leakage would be coming from email headers.

So what can we learn from such an issue? We need to check all kinds of sources that can reveal the real IP address behind CloudFlare services. The webpage is just one of the things we need to check, and next time be sure to also check email headers.

After they changed the IP address and fixed the IP leakage from email headers, the DDoS attack stopped and the website is no longer under attack.
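A site owner can run the same header check on their own outgoing mail before an attacker does. The script below is an added example, not something from the original investigation: it parses a message the application sent and reports every header that exposes the origin server's address. The sample message, host names and the 203.0.113.10 origin address are constructed placeholders.

```python
import email
import ipaddress
import re

# Constructed sample: a registration e-mail as the recipient sees it.
# 203.0.113.10 stands in for the origin web server behind the proxy.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby mail.recipient.example with ESMTPS id abc123;
\tThu, 3 Dec 2015 10:00:02 +0000
Received: from web01.example.com (web01.example.com [203.0.113.10])
\tby mx.example.net with ESMTP id def456;
\tThu, 3 Dec 2015 10:00:01 +0000
X-Originating-IP: 203.0.113.10
From: noreply@example.com
To: user@recipient.example
Subject: Welcome

Thanks for registering.
"""

# Dotted-quad candidates; ipaddress validates them afterwards.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def leaked_origin_headers(raw_message, origin_ips):
    """Return (header name, ip) pairs for headers exposing an origin IP."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    msg = email.message_from_string(raw_message)
    hits = []
    # Every header is scanned, since Received lines and custom X- headers
    # can both carry the sending host's address.
    for name, value in msg.items():
        for candidate in IPV4.findall(str(value)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched the pattern but is invalid
            if addr in origins:
                hits.append((name, candidate))
    return hits


if __name__ == "__main__":
    for header, ip in leaked_origin_headers(SAMPLE, ["203.0.113.10"]):
        print(f"origin {ip} exposed in header: {header}")
```

An empty result for mail sent after the fix confirms that the relay path no longer stamps the origin address into the headers.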

Here are some interesting links I found during my Google searching:

http://smartguysays.com/find-out-real-ip-behind-clouflare/

http://geekflare.com/find-real-ip-address-of-website-powered-by-cloudflare/

http://tipstrickshack.blogspot.si/2012/11/how-to-find-real-ip-protected-by-cloud.html

 

Posted by milan on 3.12.2015