HACKER Q&A
📣 5ESS

What gives Cloudflare the right to takedown apps revealing site real IP?


I stumbled across an interesting app called “CrimeFlare” and what it does is reveal the real IP website’s using Cloudflare’s Ddos Mitigation Service.

CloudFlare had it taken down. https://github.com/zidansec/CrimeFlare

I’m assuming it does this by scanning the public internet in it’s entirely, indexing the domains. (A household fiber connection can scan the entire IPv4 space in a mere matter of weeks)

This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.

I just fail to understand what grounds they have to take something like this down. Internet IPs are public knowledge and these websites are publicly accessible. Just because Cloudflare built a billion dollar buisness exploiting the fact that sites “real” IPs can be hidden through obscurity, doesn’t mean they should be able to censor/takedown apps that expose the flaw in their business plan!

Anyways, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security and all, and that CloudFlare doesn’t have the right to take something like this down!

  👤 jgrahamc Accepted Answer ✓
> CloudFlare had it taken down.

I'm not sure where the idea that we took this down came from, but I checked with legal and we didn't. Such tools, services, etc. have existed forever. Just one reason why we encourage people to protect their public IP (https://developers.cloudflare.com/fundamentals/get-started/s...) and have Cloudflare Tunnel (https://developers.cloudflare.com/cloudflare-one/connections...).

👤 CodesInChaos
> This is obviously a huge threat to CloudFlare’s entire business model

I disagree. There are plenty of ways to hide your origin server, for example:

1. IPv6 only, since there are too many addresses to scan

2. Accepting connections only from cloudflare IPs (probably not enough on its own, since features like workers might allow an attacker to trigger requests from a cloudflare server)

3. Mutual TLS authentication

4. Authentication headers (since mTLS might be difficult to integrate in your application)

5. Responding only if the right host is requested, which could even be different from the public domain (not enough on its own, but prevents untargeted scans)

6. Using tunnels (as frizlab pointed out)

I think cloudflare already supports all of these out of the box. They just need to push their customers to apply such mitigations via documentation, displaying warnings if the origin server can be accessed directly, etc. So I consider this an inconvenience for cloudflare, but not a huge threat.

👤 Nathanba
Why on earth would you try to help DDOS'ers? I think you should really take a step back here and reevaluate what drives you here and what impact you have on other people.
👤 kube-system
Technically speaking, GitHub took the repo down. This is an important distinction, because voluntary takedowns and legally compelled takedowns are two entirely different things, and it’s not necessarily correct to assume the latter.
👤 eli
> This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.

Protecting origin servers is hard. Nothing unique to CloudFlare about that. If you follow their set up documentation then this tool can't harm you: https://developers.cloudflare.com/fundamentals/get-started/t...

👤 mmcgaha
If folks are really concerned about getting exposed they can firewall off everyone except cloudflare.

https://www.cloudflare.com/ips/

👤 jasode
>, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security and all,

I'm not familiar with CrimeFlare and its technical details but a cursory google search shows that security-through-obscurity is possible with Cloudflare if one follows the correct sequence of steps to hide the ip. Otherwise, a careless setup such as public MX mail record will inadvertently "leak" the ip. E.g. Stackoverflow Q&A: https://stackoverflow.com/questions/58591448/how-does-crimef...

>, I intend to create a new internet-wide scanning system

But the host systems at the receiving end of your scanning tool still have to respond to your tool pinging them with network requests and if your ip origin isn't Cloudflare, the host server doesn't have to reply with useful information. Or did you have another mass scanning technique we're overlooking?

👤 stairlane
Scanning the internet and indexing domains? Isn't that EXACTLY what binary edge and shodan do???
👤 nickdothutton
If you are going to use someone else to front your service, take care to make sure that that (1) it cant even be accessed except via that front, and (2) that you dont leak your origin IP address or network, even if traffic to that origin is dropped from sources other than the service fronting it.
👤 true_religion
How can you index domains by scanning the public internet? Wouldn’t trying to match domain names with IP addresses get you blocked by the server after too many failures? Or at least it would be too many attempts to make that it would take more than weeks?
👤 cft
>by scanning the public internet in it’s entirely, indexing the domains

Can you explain this?

👤 formerkrogemp
The name might be infringement or the code might abuse their API. Or, GitHub could decide it's not worth it. Why would you try to scan every IP address?
👤 spacemanmatt
https://github.com/zidansec/CrimeFlare-1
👤 ushakov
as far as i remember when the backend times out, CloudFlare shows a screen where you can see the actual IP of the server
👤 Teletio
Do you even know under which rule it gotten taken down?
👤 rubyist5eva
Just another reason to add to the pile of why I hate that company.
👤 jokethrowaway
They probably reported it as malware and M$ team didn't check what it was