HACKER Q&A
📣 unknownaccount

IPv4 mass scans – do many Cloudflare customers pay pointlessly?


A few months ago I discovered a service called CrimeFlare, which is a security research tool that is used to uncover the "real" IP address of services hidden behind CloudFlare's CDN. The tool works by performing mass IP scans on the IPv4 range. As many of us techies are probably aware, there is only a limited number of IPv4 IPs in the world. A number small enough such that specialized software is capable of connecting to every IPv4 address in the world in a matter of hours (on a sufficiently powerful network). There are companies whose entire business model is based on performing mass internet scans, and they scan multiple times per day - it is nothing unusual.

This has the unintended consequence of inadvertently revealing the "real" IP of websites attempting to mask their IP behind CloudFlare. This is how the "CrimeFlare" service works under the hood. In order to prevent this, website operators are supposed to configure their servers' backends such that they only respond to CloudFlare's IPs. This works of course; however, I suspect that many of their customers are not aware of how CrimeFlare/mass IP scans work and fail to configure their servers correctly. Meaning, a large number of CloudFlare's customers pay for a service which can easily be defeated. Only CloudFlare customers who are tech savvy enough to understand how to configure their servers to only respond to CloudFlare IPs would be able to stop this.

CloudFlare supposedly has 4.1 million customers. I suspect that the number of CloudFlare customers whose backend servers are vulnerable (misconfigured to reply to non-CloudFlare IPs - and thus discoverable by CrimeFlare et al.) may be in the hundreds of thousands to millions. Meaning, hundreds of thousands of people could be paying for an easily defeated anti-DDoS measure. It feels wrong that CloudFlare is possibly making tens of millions of dollars off of vulnerable customers whom they fail to notify that their sites are vulnerable. I don't believe enough is being done by CloudFlare to warn their customers about the danger of mass IP scans possibly unmasking their services.


  👤 ADuckOnQuack Accepted Answer ✓
Cloudflare has guides on several different approaches for preventing access from non-Cloudflare IP addresses [1]; I'm pretty sure they also direct you to this information as part of the setup process for new domains. For paying customers who aren't technical they also offer "Cloudflare Tunnel", which is very simple to set up [2]. It would be nice if Cloudflare had automation to proactively check and reach out to paying customers who do have their servers exposed, though.

[1] https://support.cloudflare.com/hc/en-us/articles/200170166-B...
[2] https://www.cloudflare.com/products/tunnel/

👤 ThePhysicist
Back when I used Cloudflare I always restricted the ingress IPs to Cloudflare's IP space; they provide a list for exactly that purpose [1]. Just take that list and block every HTTP connection not coming from those ranges.

1: https://www.cloudflare.com/ips/
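The two answers above describe the same control: the origin only accepts HTTP from the CDN's published ranges, so a connection arriving directly from a mass scan gets a refusal instead of the site. The following is an added example (not Cloudflare's code and not from either poster) showing that allowlist as a small WSGI middleware. It uses the Python standard library's `ipaddress` module, and the CIDR ranges embedded below are constructed placeholders from RFC 5737/3849 documentation space, standing in for the real list that https://www.cloudflare.com/ips/ publishes and that an operator would load and refresh from there. The header name `CF-Connecting-IP` is the one Cloudflare sets; the helper only honours it once the TCP peer has been confirmed to be in the allowlist, since anyone connecting directly could otherwise forge it.

```python
"""Origin allowlist: accept HTTP only from the CDN's IP ranges.

Added example (not Cloudflare's code). Ranges below are CONSTRUCTED
documentation-space placeholders; in production load the current list
from https://www.cloudflare.com/ips-v4 and /ips-v6 and refresh it
periodically, and enforce the same allowlist in the host firewall too.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholders (RFC 5737 / RFC 3849), NOT Cloudflare's real ranges.
SAMPLE_CDN_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
]


def build_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings once at startup; invalid entries raise loudly."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_from_cdn(peer_ip: str, allowlist: List[Network]) -> bool:
    """True only if the TCP peer address falls inside one of the CDN ranges.
    Unparsable input is treated as 'not from the CDN' (fail closed)."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def client_ip_for_logging(peer_ip: str, headers: Dict[str, Optional[str]],
                          allowlist: List[Network]) -> str:
    """Trust CF-Connecting-IP only when the peer really is the CDN."""
    if is_from_cdn(peer_ip, allowlist):
        hdr = headers.get("CF-Connecting-IP")
        if hdr:
            try:
                return str(ipaddress.ip_address(hdr.strip()))
            except ValueError:
                pass  # forged/garbage header: fall back to the peer address
    return peer_ip


def decide(peer_ip: str, headers: Dict[str, Optional[str]],
           allowlist: List[Network]) -> Tuple[int, str]:
    """Return (HTTP status, client IP to log). 403 for direct connections."""
    if not is_from_cdn(peer_ip, allowlist):
        return 403, peer_ip
    return 200, client_ip_for_logging(peer_ip, headers, allowlist)


class CdnOnlyMiddleware:
    """WSGI wrapper: refuse any request whose peer is not in the allowlist,
    so a scanner hitting the bare IP never sees the site's content."""

    def __init__(self, app, allowlist: List[Network]):
        self.app = app
        self.allowlist = allowlist

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        headers = {"CF-Connecting-IP": environ.get("HTTP_CF_CONNECTING_IP")}
        status, client_ip = decide(peer, headers, self.allowlist)
        if status == 403:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to origin is not permitted\n"]
        environ["app.client_ip"] = client_ip  # real visitor, for access logs
        return self.app(environ, start_response)


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_CDN_RANGES)
    # Constructed sample peers: one via the CDN, one direct from a scanner.
    for peer, hdrs in [("203.0.113.5", {"CF-Connecting-IP": "192.0.2.44"}),
                       ("192.0.2.9", {"CF-Connecting-IP": "192.0.2.44"})]:
        print(peer, "->", decide(peer, hdrs, allow))
```

The same list should also be applied at the network layer (host firewall or cloud security group), because an application-level 403 still confirms that a web server is listening on that address; combined with the origin not serving the site's certificate or content to a bare-IP request, a mass scan learns nothing that links the IP to the domain.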


👤 unknownaccount
If someone has a list of 100 random websites which use CloudFlare, it would be interesting to know what % of them are vulnerable to unmasking via CrimeFlare. This could give us a general idea of the scale of this vulnerability, as well as a rough estimate of how much money their customers are paying for pointless protection. I suspect it may be a non-trivial sum of money, to the tune of multi-millions.

👤 amadeuspagel
Cloudflare DDoS protection is free.

👤 jsmith99
If it works by scanning IP addresses, then presumably this only works if the server will respond to requests that lack an SNI?