This was an interesting Cloudflare "feature" I found out about the hard way. Even if you only use Cloudflare for DNS hosting, they will happily accept proxied requests for your hostnames and route them to your origin. I discovered this when we received an L7 DDoS from only Cloudflare IPs - the attacker had pointed their bots at Cloudflare with our hostname (bold move!).

The official solution (and might be why you see the blocked page) is to set up the WAF to block all requests.

Could you elaborate on this? What is being proxied, http requests? And can you use any CF IP?


Yes, HTTP / HTTPS requests can be proxied this way. Any CF IP seems to work. HTTPS only works if the target hasn't disabled Universal SSL (i.e., they have a TLS cert provisioned on Cloudflare's IPs).


Do they also accept proxied requests for domains that are not yet verified?
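
A detection sketch for the behaviour described in the first comment, added here as an example and not code from any commenter or from Cloudflare: it scans origin access logs for requests that arrive from Cloudflare address space for a hostname that is meant to be DNS-only. The log format, the hostnames and the sample lines are constructed, and the range list is a subset that should be refreshed from Cloudflare's published list.

```python
import ipaddress
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh from the
# current published list before relying on this in production).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Hostnames that use Cloudflare for DNS only (hypothetical names).
DNS_ONLY_HOSTS = {"app.example.com"}

# Constructed origin log lines: "<tcp_peer_ip> <host_header> <method> <path> <status>"
SAMPLE_LOG = """\
198.51.100.7 app.example.com GET / 200
172.68.10.4 app.example.com GET /login 200
162.158.90.12 app.example.com POST /login 200
172.68.10.4 www.example.com GET / 200
104.16.3.9 APP.example.com. GET /search 200
not-an-ip app.example.com GET / 400
"""

def from_cloudflare(ip_text):
    """True if the TCP peer address falls inside a listed Cloudflare range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address field: never treat as Cloudflare
    return any(ip in net for net in CLOUDFLARE_NETS)

def find_unexpected_proxying(log_text):
    """Count requests per (host, peer) that reached a DNS-only host via Cloudflare."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        peer, host = fields[0], fields[1].lower().rstrip(".")
        if host in DNS_ONLY_HOSTS and from_cloudflare(peer):
            hits[(host, peer)] += 1
    return hits

if __name__ == "__main__":
    for (host, peer), count in sorted(find_unexpected_proxying(SAMPLE_LOG).items()):
        print(f"{host} reached via Cloudflare peer {peer}: {count} request(s)")
```

The check must use the TCP peer address, not a forwarded-for header, since the point is to see which network actually connected to the origin.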