top | item 31095709

Ask HN: What gives Cloudflare the right to takedown apps revealing site real IP?

35 points| 5ESS | 3 years ago

I stumbled across an interesting app called “CrimeFlare” and what it does is reveal the real IP of websites using Cloudflare’s DDoS mitigation service.

CloudFlare had it taken down. https://github.com/zidansec/CrimeFlare

I’m assuming it does this by scanning the public internet in its entirety, indexing the domains. (A household fiber connection can scan the entire IPv4 space in a mere matter of weeks.)

This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.

I just fail to understand what grounds they have to take something like this down. Internet IPs are public knowledge and these websites are publicly accessible. Just because Cloudflare built a billion dollar business exploiting the fact that sites’ “real” IPs can be hidden through obscurity doesn’t mean they should be able to censor/takedown apps that expose the flaw in their business plan!

Anyways, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security at all, and that CloudFlare doesn’t have the right to take something like this down!

58 comments

[+] jgrahamc|3 years ago|reply
> CloudFlare had it taken down.

I'm not sure where the idea that we took this down came from, but I checked with legal and we didn't. Such tools, services, etc. have existed forever. Just one reason why we encourage people to protect their public IP (https://developers.cloudflare.com/fundamentals/get-started/s...) and have Cloudflare Tunnel (https://developers.cloudflare.com/cloudflare-one/connections...).

[+] 5ESS|3 years ago|reply
Thanks for clarifying that it had to be GitHub. The post you replied to says GitHub or Cloudflare took it down. Either way, this issue should be brought to customers’ attention more clearly. Most people probably don’t know that the entire internet can be scanned in a matter of hours or days, which might uncover their site. I’m curious how many customers are paying for your anti-DDoS service yet their sites are easily findable using such a tool, effectively rendering the service useless. Do you scan the internet yourself and proactively warn customers when their real IP is findable in this way?
[+] 5ESS|3 years ago|reply
Say that, despite your linked recommendations for hiding the public IP, thousands of customers were under the impression that as long as no one leaked the IP, no one would be able to discover the site. They’re paying you a lot of money for security, yet that security can be completely undermined by a teen with a scanner tool. If there’s thousands of clients paying for anti-DDOS services yet their IP is easily findable, then it’s like…what are they even paying for? On a scale of thousands this probably adds up to a large sum of money…Money paid for pointless services rendered.
[+] CodesInChaos|3 years ago|reply
> This is obviously a huge threat to CloudFlare’s entire business model

I disagree. There are plenty of ways to hide your origin server, for example:

1. IPv6 only, since there are too many addresses to scan

2. Accepting connections only from cloudflare IPs (probably not enough on its own, since features like workers might allow an attacker to trigger requests from a cloudflare server)

3. Mutual TLS authentication

4. Authentication headers (since mTLS might be difficult to integrate in your application)

5. Responding only if the right host is requested, which could even be different from the public domain (not enough on its own, but prevents untargeted scans)

6. Using tunnels (as frizlab pointed out)

I think cloudflare already supports all of these out of the box. They just need to push their customers to apply such mitigations via documentation, displaying warnings if the origin server can be accessed directly, etc. So I consider this an inconvenience for cloudflare, but not a huge threat.
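
The checks in items 2, 4 and 5 of the list above, written out as an added example (not code from the original thread or from Cloudflare): a small WSGI gate that admits a request only when the TCP peer is a Cloudflare edge address, the Host header is a private origin name rather than the public domain, and a shared-secret header (the kind a Transform Rule can inject) matches in constant time. The origin host name, the secret value and the header name are hypothetical; the address list is a snapshot of Cloudflare's published IPv4 ranges and is assumed current.

```python
import hmac
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips/).
# Assumption: the snapshot is current. Cloudflare changes this list, so in
# production fetch and reload it on a schedule instead of hard-coding it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Hypothetical deployment values chosen for this example.
ORIGIN_HOST = "origin-7f3a.example.internal"          # item 5: not the public domain
ORIGIN_SECRET = b"0f6a2c9e4b1d8e7f3a5c6b2d9e1f4a7c"      # item 4: value a Transform Rule injects
SECRET_HEADER = "HTTP_X_ORIGIN_AUTH"                    # WSGI spelling of X-Origin-Auth


def from_cloudflare(peer_ip):
    """Item 2. Decide on the TCP peer address, never on X-Forwarded-For or
    CF-Connecting-IP: anyone who can reach the origin directly can forge those."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def admit(environ):
    """Return (allowed, reason) for one WSGI request.

    Every check is required: the IP allowlist alone still passes traffic that a
    Worker relays from Cloudflare's own addresses, and the Host check alone only
    defeats untargeted scans, so the shared secret is what ties the request to
    your own zone configuration."""
    if not from_cloudflare(environ.get("REMOTE_ADDR", "")):
        return False, "peer is not a Cloudflare edge address"
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host != ORIGIN_HOST:
        return False, "unexpected Host header"
    presented = environ.get(SECRET_HEADER, "").encode()
    if not hmac.compare_digest(presented, ORIGIN_SECRET):   # constant-time compare
        return False, "missing or wrong origin secret"
    return True, "ok"


def application(environ, start_response):
    """WSGI entry point: refuse with 403 before the real application sees the request."""
    allowed, reason = admit(environ)
    if not allowed:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [reason.encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the origin\n"]
```

Two caveats for anyone deploying something like this: if the origin listens on IPv6, add Cloudflare's published IPv6 ranges from the same URL, and treat this gate as defence in depth behind a network-layer firewall rule (item 2 at the packet filter) and, where the stack allows it, Cloudflare's client-certificate option for item 3, which is stronger than a shared header because the secret never travels in a request.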

[+] frizlab|3 years ago|reply
They have tunnels now. The source does not have to be open to the public at all anymore (the tunnel is a kind of VPN between the source and Cloudflare; all the source has to do is install a single binary)
[+] fjfbsufhdvfy|3 years ago|reply
Cloudflare can easily do 4 as well. Use Transform Rules to inject Authorization header or any other one you want.
[+] Nathanba|3 years ago|reply
Why on earth would you try to help DDOS'ers? I think you should really take a step back here and reevaluate what drives you here and what impact you have on other people.
[+] CodesInChaos|3 years ago|reply
Publishing such tools raises awareness of the weakness, and pushes vulnerable origin servers to fix it. Ideally cloudflare would show a warning in their UI when the origin server is publicly accessible.
[+] peppermint_tea|3 years ago|reply
There is a website currently publishing my (outdated) information without my consent (old home address, current email, old phone number) and it is hiding behind Cloudflare. I wrote to Cloudflare months ago, and silence... So there can be many sides to that story here...

edit : oh and what the hell, name and shame https://www.reversecanada.com/ (and they have variants for other countries)

[+] ushakov|3 years ago|reply
aren’t there any legitimate use-cases for it?
[+] 5ESS|3 years ago|reply
Before CloudFlare sends the FBI to my house..I’m not actually going to code this. It’s just an idea that exposes a problem. The problem is there’s a lot of Cloudflare customers who don’t have their servers configured properly to defend from it. If my amateur self can conceptualize this idea, it means cybercriminals already have similar tools and are using them already, so if you’re a site operator you should use this post as a warning and fix your servers ahead of time. However, it was messed up that they might try to take down the tool rather than help mitigate the flaw.
[+] kube-system|3 years ago|reply
Technically speaking, GitHub took the repo down. This is an important distinction, because voluntary takedowns and legally compelled takedowns are two entirely different things, and it’s not necessarily correct to assume the latter.
[+] eli|3 years ago|reply
> This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.

Protecting origin servers is hard. Nothing unique to CloudFlare about that. If you follow their set up documentation then this tool can't harm you: https://developers.cloudflare.com/fundamentals/get-started/t...

[+] mmcgaha|3 years ago|reply
If folks are really concerned about getting exposed they can firewall off everyone except cloudflare.

https://www.cloudflare.com/ips/

[+] eli|3 years ago|reply
Or better yet: use Cloudflare Tunnel to connect your origin to Cloudflare without exposing any inbound ports. I think you can also have Cloudflare present a client certificate that you can verify before responding.
[+] jasode|3 years ago|reply
>, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security and all,

I'm not familiar with CrimeFlare and its technical details but a cursory google search shows that security-through-obscurity is possible with Cloudflare if one follows the correct sequence of steps to hide the ip. Otherwise, a careless setup such as public MX mail record will inadvertently "leak" the ip. E.g. Stackoverflow Q&A: https://stackoverflow.com/questions/58591448/how-does-crimef...

>, I intend to create a new internet-wide scanning system

But the host systems at the receiving end of your scanning tool still have to respond to your tool pinging them with network requests and if your ip origin isn't Cloudflare, the host server doesn't have to reply with useful information. Or did you have another mass scanning technique we're overlooking?

[+] 5ESS|3 years ago|reply
What % of Cloudflare customers actually have their server set to only accept traffic from cloudflare IPs? Probably not the majority. If this is coming as a surprise to people then maybe Cloudflare isn’t doing enough to help people secure themselves against it.
[+] stairlane|3 years ago|reply
Scanning the internet and indexing domains? Isn't that EXACTLY what binary edge and shodan do???
[+] nickdothutton|3 years ago|reply
If you are going to use someone else to front your service, take care to make sure that (1) it can't even be accessed except via that front, and (2) you don't leak your origin IP address or network, even if traffic to that origin is dropped from sources other than the service fronting it.
[+] true_religion|3 years ago|reply
How can you index domains by scanning the public internet? Wouldn’t trying to match domain names with IP addresses get you blocked by the server after too many failures? Or at least it would be too many attempts to make that it would take more than weeks?
[+] cft|3 years ago|reply
>by scanning the public internet in it’s entirely, indexing the domains

Can you explain this?

[+] 5ESS|3 years ago|reply
So there’s only 4.2 billion possible IPv4 addresses where a site can live. A lot are reserved or unused, leaving about 3.7 billion possibilities. Household internet speeds are fast enough that it is within the realm of possibility that a computer could sequentially connect to every single IPv4 host on the entire internet in search of the target website. Specialty network cards with datacenter connections can scan the entire IPv4 space in a matter of mere hours.
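
The per-host step of the scan described above, and the question jasode raises about whether a directly-contacted origin has to answer usefully, as an added example that is not part of the original thread: connect straight to a candidate IP, ask for the public site by Host header, and classify the answer. A leak is a reply that carries the site's content but none of the headers Cloudflare's edge adds (cf-ray, server: cloudflare). The two origins it is run against here are constructed stand-ins on localhost, one that answers for the public name and one that only answers for a private origin name (CodesInChaos's item 5); the domain, marker string and origin name are hypothetical.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PUBLIC_HOST = "shop.example"   # hypothetical public domain fronted by Cloudflare
MARKER = "Example Shop"        # hypothetical fingerprint of the public site's page


def probe_origin(ip, port, public_host, marker, timeout=3.0):
    """Talk to ip:port directly, bypassing the edge, and request the public site.

    Returns a dict:
      status -> HTTP status, or None when nothing answered
      edge   -> True if the reply carries Cloudflare edge headers, i.e. this
                address is an edge, not an origin
      leaks  -> True if the body contains `marker`
    An exposed origin shows up as status 200, edge False, leaks True."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": public_host,
                                          "User-Agent": "origin-exposure-check"})
        resp = conn.getresponse()
        body = resp.read(65536)
        edge = (resp.getheader("cf-ray") is not None
                or (resp.getheader("server") or "").lower() == "cloudflare")
        return {"status": resp.status, "edge": edge, "leaks": marker.encode() in body}
    except (OSError, http.client.HTTPException):
        return {"status": None, "edge": False, "leaks": False}
    finally:
        conn.close()


def start_demo_origin(accepted_host):
    """Constructed stand-in for an origin server, not a real site.

    It serves the page only when the Host header equals accepted_host: pass the
    public domain to model a misconfigured origin, a private name to model
    an origin locked to its own host name."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = self.headers.get("Host", "").split(":")[0].lower()
            if host == accepted_host:
                code, body = 200, b"<title>Example Shop - welcome</title>"
            else:
                code, body = 404, b"not found"
            self.send_response(code)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep the example quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe a leaky and a host-locked origin; returns both classifications."""
    leaky = start_demo_origin(PUBLIC_HOST)
    hardened = start_demo_origin("origin-7f3a.internal")
    try:
        return (probe_origin("127.0.0.1", leaky.server_port, PUBLIC_HOST, MARKER),
                probe_origin("127.0.0.1", hardened.server_port, PUBLIC_HOST, MARKER))
    finally:
        for srv in (leaky, hardened):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for label, result in zip(("misconfigured origin", "host-locked origin"), demo()):
        print(f"{label}: {result}")
```

Against a real HTTPS origin the same probe needs a TLS handshake with the public name as SNI (ssl.create_default_context().wrap_socket(sock, server_hostname=public_host)) and should tolerate a certificate that does not match, since an exposed origin often presents one for a different name. Run it only against addresses you operate; the point is to confirm that the firewall, host and secret checks discussed in this thread actually hold before someone else's scanner does.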
[+] formerkrogemp|3 years ago|reply
The name might be infringement or the code might abuse their API. Or, GitHub could decide it's not worth it. Why would you try to scan every IP address?
[+] 5ESS|3 years ago|reply
A valid use case for wanting to know the “real” IP of a site hiding behind CloudFlare is being able to access the website from a Tor IP address (which they categorically block). For users in a country with censored internet, such a service would be essential.
[+] ushakov|3 years ago|reply
as far as i remember when the backend times out, CloudFlare shows a screen where you can see the actual IP of the server
[+] jffry|3 years ago|reply
I have seen the screen where Cloudflare cannot contact the origin and it absolutely does not include the IP address or other details about the origin.

You might be thinking of the "Ray ID" that Cloudflare displays on that page, which is just a random request ID that has nothing to do with the origin server.

[+] dewey|3 years ago|reply
That would defeat the whole purpose of using Cloudflare as an anti-ddos measure so I doubt that.
[+] Teletio|3 years ago|reply
Do you even know under which rule it got taken down?
[+] rubyist5eva|3 years ago|reply
Just another reason to add to the pile of why I hate that company.
[+] jokethrowaway|3 years ago|reply
They probably reported it as malware and M$ team didn't check what it was