Bypass Cloudflare protection using DMCA

1 points by yc1010 ↗ HN
It seems there is a rather easy method of finding the ip address of any service behind Cloudlfare, send them a DMCA notice and they will happily hand over ip address to "complainer" who then can proceed with their DDOS

This has happened 3 times now to me, this time i was prepared the ip Cloudflare handed over (and only Cloudflare could have known about) was a vps re-routing http traffic to my real server via haproxy.

edit: Cloudflare did not forward the email to me, instead they sent it to OVH the host of the haproxy vps, the DMCA was a dud, for files uploaded by the attacker themselves!

3 comments

[ 2.6 ms ] story [ 15.3 ms ] thread
Can you reach out to me privately so that I can take a look at this?
Sure see support Request #248668 I have cancelled my cloudflare pro subscription (used to have a business one) after about a year, its not worth it imho :(

No email was sent/forwarded to me as has happened once or twice before (and was promptly acted upon), the files in question were fakes uploaded by prospective attacker themselves.

The only way the ip address could have been exposed is by cloudflare.

Edit: I am not blaming Cloudflare, your service has been excellent and support fast, just pointing out a potential exploit angle of the service. I have a very clear DMCA policy which is automated and would have dealt with any complaint in minutes, there was no need for the "complainer" to contact Cloudflare or anyone else for that matter.

I will follow up internally. Thanks.