Cloudflare is a Content Delivery Network as well as a firewall for a website. It protects the website against many attacks. Cloudflare is famous for it’s DDoS protection at no cost. It provides a thick layer of security over the website’s real IP and transports all data from origin server to CDN. In simple words, Cloudflare hides the origin IP address of the server. Replacing it with a DDoS-protected based server IP. In this article, we’re going to learn how can we find the real IP behind the Cloudflare or how to bypass cloudflare. So let’s begin…
How CloudFlare Works
As mentioned above, Cloudflare provides a layer of security by transporting the data securely between the server and the visitor.
When a website is added to Cloudflare, the website owner is asked to change the nameserver of the website with cloudflare’s name server. After the website’s name server is updated, the cloudflare takes over. Cloudflare now provides a shell case between website and the visitor. This is how it works.
How To Bypass Cloudflare
There isn’t just one step the bypass cloudflare. If not configured properly after setup, the website is vulnerable to get bypassed. Let’s see what are the steps through which we can bypass Cloudflare.
Yes. When someone adds their website to Cloudflare, cloudflare automatically scans over all sub-domains on the domain and shows the list. However, only few of them which are set as default has the cloudflare protection enabled. If other sub-domains are pinged, they might show the server IP of the website’s origin.
For example, the website with domain example.com is protected with Cloudflare. But it isn’t configured properly or has been left on default settings, the sub-domains might still be vulnerable to expose the real IP. Maybe “mail.example.com” or “server.example.com” would still be showing the real IP? Try pinging them all until you find the IP which isn’t hosted on Cloudflare’s network.
How can we find that the IP isn’t hosted on Cloudflare?
By simply tracking it. Cloudflare’s IP addresses are mostly hosted on their US servers and can be detected easily. Not necessarily USA, they’ve got many datacenters. You can simply check their ISP. If it is Cloudflare, it will show “Cloudflare”, if it doesn’t show “Cloudflare”, it is the real IP. Note that, not every non-cloudflare hosted IP(s) are website’s origin. Some might be their another server IP or maybe their 3rd party mail server’s provider IP, so be specific and use your common sense during the operation.
How can we track it?
Tracking might sound a big deal. But actually it is not. Yes, it is hard to find accurate location of the IP address, but still you can use public IP trackers. The best and most accurate(not exact) available for free is ShadowCrypt. Just enter the IP address and press “Submit” and the results are is raw format!
Finding Out Domain’s IP/Nameserver History
If you manage to find out domain’s IP address or it’s name server history, then you might have a chance to assume the real IP. Most of website owners migrate their website and then add Cloudflare. IP History archives keeps the record of which domain has changed to which IP and when. Like your target website was once hosted on Digital Ocean, but then was added to Cloudflare. How can you find that specific IP address of Digital Ocean? You can lookout for it’s history.
You can use ViewDNS. They provide a record of “most” of domain’s IP history. Not all domains, but atleast more then half of your query.
Let’s take a scenario of finding out IP address of the website “Tech2Hack.com”. It is currently under Cloudflare but I know it was hosted on NameCheap once. But which IP? I’ll find it by checking it’s IP history.
You can see the past 4 IP address records made by ViewDNS are from Cloudflare. But before those 4 IPs, you can see NameCheap’s IP. The IP address is “18.104.22.168” and when I tracked it with ShadowCrypt IP Tracker, it shows Namecheap!
When I Open The IP In Browser, It Shows Default Text Instead Of Website’s Content, why?
But when you open the IP, you see the “Default” page. The reason behind this is that the website is hosted on a shared hosting. And Of course, Namecheap provides shared hosting in a very affordable price too! So there might be many websites hosted on the same server. This makes the hosting provider unable to provide dedicated IP so they host them all on a single server. Mostly when a private server is used, the server’s directory is “/var/www/html” but when a shared one is used, it is usually “/home/websiteusername/public_html” where “websiteusername” defines the cPanel username of the website’s owner hosting account. There are many users hosted in the same server like “websiteuser2” and “websiteuser3” or “randomusername” or “websiteownername”. It depends on the website’s owner or sometimes hosting provider to assign the username. The website is hosted on same IP you’ve found.
Using A 3rd Party Cloudflare Resolver
You can use a 3rd party cloudflare resolver. Yes, they exist. They do the work for you. You might feel boring to ping all sub-domains. Such resolvers do the work for you for FREE!
ShadowCrypt’s Cloudflare Resolver
You can use ShadowCrypt’s Cloudflare Resolver which automatically brute-forces thousands of sub-domains and pings them. Tracks the IP and lists the providers for you and finally, shows you which sub-domain is active, which has cloudflare and which is not hosted on Cloudflare.
Crimeflare’s Cloudflare Resolver
Crimeflare is a strange website. I couldn’t understand what is their motive behind their website. But whatsoever, their content surely displays their hate towards Cloudflare. You can use Crimeflare’s Cloudflare Resolver to find the real IP behind website if you fail to find with previous methods.
How To Protect Your Website Against Such Bypassing Techniques?
Not more reading. You can read our previous article on “Configuring Your Cloudfllare Website To Avoid Getting It Bypassed“.
I would still be searching for more techniques to bypass Cloudflare other then the above mentioned and present you the ways to protect your website against those techniques.
Here we finally come to an end on “How To Bypass Cloudflare”. If you found this article to be useful, please share it with your friends who are interested in this topic. And let us know your thoughts in the comment section below. There might be some mistakes in the article as I write them all alone, so if you found any, please let me know by commenting :). Thank you for reading.