Cloudflare is a popular web performance and security company that offers CDN, DNS, DDoS protection and security for millions of websites. It acts as a middleman between users and the website: it boosts a website's performance and protects it from various online security threats. However, some websites are misconfigured, because not all website owners are tech savvy. If a website is poorly configured, an attacker can bypass Cloudflare altogether and run DDoS attacks or exploit web-based vulnerabilities directly against the origin. This is where CloudFlair comes in. CloudFlair is a tool to find origin servers of websites protected by CloudFlare that are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should.
The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name. Please note that this post is not claiming the Cloudflare service is unsafe. It just explains how to tell whether the origin of a website protected with CloudFlare is publicly exposed or not. Cloudflare cannot protect a website against DDoS attacks if its owner and/or webmaster has left the origin server reachable directly.
CloudFlair is written in Python. It should work well with Python 2.7 and Python 3.5. To install this tool, make sure you have PIP installed on your system. If not, refer to the "Installation" section in the following guide.
Register a free account on Censys. Censys is a great web service that continually monitors every reachable server and device on the Internet. After registering an account, make sure you have verified the given email address. Then browse to https://censys.io/account/api, and set two environment variables with your API ID and API secret in your .bashrc or .zshrc file.
Add the following lines:
export CENSYS_API_ID=<Your-API-ID_Here>
export CENSYS_API_SECRET=<Your-API-Secret_Here>
Save and close the file. Run the following command for the changes to take effect.
After installing PIP and setting the environment variables, clone the CloudFlair repository:
git clone https://github.com/christophetd/cloudflair.git
Finally, run the following command to install the dependencies CloudFlair requires.
pip install -r requirements.txt
Find Origin Servers Of Websites Protected By CloudFlare
To find the origin IP address of a website, run:
python cloudflair.py website1.com
Replace website1.com with the actual website name.
If the website is vulnerable, you may see output like the following.
[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "website1.com" using Censys
[*] 6 certificates matching "website1.com" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 2 IPv4 hosts presenting a certificate issued to "website1.com" were found.
  - 184.108.40.206
  - 220.127.116.11
[*] Testing candidate origin servers
[*] Retrieving target homepage at https://website1.com
[*] "https://cyberciti.biz" redirected to "https://website1.com/"
  - 18.104.22.168
  - 22.214.171.124
[*] Found 1 likely origin servers of website1.com!
  - 126.96.36.199 (HTML content is 99 % structurally similar to website1.com)
If it is not vulnerable, the output will look like this:
[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "website2.com" using Censys
[*] 2 certificates matching "website2.com" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 0 IPv4 hosts presenting a certificate issued to "website2.com" were found.
[-] The target is most likely not vulnerable.
If the website is not using the CloudFlare service at all, you will see the following output:
[-] The domain "example3.com" does not seem to be behind CloudFlare.
What to do if the website is vulnerable?
No worries! Cloudflare has got your back. The following detailed guide contains helpful tips for keeping your origin IP secure against attackers who want to bypass Cloudflare's DDoS protection. Read it carefully and make sure you have done everything it describes, or hire a skilled webmaster to close every possible loophole. The core fix is the one CloudFlair tests for: the origin server should only accept connections from Cloudflare's published IP ranges, so that a direct hit on the origin address is refused.
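As an added example (not part of CloudFlair or of the guide this post refers to): a small Python helper that turns a list of allowed IPv4 ranges into an nginx allow-list fragment for the origin virtual host, and checks whether a given connecting address would be accepted. The ranges embedded below are constructed placeholders from the RFC 5737 documentation blocks; the real list is published by Cloudflare at https://www.cloudflare.com/ips-v4, one CIDR per line, and is assumed to be in that same format.

```python
import ipaddress
from typing import List

# Constructed sample allow-list using RFC 5737 documentation ranges.
# In practice, replace with the IPv4 ranges Cloudflare publishes at
# https://www.cloudflare.com/ips-v4 (one CIDR per line).
SAMPLE_RANGES_TEXT = """\
# comment lines and blank lines are ignored
192.0.2.0/24

198.51.100.0/25
203.0.113.64/26
"""


def parse_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line into IPv4Network objects, skipping comments and blanks.

    strict=True rejects a CIDR whose host bits are set (e.g. 192.0.2.1/24);
    that usually means a hand-edited list with a typo, which is safer to reject
    than to silently widen or narrow.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=True)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"expected an IPv4 range, got {line!r}")
        nets.append(net)
    return nets


def is_allowed(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the connecting address falls inside any allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def render_nginx_allowlist(nets: List[ipaddress.IPv4Network]) -> str:
    """Render an nginx 'allow ...; deny all;' fragment for the origin vhost."""
    lines = [f"allow {net.with_prefixlen};" for net in nets]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGES_TEXT)
    print(render_nginx_allowlist(nets))
    # 203.0.113.5 is outside every sample range, so a direct hit is refused.
    print("direct connection from 203.0.113.5 allowed?", is_allowed("203.0.113.5", nets))
```

Apply the rendered allow/deny fragment to the connection source address, before any real-IP rewriting of the client address; otherwise the check evaluates the visitor's address forwarded by the edge instead of the edge's own.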