How To Get Real IP Address Of A CloudFlare Protected Website
If an attacker can get your web server to connect to an arbitrary address, it will reveal your origin IP. Features like "upload from URL", which let a user upload a photo from a given URL, should be configured so that the server doing the download is not the website's origin server. This matters because if the attacker controls the URL, they can set up a site specifically to log who connects to it, or use a public service that monitors the IPs that contact unique URLs.
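The difference between the leaky and the safe configuration, as an added example that is not part of the original article: the vulnerable version fetches the user-supplied URL from the origin server itself, while the hardened version sends every outbound fetch through a forward proxy on a separate host, so the remote site only ever logs the egress address. The proxy hostname and port are assumptions; any forward proxy on a machine other than the origin will do.

```python
import urllib.parse
import urllib.request

# Assumed: a dedicated egress box on a different IP from the origin web server.
EGRESS_PROXY = "http://egress-proxy.internal:3128"


def validate_fetch_url(url):
    """Reject anything that is not an absolute http(s) URL with a hostname."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing hostname"
    return True, ""


def fetch_direct(url, timeout=10):
    """Vulnerable: the origin server connects out itself, so the URL's owner
    sees the origin IP in their access log."""
    ok, reason = validate_fetch_url(url)
    if not ok:
        raise ValueError(reason)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fetch_via_egress(url, proxy=EGRESS_PROXY, timeout=10):
    """Hardened: same fetch, but every outbound connection (including the
    CONNECT tunnel for https) goes through a proxy on a separate host."""
    ok, reason = validate_fetch_url(url)
    if not ok:
        raise ValueError(reason)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

Pair the proxy with an egress firewall rule on the origin that denies all other outbound HTTP(S); otherwise a single forgotten call site (a link-preview fetcher, a webhook test button) reopens the leak.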
This may not work if the target website runs on shared hosting with a shared IP, where Server Name Indication (SNI) is used to serve multiple HTTPS websites from a single IP address: a request sent to the bare IP lands on the default virtual host rather than the target site. To handle this, cURL offers a --resolve argument that explicitly maps a domain name and port to an IP address instead of using the normal DNS lookup, so the request still carries the right SNI and Host header. It must include the port and the full domain name, in the form host:port:address.
If you do this, and the validity of the visiting IP address matters, you also need to verify that $_SERVER["REMOTE_ADDR"] is actually one of Cloudflare's published IP addresses before trusting the forwarded visitor-IP header (CF-Connecting-IP), because anyone who can connect directly to the server's IP can forge that header.
Since Cloudflare is a reverse proxy service, it acts as an intermediary between website visitors and the host server. This makes it very hard for anyone to find the IP address of a website that uses Cloudflare.
Anyway, that is all from us. Let us know if you are aware of any other methods to find the true host or IP address of a website. In case you have any questions, then let us know in the comments below.
While Cloudflare's idea of hiding IP addresses behind its proxy for web acceleration and CDN purposes is a good one, the service is also widely used and abused by warez, phishing and other malicious websites that are often investigated. In these cases, finding the IP address of a Cloudflare-fronted website is a little trickier than for websites that do not use any cloud proxy service.
Now, suppose you are an attacker. By resolving example.com and www.example.com (a simple ping shows the address), you see that both resolve to IP addresses that belong to Cloudflare, which tells you the website has Cloudflare enabled.
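Both sides of the Cloudflare range check, as an added example that is not part of the original article: the recon step above (which of a domain's resolved addresses are Cloudflare's, and which are not) and the server-side check from the earlier paragraph (only trust CF-Connecting-IP when the TCP peer really is Cloudflare). The range list is an embedded snapshot of Cloudflare's published IPv4 ranges and the resolved addresses are constructed; in practice, fetch the live list from https://www.cloudflare.com/ips-v4 and resolve the names yourself.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The list changes over time; load the live copy in production code.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside one of the published Cloudflare ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_IPV4)


def classify_records(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Attacker-side recon: given hostname -> resolved A records, return only
    the hostnames (and addresses) that are NOT behind Cloudflare."""
    leaks = {}
    for host, addrs in records.items():
        exposed = [a for a in addrs if not is_cloudflare_ip(a)]
        if exposed:
            leaks[host] = exposed
    return leaks


def client_ip(remote_addr: str, headers: dict[str, str]) -> str:
    """Server-side: trust CF-Connecting-IP only when the TCP peer is Cloudflare.
    A client that reached the origin IP directly can put anything in that header,
    so in that case the peer address itself is the only honest answer."""
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("cf-connecting-ip")
    if forwarded and is_cloudflare_ip(remote_addr):
        return forwarded
    return remote_addr


if __name__ == "__main__":
    # Constructed answers standing in for real DNS lookups.
    resolved = {
        "example.com": ["104.16.8.1"],
        "www.example.com": ["104.16.8.1"],
        "mail.example.com": ["203.0.113.25"],
    }
    print("not behind Cloudflare:", classify_records(resolved))
    print("visitor:", client_ip("203.0.113.9", {"CF-Connecting-IP": "198.51.100.7"}))
```

The same predicate also drives the firewall rule the article recommends: allow 443/tcp to the origin from these ranges only and drop everything else, so a leaked address is useless to whoever finds it.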
All examples in this article work like this: the IPs are found because of mistakes made by the website operators. It is absolutely not about a fault within CloudFlare. They even warn you when you are exposing your real IP through an MX record, for example. On top of that, they encourage you to whitelist their IPs on your web server, so you do not expose your website, or a certificate for your domain, on the origin IP. They also have a service called Argo Tunnel (now Cloudflare Tunnel). With it, your server establishes an outbound tunnel to CloudFlare, which means you don't have to publicly expose your web server at all. CloudFlare is probably the most popular product in this category, which is why it has been used in some of the examples; it could be replaced with any similar service.
When you enter a URL in your browser, the first task the browser does is go to a DNS server and get the address of the server that is registered as hosting that website. There are many DNS servers in the world and the one that your browser uses is usually dictated by your internet service provider. However, it is possible to go into the settings of your browser and override the default DNS server selection.
DNS hijacking is a great medium for hackers. If a hacker can control the DNS server that your browser uses, he can replace the real IP addresses of bona fide websites, such as Google, Yahoo, and financial sites, with the addresses of phishing sites. The benefit of DNS hijacking for cybercriminals is that the regular web address of the site appears in the browser, even though a fake version of that site is retrieved.
The Cloudflare "Error 1020: Access Denied" message can occur when you try to access a URL on a Cloudflare-protected website. Cloudflare can block your IP address if it deems it dangerous or spammy, leaving you locked out.
There may be a problem with the website if none of these fixes have worked so far. Your final resort is to contact the website admin and ask them to check if Cloudflare has blocked your IP address, country, or anything else.
If there is sensitive content on your website that you want visible to real visitors but hidden from suspicious visitors, all you have to do is wrap the content in Cloudflare SSE tags (HTML comments). For example, wrapping the phone number in the tags: Bad visitors won't see my phone number, 555-555-5555. Note: SSE only works with HTML. If you have HTML minification enabled, you won't see the SSE tags in your HTML source when it is served through Cloudflare. SSE will still function in this case, as Cloudflare's HTML minification and SSE processing occur on the fly as the resource moves through our network to the visitor's computer. ( -us/articles/200170036).
The WAF examines HTTP requests to your website. It inspects both GET and POST requests and applies rules to help filter out illegitimate traffic from legitimate website visitors. The Cloudflare WAF inspects website addresses or URLs to detect anything out of the ordinary. If the Cloudflare WAF determines suspicious user behavior, then the WAF will 'challenge' the web visitor with a page that asks them to submit a CAPTCHA successfully to continue their action. If the challenge is failed, the action will be stopped. What this means is that Cloudflare's WAF will block any traffic identified as illegitimate before it reaches your origin web server. ( -us/articles/200172016).
Besides improving performance, Cloudflare also offers security features that help protect the website from attacks, among them DDoS attacks, in which many simultaneous requests hit the page, whether from real users or from so-called zombie computers.
One cause is when the CDN sees that the IP address trying to establish the connection is marked in its settings to be blocked. The CDN then refuses the connection, as it identifies a risk to the site.
This allows you to verify if there are blocked IP addresses. Also, you can identify a need for changing firewall rules or adding the desired IP address to grant access to the user who is unable to access the website.
If Cloudflare is configured correctly, the real IP address of the site is never disclosed or recorded anywhere; but how many people do you know who always do everything right? For this reason, there are tools that look for holes in your Cloudflare setup. One of these tools is CloudFail; it helps you find the real IP behind Cloudflare, and this note is devoted to it.
In fact, the described process is already the third stage. In the first stage, CloudFail obtains a list of possible subdomains from DNSDumpster.com and checks them. In the second stage, it queries the CrimeFlare service, which has gathered a large database of IP addresses for sites protected by Cloudflare; if the site's IP is known there, it is shown immediately. CrimeFlare is described in more detail here. In the third stage, subdomains from a dictionary are brute-forced as described.
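The third stage, dictionary brute-forcing of subdomains, as an added example that is not CloudFail's own code: each word is tried as a subdomain, resolved, and reported if its A records sit outside the proxy's ranges; leaked addresses are then ranked by how many subdomains share them, since the most common one is the strongest origin candidate. The zone data is constructed so the example runs offline (swap fake_resolve for real lookups), and only two of Cloudflare's published ranges are listed for brevity; use the complete list from https://www.cloudflare.com/ips-v4 in practice.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers so the example runs offline.
# Replace fake_resolve with socket.getaddrinfo or a dnspython query for a real run.
FAKE_ZONE = {
    "example.com": ["104.16.8.1"],          # apex: behind Cloudflare
    "www.example.com": ["104.16.8.1"],
    "mail.example.com": ["203.0.113.25"],   # MX host on the real server (leak)
    "dev.example.com": ["203.0.113.25"],    # staging vhost left unproxied (leak)
    "ftp.example.com": ["203.0.113.26"],
}


def fake_resolve(name):
    """Stand-in resolver: returns the constructed A records, or [] for NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


# Two of Cloudflare's published ranges, enough for the demo; use the full list in practice.
PROXY_RANGES = [ipaddress.ip_network("104.16.0.0/13"), ipaddress.ip_network("172.64.0.0/13")]


def is_proxied(addr):
    return any(ipaddress.ip_address(addr) in net for net in PROXY_RANGES)


def brute_force_subdomains(domain, wordlist, resolve, proxied):
    """Try every dictionary word as a subdomain and keep the names whose A records
    fall outside the proxy ranges. Returns {fqdn: [exposed addresses]}."""
    findings = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        addrs = resolve(name)
        exposed = sorted({a for a in addrs if not proxied(a)})
        if exposed:
            findings[name] = exposed
    return findings


def candidate_origins(findings):
    """Rank leaked addresses by how many subdomains point at them, most shared first."""
    counts = {}
    for addrs in findings.values():
        for a in addrs:
            counts[a] = counts.get(a, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    words = ["www", "mail", "dev", "ftp", "vpn"]  # constructed mini wordlist
    found = brute_force_subdomains("example.com", words, fake_resolve, is_proxied)
    for name, addrs in found.items():
        print(f"{name}: {', '.join(addrs)}")
    print("candidates:", candidate_origins(found))
```

A hit here is only a candidate: as the later section warns, a subdomain can be pointed at an address the domain owner does not control, so verify each address before treating it as the origin.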
Cloudflare is a freely available service that offers CDN and caching functionality. To use Cloudflare, a domain's DNS is updated to send all traffic through Cloudflare; as a result, the IP address of the actual web server hosting the website is hidden, which is what makes the various protections possible.
By doing this, Cloudflare essentially hides the real IP address of the web server hosting the website. There are many times when we may wish to find the actual IP address of a server behind Cloudflare; during a penetration test, for example, you may want to bypass the web application firewall (WAF) completely by targeting the server directly.
Some examples include registering an account on a website, using the forgot-password form, or any other activity that causes the web server to send an external email to you. In the example below we can see, from the Received headers, that the real IP address of the server that sent the message was 52.x.x.x.
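Reading the origin address out of such an email, as an added example that is not part of the original article: Received headers are prepended by each relay, so the bottom-most one is the first hop, i.e. the server that generated the message. Internal hops (localhost, RFC 1918 addresses from a local MTA) are skipped because they carry no information. The message below is constructed, and 203.0.113.10 is a documentation address standing in for the 52.x.x.x the text mentions.

```python
import email
import ipaddress
import re

# Constructed password-reset notification with three Received hops, newest first.
SAMPLE_MESSAGE = """\
Received: from mx.mailprovider.example (mx.mailprovider.example [198.51.100.20])
 by inbox.example.net with ESMTPS id abc123; Tue, 1 Jan 2019 10:00:02 +0000
Received: from web01.example.com (web01.example.com [203.0.113.10])
 by mx.mailprovider.example with ESMTP id xyz789; Tue, 1 Jan 2019 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
 by web01.example.com (Postfix) with ESMTP id 0001; Tue, 1 Jan 2019 10:00:00 +0000
From: noreply@example.com
To: you@example.net
Subject: Reset your password

Click the link below to reset your password.
"""

# Received lines carry the connecting address in square brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops from these ranges are local relays, not the server we are looking for.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def received_hops(raw):
    """Bracketed IP of each Received header, in header order (newest first);
    None where a header has no bracketed address."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = IP_RE.search(value)
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(raw):
    """Earliest non-internal hop: the address of the server that sent the mail."""
    for ip in reversed(received_hops(raw)):
        if ip and not is_internal(ip):
            return ip
    return None


if __name__ == "__main__":
    print("hops:", received_hops(SAMPLE_MESSAGE))
    print("origin candidate:", originating_ip(SAMPLE_MESSAGE))
```

Treat the result as a candidate, not proof: a site that sends through a third-party mail provider or a separate mail host will show that host's address here, not the web origin.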
If the website was not set up with Cloudflare from the start, there may have been a period when DNS pointed directly to the server. Online DNS-history tools let us view past records, which may reveal the IP addresses in use before Cloudflare was activated; these may still be the same today.
A simple way to check this is to modify your hosts file to point the domain at the candidate IP address; after flushing your DNS cache, browse to the domain, and if that IP is the real source of the website the same page should load.
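The verification step from the hosts-file paragraph and the --resolve/SNI discussion earlier, as an added example that is not part of the original article: connect to the candidate IP over TCP, present the target domain as SNI and in the Host header (which is what both curl --resolve and a hosts-file entry achieve), and compare the response with what the Cloudflare-fronted site returns. The fingerprint uses the page title so that proxy-side differences such as minification or cache headers do not cause a false negative. Hosts and addresses in the usage line are assumptions.

```python
import hashlib
import re
import socket
import ssl


def build_request(host, path="/"):
    """Minimal HTTP/1.1 GET; the Host header selects the virtual host on a shared IP."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: origin-check\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def split_response(raw):
    """Return (status code, body) from a raw HTTP response; status 0 if unparsable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    words = head.split(b"\r\n", 1)[0].decode(errors="replace").split()
    status = int(words[1]) if len(words) > 1 and words[1].isdigit() else 0
    return status, body


def fetch_via_ip(host, ip, port=443, path="/", timeout=5.0, verify=True):
    """Equivalent of curl --resolve host:port:ip: TCP to the candidate address,
    TLS handshake with SNI=host, Host header=host. Returns (status, body) or
    None if the connection or handshake fails. With verify=True a certificate
    that does not match host (wrong server, or the default vhost) also yields
    None; pass verify=False to inspect origins using a non-public origin cert."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(build_request(host, path))
                chunks = []
                while True:
                    data = tls.recv(65536)
                    if not data:
                        break
                    chunks.append(data)
    except (OSError, ssl.SSLError):
        return None
    return split_response(b"".join(chunks))


def body_fingerprint(body):
    """(page title, sha256 of body): the title survives minification, the hash catches exact matches."""
    m = re.search(rb"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).strip().decode(errors="replace") if m else ""
    return title, hashlib.sha256(body).hexdigest()


def same_site(fp_a, fp_b):
    """True if the titles match (and are non-empty) or the bodies are identical."""
    return bool((fp_a[0] and fp_a[0] == fp_b[0]) or fp_a[1] == fp_b[1])


if __name__ == "__main__":
    # Assumed target and candidate address; 203.0.113.5 is a documentation IP.
    host, candidate = "example.com", "203.0.113.5"
    via_proxy = fetch_via_ip(host, socket.gethostbyname(host))
    direct = fetch_via_ip(host, candidate, verify=False)
    if via_proxy and direct:
        match = same_site(body_fingerprint(via_proxy[1]), body_fingerprint(direct[1]))
        print(f"{candidate} serves {host}: {match}")
    else:
        print("one of the fetches failed:", via_proxy is not None, direct is not None)
```

A 200 with a completely different title means the IP hosts something, but not this site (the shared-hosting default vhost case); a handshake failure with verify=True but success with verify=False usually means a self-signed or Cloudflare Origin CA certificate, which is itself a strong hint that you have found the origin.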
With these techniques it may be possible to find the real IP address of a website that would otherwise be hidden behind Cloudflare. Of course these methods are not a silver bullet and will therefore not always work, however in general I have found them quite useful in identifying the actual server address. Now that you are aware of these methods you could secure your website in order to protect it further with the mitigations discussed to help avoid leaking the IP address of your web server.
A situation can also arise where the DNS records for the site.ua domain itself point to a Cloudflare IP address, while a subdomain such as www.site.ua has a DNS record pointing to a different IP that is not protected by Cloudflare, as ethical hacking experts note. The final result will reveal an IP address that:
As a result of these analyses it is possible to find IP addresses that are not protected by Cloudflare. Ethical hacking experts warn against simply assuming that the IP addresses of the subdomains belong to the same owner: this is not always true, because the owner of the primary domain can point a record at any IP address, even one that does not belong to them.