It turned out that the DDoS protection by Cloudflare can be bypassed using the instruments offered by Cloudflare itself. Stefan Proksch, an Austrian security engineer, discovered the vulnerability by taking advantage of certain logical flaws in inter-client security management. What he needed was only a free Cloudflare account and the target IP.
The problem is related to Cloudflare's common infrastructure, which receives connections from all users having at once two vulnerabilities – one regarding requests from Authenticated Origin Pulls and another one regarding the allowlist.
Authenticated Origin Pulls is the function that provides that requests sent to the origin server go through Cloudflare (and not from a potential cybercriminal). Cloudflare reverse proxy servers use SSL certificates to authenticate themselves to the origin server (the server where the website is hosted). This helps ensure that the communication between Cloudflare and the origin server is secure.
An attacker could potentially take advantage of these vulnerabilities by doing the following:
- The attacker sets up a custom domain with Cloudflare and points the DNS A record to the victim's IP address (the origin server).
- The attacker then disables all protection features for that custom domain in their Cloudflare tenant.
- They can now route their attacks through the Cloudflare infrastructure using the shared certificate, effectively bypassing the protection features set up by the victim.
According to Proksch, his security issue can only be mitigated by using custom certificates. However, using custom certificates requires customers to create and maintain their own origin pull certificates, which may be less convenient than using the Cloudflare certificate.
