> This is obviously a huge threat to CloudFlare’s entire business model
I disagree. There are plenty of ways to hide your origin server, for example:
1. IPv6 only, since there are too many addresses to scan
2. Accepting connections only from Cloudflare IPs (probably not enough on its own, since features like Workers might allow an attacker to trigger requests from a Cloudflare server)
3. Mutual TLS authentication
4. Authentication headers (since mTLS might be difficult to integrate in your application)
5. Responding only if the right host is requested, which could even be different from the public domain (not enough on its own, but prevents untargeted scans)
6. Using tunnels (as frizlab pointed out)
I think Cloudflare already supports all of these out of the box. They just need to push their customers to apply such mitigations via documentation, displaying warnings if the origin server can be accessed directly, etc. So I consider this an inconvenience for Cloudflare, but not a huge threat.
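The layered origin checks from items 2, 4 and 5 of the list above, as an added example that is not part of the original comment or any Cloudflare code. The address ranges, host name, header name and secret are constructed placeholders.

```python
import hmac
import ipaddress

# Constructed placeholders: documentation address space, not real CDN ranges.
# A deployment would load the ranges its proxy provider publishes.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]
ORIGIN_HOST = "origin-7f3a.example.net"     # hypothetical non-public host name (item 5)
AUTH_HEADER = "x-origin-auth"               # hypothetical header name (item 4)
AUTH_SECRET = b"constructed-sample-secret"  # would come from a secret store


def check_origin_request(peer_ip, headers):
    """Return (allowed, reason). peer_ip must be the TCP peer address,
    never a value taken from a forwarded-for style header."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "bad-peer-address"
    # Item 2: drop anything that did not arrive through the proxy.
    if not any(addr in net for net in PROXY_RANGES):
        return False, "peer-not-proxy"
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Item 5: answer only for the expected host name (port stripped).
    host = hdrs.get("host", "").partition(":")[0].lower()
    if host != ORIGIN_HOST:
        return False, "unexpected-host"
    # Item 4: the proxy IP alone is not proof the request is for our zone,
    # so require a shared secret and compare it in constant time.
    supplied = hdrs.get(AUTH_HEADER, "").encode()
    if not hmac.compare_digest(supplied, AUTH_SECRET):
        return False, "bad-auth-header"
    return True, "ok"


# Constructed sample requests: (peer address, headers)
SAMPLES = [
    ("198.51.100.7", {"Host": "198.51.100.20"}),
    ("203.0.113.9", {"Host": ORIGIN_HOST}),
    ("203.0.113.9", {"Host": "www.example.net", "X-Origin-Auth": "constructed-sample-secret"}),
    ("2001:db8:100::5", {"Host": ORIGIN_HOST + ":443", "X-Origin-Auth": "constructed-sample-secret"}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, check_origin_request(peer, hdrs))
```

The second sample is the case the comment calls out: the request arrives from the proxy's address space but lacks the secret, so the allowlist alone would have let it through.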
Why on earth would you try to help DDOS'ers? I think you should really take a step back here and reevaluate what drives you here and what impact you have on other people.
Technically speaking, GitHub took the repo down. This is an important distinction, because voluntary takedowns and legally compelled takedowns are two entirely different things, and it’s not necessarily correct to assume the latter.
> This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.
Protecting origin servers is hard. Nothing unique to CloudFlare about that. If you follow their setup documentation then this tool can't harm you: https://developers.cloudflare.com/fundamentals/get-started/t...
If folks are really concerned about getting exposed they can firewall off everyone except Cloudflare.
>, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security and all,
I'm not familiar with CrimeFlare and its technical details, but a cursory Google search shows that security-through-obscurity is possible with Cloudflare if one follows the correct sequence of steps to hide the IP. Otherwise, a careless setup such as a public MX mail record will inadvertently "leak" the IP. E.g. Stack Overflow Q&A: https://stackoverflow.com/questions/58591448/how-does-crimef...
>, I intend to create a new internet-wide scanning system
But the host systems at the receiving end of your scanning tool still have to respond to your tool pinging them with network requests, and if your IP origin isn't Cloudflare, the host server doesn't have to reply with useful information. Or did you have another mass scanning technique we're overlooking?
Scanning the internet and indexing domains? Isn't that EXACTLY what BinaryEdge and Shodan do???
If you are going to use someone else to front your service, take care to make sure that (1) it can't even be accessed except via that front, and (2) you don't leak your origin IP address or network, even if traffic to that origin is dropped from sources other than the service fronting it.
How can you index domains by scanning the public internet? Wouldn’t trying to match domain names with IP addresses get you blocked by the server after too many failures? Or at least it would be too many attempts to make that it would take more than weeks?
> by scanning the public internet in its entirety, indexing the domains
Can you explain this?
The name might be infringement or the code might abuse their API. Or, GitHub could decide it's not worth it. Why would you try to scan every IP address?
As far as I remember, when the backend times out, CloudFlare shows a screen where you can see the actual IP of the server.
Do you even know under which rule it got taken down?
Just another reason to add to the pile of why I hate that company.
They probably reported it as malware and the M$ team didn't check what it was.
> CloudFlare had it taken down.
I'm not sure where the idea that we took this down came from, but I checked with legal and we didn't. Such tools, services, etc. have existed forever. Just one reason why we encourage people to protect their public IP (https://developers.cloudflare.com/fundamentals/get-started/s...) and have Cloudflare Tunnel (https://developers.cloudflare.com/cloudflare-one/connections...).