Hacker News
by talklittle 3401 days ago
> by visiting one of the vulnerable sites repeatedly

I mean, how could CloudFlare, or anyone, possibly differentiate this from normal scraping/polling/manual F5 refresh behavior? This sounds like a PhD thesis.

I guess you are asking CloudFlare to quantify the amount of distinct bytes of unauthorized data sent to any particular user agent? But then, any sophisticated attacker would rotate IPs, UA identifiers, and probably even between vulnerable websites, if they had known about this vulnerability.

I don't think it's reasonably possible to rule this out, even with a massive dedication of investigative resources. Like the other commenter said, it's wisest to assume it happened.


It should be possible to show statistical significance in access pattern changes from before, during, and after the window to the sites that were leaking data.
Yeah, particularly because the specific HTML that causes the problem is known.

If you have perfect information about what resources were requested when, you can look for a spike in queries for vulnerable resources. Once you see that, you know there was an intentional exploit and can start to look at who drove that spike, what was leaked, etc.

The problem is that we're talking about huge amounts of data. I'm skeptical that CF has logs of sufficient length and detail to conduct this analysis, but have no real knowledge about their forensic capabilities.

But the specific HTML that causes the problem is a common error that can be seen on plenty of pages, and the window during which the vulnerability was active was huge. How could you know that someone is intentionally using that erroring page to exploit the vulnerability?
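To make the before/during/after comparison from the thread concrete, here is an added example (not CloudFlare's code and not something anyone in the thread posted). It assumes a simplified log line format (`timestamp client METHOD path status`), a hypothetical set of paths known to trigger the bug, and a baseline period ending before the exposure window. All log lines, paths and IPs are constructed from documentation address ranges; the spike they contain is planted so the logic has something to find.

```python
"""Spike detection for requests to known-vulnerable resources.

Added illustration, not CloudFlare's tooling. Assumes a simplified log
format and a hypothetical set of pages whose HTML triggers the bug.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Hypothetical: pages whose markup triggers the faulty parser (constructed).
VULNERABLE_PATHS = {"/broken-tag.html", "/unbalanced.html"}


def build_sample_log():
    """Constructed log lines: a quiet, slightly varying baseline of ordinary
    visitors to a vulnerable page, some unrelated traffic, and one day in
    the exposure window where two clients hammer a vulnerable page."""
    lines = []
    start = date(2017, 2, 1)
    for day in range(30):                       # 2017-02-01 .. 2017-03-02
        d = start + timedelta(days=day)
        background = 7 + day % 3                # 7, 8 or 9 visitors per day
        for i in range(background):
            ts = datetime(d.year, d.month, d.day, 8 + i)
            lines.append(f"{ts.isoformat()} 198.51.100.{i} GET /broken-tag.html 200")
        noon = datetime(d.year, d.month, d.day, 12)
        lines.append(f"{noon.isoformat()} 203.0.113.7 GET /index.html 200")  # ignored
    spike_start = datetime(2017, 2, 20, 3)      # inside the exposure window
    for i in range(300):
        client = "192.0.2.10" if i % 2 else "192.0.2.11"
        ts = spike_start + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} {client} GET /unbalanced.html 200")
    return lines


def parse(line):
    """Split one simplified log line into (datetime, client, path)."""
    ts, client, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), client, path


def daily_counts(lines, paths=VULNERABLE_PATHS):
    """Per-day request totals, and per-day per-client totals, for the
    vulnerable paths only. Everything else is dropped."""
    per_day = Counter()
    per_day_client = defaultdict(Counter)
    for line in lines:
        ts, client, path = parse(line)
        if path in paths:
            per_day[ts.date()] += 1
            per_day_client[ts.date()][client] += 1
    return per_day, per_day_client


def flag_spikes(per_day, baseline_end, window_end, z_threshold=3.0):
    """Score each day in (baseline_end, window_end] against the mean and
    population stddev of the days up to baseline_end. Returns {day: z}
    for days at or above the threshold."""
    baseline = [n for d, n in per_day.items() if d <= baseline_end]
    mu, sigma = mean(baseline), pstdev(baseline)
    sigma = sigma or 1.0          # flat baseline: count any excess in raw requests
    flagged = {}
    for d, n in sorted(per_day.items()):
        if baseline_end < d <= window_end:
            z = (n - mu) / sigma
            if z >= z_threshold:
                flagged[d] = z
    return flagged


def client_concentration(per_day_client, day, top=3):
    """Share of a day's vulnerable-path requests owned by the top clients.
    A spike spread thinly over many clients looks like ordinary traffic;
    one that a handful of clients own is what you would chase further."""
    counts = per_day_client[day]
    total = sum(counts.values())
    return [(client, n / total) for client, n in counts.most_common(top)]


if __name__ == "__main__":
    per_day, per_day_client = daily_counts(build_sample_log())
    spikes = flag_spikes(per_day, date(2017, 2, 14), date(2017, 3, 2))
    for day, z in spikes.items():
        print(day, f"z={z:.1f}", client_concentration(per_day_client, day))
```

The concentration step is the only part that speaks to the objection that the erroring HTML is common: a day that is merely busier for everyone will not stand out by client, while a spike that two addresses own at least gives an investigator a thread to pull. It does nothing against an attacker who spreads requests over rotating IPs and user agents, as the first comment points out, and it presumes request logs that cover the whole window at this granularity.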