by 5ESS 1518 days ago
So there’s only 4.2 billion possible IPv4 addresses where a site can live. A lot are reserved or unused, leaving about 3.7 billion possibilities. Household internet speeds are fast enough that it is within the realm of possibility that a computer could sequentially connect to every single IPv4 host on the entire internet in search of the target website. Specialty network cards with datacenter connections can scan the entire IPv4 space in a matter of mere hours.
2 comments

If the origin server only responds with the relevant content if the correct host is requested, this scan becomes much more expensive, since you need to scan all IPs for each domain you're interested in, instead of once total.
But what makes you think that the real IP serves the same site to the public internet, as it proxies to CF? If I were using CF for DDoS mitigation, I would drop all traffic to my real IP other than traffic originating from CF.
Your approach would definitely protect you. In practice, many site owners don't do this, or they configure their web server with the whitelist instead of their firewall, denying direct access but exposing information about their domain.

For site owners who don't know about this, these are the IP addresses you can expect traffic from: https://www.cloudflare.com/ips/

I'd personally advise using IPv6 (with a high, random address rather than the common aa:bb:cc:dd::0) to make scanning for hosts a lot harder to accomplish, just in case your firewall fails for some weird reason.
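Added example (not code from the thread or from Cloudflare): a small Python script that does the two things the comments above recommend, with the whitelist enforced in the packet filter rather than in the web server. It parses a CDN range list in the one-CIDR-per-line shape published at https://www.cloudflare.com/ips/, classifies client addresses against it, renders an nftables ruleset that drops web traffic from any other source before the web server can answer (so no "wrong host" page or redirect leaks the domain), and picks a random interface identifier inside an IPv6 prefix instead of the guessable ::0 or ::1. The four ranges embedded in `SAMPLE_CDN_RANGES` are a hand-copied subset for a runnable example and are assumed, not authoritative; fetch the live list before deploying. The table, set and chain names are made up for this example.

```python
import ipaddress
import secrets

# Constructed sample in the same one-CIDR-per-line shape as the published CDN list.
# These entries are an assumption for the example and may be stale or incomplete;
# the authoritative list must be fetched from https://www.cloudflare.com/ips/.
SAMPLE_CDN_RANGES = """
173.245.48.0/20
103.21.244.0/22
# blank lines and comments are tolerated

2400:cb00::/32
2606:4700::/32
"""


def parse_ranges(text):
    """Parse one CIDR per line into network objects, skipping blanks and # comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=True rejects a CIDR with host bits set (a typo that would silently widen the rule)
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_from_cdn(client_ip, nets):
    """True if client_ip falls inside any allowed CDN range of the same IP version."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets if n.version == addr.version)


def _set_def(name, kind, members):
    """Render one nftables interval set; an empty elements clause is a syntax error, so omit it."""
    body = "type %s; flags interval;" % kind
    if members:
        body += " elements = { %s };" % ", ".join(members)
    return "    set %s { %s }" % (name, body)


def nft_ruleset(nets, ports=(80, 443)):
    """Render an nftables ruleset (hypothetical table/set names) that accepts the web ports
    only from the CDN ranges and drops them from everyone else, ahead of the web server."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    port_list = ", ".join(str(p) for p in ports)
    lines = [
        "table inet origin_guard {",
        _set_def("cdn_v4", "ipv4_addr", v4),
        _set_def("cdn_v6", "ipv6_addr", v6),
        "    chain input {",
        # policy accept leaves unrelated ports (SSH etc.) as they were; only the web ports are gated
        "        type filter hook input priority 0; policy accept;",
        "        tcp dport { %s } ip saddr @cdn_v4 accept" % port_list,
        "        tcp dport { %s } ip6 saddr @cdn_v6 accept" % port_list,
        "        tcp dport { %s } drop" % port_list,
        "    }",
        "}",
    ]
    return "\n".join(lines)


def random_host_in_prefix(prefix):
    """Pick a random address inside an IPv6 prefix (e.g. a /64), skipping the all-zeros
    subnet-router anycast address, so the origin is not at the ::0/::1 a scanner tries first."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6:
        raise ValueError("expected an IPv6 prefix")
    host_bits = 128 - net.prefixlen
    offset = secrets.randbelow(2 ** host_bits - 1) + 1  # uniform in [1, 2**host_bits - 1]
    return net[offset]


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_CDN_RANGES)
    for ip in ("173.245.50.7", "8.8.8.8", "2606:4700:10::1", "2001:db8::1"):
        print("%-18s %s" % (ip, "accept (CDN)" if is_from_cdn(ip, nets) else "drop"))
    print(nft_ruleset(nets))
    print("suggested origin address:", random_host_in_prefix("2001:db8:1:2::/64"))
```

Load the rendered ruleset with `nft -f`, and re-generate it whenever the published list changes; a stale set silently drops real CDN traffic or, worse, admits ranges that were reassigned. Keeping the check in the filter rather than in a vhost matters because a web server that answers with a 403, a default page or a redirect to www. still confirms to a scanner which domain lives at that IP.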

That's the correct way of handling it; the problem is that not many sites actually do that, or at least they didn't used to.

Back in the day, before teespring had a public API, I was scraping order counts from product listings; the problem was the main domain was behind CF so the "sold count" was always cached and I wanted the live number. I actually used "CrimeFlare" back then to get the real IP of the origin server and queried that instead. And that's TeeSpring.

Twitch also until recently had their origin server open to all (although it would often bounce you back to www.)