Thanks for clarifying that it had to be Github. The post you replied to says Github or Cloudflare take it down. Either way, this issue should be brought to customers' attention more clearly. Most people probably don't know that the entire internet can be scanned in a matter of hours or days, which might uncover their site. I'm curious how many customers are paying for your anti-DDoS service yet their sites are easily findable using such a tool, effectively rendering the service useless. Do you scan the internet yourself and proactively warn customers when their real IP is findable in this way?
> Do you scan the internet yourself and proactively warn customers when their real IP is findable in this way?
There is no reason for them to scan the internet. They could simply probe the configured origin server from an IP outside the whitelisted Cloudflare IP range, and display a warning if it's accessible.
Say that, despite your linked recommendations for hiding the public IP, thousands of customers were under the impression that as long as no one leaked the IP, no one would be able to discover the site. They're paying you a lot of money for security, yet that security can be completely undermined by a teen with a scanner tool. If there are thousands of clients paying for anti-DDoS services yet their IP is easily findable, then it's like... what are they even paying for? On a scale of thousands this probably adds up to a large sum of money... money paid for pointless services rendered.
As someone on the "buy side" of Cloudflare-like services, that's not how it works. How could a third party like Cloudflare protect my unprotected IP address? A very basic part of using a CDN/DDoS protection product is not allowing raw traffic to your origin server.
Re "as long as no one leaked their IP": the IPv4 space is quite small. It's trivial to scan it and discover unadvertised, but ultimately very public, servers.
If customers don’t already have an understanding of both of these points, then they need to increase their competence in areas that are, frankly, pretty basic.
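The check described two comments up (probe the configured origin from an address outside the Cloudflare ranges and warn if it answers) and the point just above it (an origin should not accept raw traffic at all), as one added example. This is not code from the thread or from Cloudflare. The two local "origins", the hostname www.example.com and the probe from 127.0.0.1 are constructed for the demo; the IP range list is a snapshot of Cloudflare's published IPv4 list and should be fetched live in real use. The probe is plain HTTP so it runs offline; a real one would use HTTPS with SNI set to the site's hostname, since that is what the origin serves.

```python
"""Probe whether an origin server answers direct (non-Cloudflare) traffic.

Added example, not from the thread. It runs a throw-away local origin in
two modes: one that answers anyone, one that only answers client IPs inside
the Cloudflare ranges, and probes each from 127.0.0.1 (not a Cloudflare IP).
"""
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# A real check fetches the live list; this copy is here so the example runs offline.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip falls inside one of the published Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def probe_origin(origin_ip: str, port: int, hostname: str, timeout: float = 3.0):
    """Send one GET straight to the origin IP with the site's Host header.

    Returns the HTTP status the origin answered with, or None if it refused
    or dropped the connection. A real probe would use HTTPSConnection with
    server_hostname=hostname (SNI); plain HTTP keeps the offline demo simple.
    """
    conn = http.client.HTTPConnection(origin_ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def origin_exposed(origin_ip: str, port: int, hostname: str) -> bool:
    """The warning condition: a non-Cloudflare client gets a real page back."""
    status = probe_origin(origin_ip, port, hostname)
    return status is not None and status < 400


# --- throw-away origins (constructed for the demo) --------------------------

class OpenOrigin(BaseHTTPRequestHandler):
    """Misconfigured origin: answers whoever connects."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"hello from origin\n")

    def log_message(self, *args):  # keep the demo quiet
        pass


class LockedOrigin(OpenOrigin):
    """Origin that only serves requests arriving from Cloudflare edge IPs."""
    def do_GET(self):
        if not is_cloudflare_ip(self.client_address[0]):
            self.send_response(403)
            self.end_headers()
            return
        super().do_GET()


def start_origin(handler) -> HTTPServer:
    """Bind the handler on a free localhost port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Probe both origins from 127.0.0.1 (not a Cloudflare IP); True means exposed."""
    results = {}
    for name, handler in (("open", OpenOrigin), ("locked", LockedOrigin)):
        srv = start_origin(handler)
        ip, port = srv.server_address
        results[name] = origin_exposed(ip, port, "www.example.com")
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for name, exposed in demo().items():
        print(f"{name} origin: {'EXPOSED, warn the customer' if exposed else 'ok'}")
```

Run it and the open origin is reported as exposed while the locked one is not. The IP allowlist in LockedOrigin is the minimum; it still trusts anything that reaches the origin from an edge IP, so pairing it with origin authentication (Cloudflare offers client-certificate based Authenticated Origin Pulls) is the stronger configuration.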
> How could a third party like Cloudflare protect my unprotected IP address?
Simple, they could scan the internet like I explained and notify their customers whose site IP is findable this way with a big scary warning message. They could do this easily and cheaply, but for some reason they don't.
Security tools, when misused or misunderstood, may have security weaknesses.
My house has a lock on the front door. Yet that security can be completely undermined if a teen throws a brick at my window. That isn't the fault of the manufacturer of the lock on my front door.