Hacker News
by 5ESS 1525 days ago
Say that, despite your linked recommendations for hiding the public IP, thousands of customers were under the impression that as long as no one leaked the IP, no one would be able to discover the site. They’re paying you a lot of money for security, yet that security can be completely undermined by a teen with a scanner tool. If there’s thousands of clients paying for anti-DDOS services yet their IP is easily findable, then it’s like…what are they even paying for? On a scale of thousands this probably adds up to a large sum of money…Money paid for pointless services rendered.

As someone on the “buy side” of Cloudflare-like services, that’s not how it works. How could a third party like Cloudflare protect my unprotected IP address? A very basic part of using a CDN/DDOS protection product is not allowing raw traffic to your origin server.

RE “as long as no one leaked their IP” - the IPv4 space is quite small. It’s trivial to scan it and discover unadvertised, but ultimately very public, servers.

If customers don’t already have an understanding of both of these points, then they need to increase their competence in areas that are, frankly, pretty basic.
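The origin-lockdown point in the comment above, as an added example that is not part of the thread: a small audit that flags origin firewall rules admitting web traffic from sources outside the CDN's edge ranges. The rule format, rule ids and CIDR values are constructed (documentation ranges stand in for the provider's published list), and the firewall is assumed to be default-deny.

```python
import ipaddress

# Constructed sample data: documentation ranges standing in for the CDN's
# published edge ranges. Replace with the provider's current list.
CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:100::/48"]
WEB_PORTS = {80, 443}

# Constructed origin firewall rules in a hypothetical format.
SAMPLE_RULES = [
    {"id": "r1", "source": "198.51.100.0/25", "port": 443, "action": "allow"},
    {"id": "r2", "source": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"id": "r3", "source": "203.0.113.0/24", "port": 80, "action": "allow"},
    {"id": "r4", "source": "192.0.2.0/24", "port": 22, "action": "allow"},
    {"id": "r5", "source": "198.51.0.0/16", "port": 80, "action": "allow"},
    {"id": "r6", "source": "::/0", "port": 443, "action": "deny"},
    {"id": "r7", "source": "2001:db8:100:1::/64", "port": 443, "action": "allow"},
]


def covered_by_cdn(source, cdn_networks):
    """True only if the whole source range sits inside one CDN range.

    Conservative on purpose: a supernet of a CDN range (or a range that
    straddles two of them) is reported rather than trusted.
    """
    net = ipaddress.ip_network(source, strict=False)
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return any(net.version == c.version and net.subnet_of(c) for c in cdn_networks)


def audit_origin_rules(rules, cdn_ranges=CDN_RANGES):
    """Return ids of allow rules that expose a web port to non-CDN sources."""
    cdn_networks = [ipaddress.ip_network(c) for c in cdn_ranges]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] not in WEB_PORTS:
            continue  # only web-facing allow rules matter for origin exposure
        if not covered_by_cdn(rule["source"], cdn_networks):
            findings.append(rule["id"])
    return findings


if __name__ == "__main__":
    for rule_id in audit_origin_rules(SAMPLE_RULES):
        print(f"{rule_id}: web port reachable from outside the CDN ranges")
```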

> How could a third party like Cloudflare protect my unprotected IP address?

Simple, they could scan the internet like I explained and notify their customers whose site IP is findable this way with a big scary warning message. They could do this easily and cheaply, but for some reason they don’t.

Well they wouldn’t need to do that, because you’re already pointing them at your IP, right?

Cloudflare are providing the service they say they are, it’s the customer’s fault if they don’t understand basic best practice.

Security tools, when misused or misunderstood, may have security weaknesses.

My house has a lock on the front door. Yet that security can be completely undermined if a teen throws a brick at my window. That isn't the fault of the manufacturer of the lock on my front door.