by whitepoplar 1108 days ago
Isn't it trivial to discover the origin IP and then just hit it directly?
4 comments

You can use Cloudflare tunnel so there's no "origin" exposed.
You deny all, accept <Cloudflare IPs> to the machines actually serving content.
If you set it up correctly, it's not possible.
Depends on the use case, and whether you're shelling out the huge sums for Cloudflare Enterprise. Don't think there are too many cheap options for obfuscation if e.g. you're hosting a game server, which also happens to be one of the most common DDoS targets.
How would you?
One method is to look up what IPs someone owns and try to direct connect to them. Or you can just guess and assume they picked an IP address near the start of the block they have.
That only works for companies that own blocks, though, and assumes a company big enough to own a block won't just drop non-Cloudflare traffic (which is trivial: https://www.stavros.io/posts/block-non-cloudflare-ips-with-u...).
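The "deny all, accept Cloudflare IPs" approach from the comment above, and the ufw post linked here, both come down to a default-deny inbound policy with an allow list of the CDN's published edge ranges. The script below is an added example (not from any commenter or from the linked post) that renders such an allow list into an nftables ruleset: it reads CIDRs on stdin, accepts 80/443 only from those ranges, and drops everything else, which also closes off the "other stuff running on the machine" that a later comment mentions. The ranges embedded here are constructed documentation-prefix placeholders, not Cloudflare's real ranges; the management CIDR passed as `$1` is a hypothetical value chosen by the caller.

```shell
#!/bin/sh
# Added example: render a default-deny nftables ruleset that accepts HTTP/HTTPS
# only from a CDN edge allow list. In production, replace SAMPLE_RANGES with the
# list fetched from https://www.cloudflare.com/ips-v4 (and ips-v6 into a second
# ipv6_addr set) and re-run on a schedule, since the published ranges change.

# Constructed placeholder ranges (RFC 5737 documentation prefixes), NOT the
# real Cloudflare ranges.
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24
203.0.113.0/24'

# gen_ruleset: read one CIDR per line on stdin and print an nftables ruleset.
#   $1 = management CIDR allowed to reach SSH (hypothetical, caller-supplied).
# Policy is drop, so any service not explicitly listed is unreachable from
# outside regardless of whether it sits behind the CDN.
gen_ruleset() {
  mgmt="$1"
  # Join the CIDRs into nft set syntax: "a, b, c"
  elements=$(tr '\n' ',' | sed 's/,$//; s/,/, /g')
  cat <<EOF
table inet cdn_only {
  set cdn_edges {
    type ipv4_addr
    flags interval
    elements = { $elements }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    ip saddr $mgmt tcp dport 22 accept
    ip saddr @cdn_edges tcp dport { 80, 443 } accept
  }
}
EOF
}

# count_allowed: sanity check helper, returns the number of CIDRs in the set.
count_allowed() {
  grep 'elements = ' | tr ',' '\n' | wc -l | tr -d ' '
}

# Stand-alone usage: print the ruleset for the sample list. Before loading with
# "nft -f", validate syntax offline with "nft -c -f <file>".
printf '%s\n' "$SAMPLE_RANGES" | gen_ruleset "${MGMT_CIDR:-10.0.0.0/8}"
```

Load the output with `nft -f` only after `nft -c -f` accepts it, and keep the refresh job that regenerates the list: an origin that still trusts a range the CDN has retired, or that has not learned a new one, will either leak or drop legitimate edge traffic.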
> assumes a company big enough to own a block

You don't have to be a big company to own a block. An IPv4 block is <$10k and the price is on a downtrend now that COVID is over. It is risky as a site if you don't own your IP block, because false abuse complaints can be sent to the ASN you are renting an IP from and can result in downtime. If you own the IP, the abuse reports for it go to you to handle.

> won't just drop non-Cloudflare traffic

Not all sites do this. Also, they likely have other stuff running on the machines that is accessible without Cloudflare.