[chimeracoder]

> so even if they redirected traffic through Cloudflare, the attacker could still find their direct servers fairly easily and attack that IP.

Why would it be easier for the attacker to find their direct servers if they only have a /23 - doesn't Cloudflare obscure the identity/location/IP of the server on the other side?

[timdorr]

It's only 512 addresses, so the attacker can just switch between different IPs until service degrades and keep on that address. Also, it's likely their rack/cage has a limited amount of bandwidth compared to the whole datacenter, so they can just send traffic to that range and overload the switch.