by yetanotherHNacc 4279 days ago
It is because many DDoS websites sitting behind Cloudflare are FBI run. See titaniumstresser[0] as an example. One of their sub-domain's IP address is allocated to the FBI[1]. Seems like the longest lasting sites peddling stolen info, child pornography, or malicious services are all run by feds.

Hostname: direct.titaniumstresser.net
IP Address: 153.31.25.12
Organization: FBI Criminal Justice Information Systems

[0] http://titaniumstresser.net/

[1] http://direct.titaniumstresser.net.ipaddress.com/

3 comments

LOL, that's just so someone (of a rival group) who tries to get their real IP address (to DDoS them), finds that subdomain, and doesn't look closely, and goes to DDoS the FBI.

Correct.

Many automated scripts script kiddies use to DDoS will do a basic check for subdomains like "direct.domain.com" and "direct-connect.domain.com" if the target domain is behind Cloudflare, and the scripts are naive and immediately assume that's the server's real IP.

Setting it to the IP of a site they dislike is also a popular choice.

That's not how you think it works. You can point domains you own at any IP you like.
I could point my personal domain at the FBI in 3 seconds if I felt like it, completely legal and commonplace.