Cloudflare DDoS Protection Can Be Bypassed Using Cloudflare Itself
Researchers from Certitude have discovered that Cloudflare’s firewall and DDoS protection can be bypassed by attacking other users from within the platform itself. The issue arises from the shared infrastructure accessible to all tenants, which allows attackers to target Cloudflare customers through Cloudflare’s own systems.
Two Main Vulnerabilities Identified
The experts identified two issues affecting the Cloudflare Authenticated Origin Pulls feature and the Allowlist Cloudflare IP Addresses feature.
1. Authenticated Origin Pulls
Authenticated Origin Pulls is a Cloudflare security feature that ensures HTTP(S) requests sent to the origin server come through Cloudflare and not from a malicious actor. When setting up this feature, clients can upload their own certificates via API or generate them through Cloudflare, which is the simplest method.
Once configured, Cloudflare uses SSL/TLS certificates to authenticate all HTTP(S) requests between its reverse proxy servers and the client’s origin server, preventing unauthorized access to the site.
However, as the researchers explain, attackers can bypass this protection because Cloudflare uses a shared certificate for all clients, rather than an individual certificate for each tenant. As a result, the origin server accepts any connection that originates from Cloudflare, regardless of which tenant's zone the request came through.
“An attacker can create their own domain on Cloudflare and set the victim’s IP address as the A record in DNS. Then, they can disable all security features for this domain in their tenant and launch an attack through Cloudflare’s infrastructure. This approach allows attackers to bypass the victim’s security measures,” Certitude explained.
In other words, attackers with a Cloudflare account can direct malicious traffic at other Cloudflare customers or route their attacks through the company’s infrastructure.
According to the experts, the only way to protect against this is to use custom certificates instead of Cloudflare’s default certificates.
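To make the root cause concrete, here is an added Go example (not Certitude's or Cloudflare's code) that models the origin's client-certificate check against two constructed CAs: a shared one that every tenant's proxy certificate chains to, and one private to the victim. The CA names, certificates and the "attacker tenant" are constructed stand-ins; the only real mechanism is standard X.509 chain verification, which is what an origin does when it validates the certificate Cloudflare presents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; acceptable in a self-contained demo, not in production code.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue builds a client-auth certificate for cn: a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root CA that may sign further certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// originAccepts models the origin's Authenticated Origin Pull check: the presented cert must chain to trustedCA.
func originAccepts(trustedCA, presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenario: the attacker tenant's proxy presents a cert from the shared CA (constructed), the victim's own
// tenant presents one from the victim's private CA. Returns what each trust anchor lets through.
func Scenario() (sharedTrustsAttacker, ownTrustsAttacker, ownTrustsVictim bool) {
	sharedCA, sharedKey := issue("shared-ca (constructed)", nil, nil)
	victimCA, victimKey := issue("victim-ca (constructed)", nil, nil)
	attackerLeaf, _ := issue("attacker-tenant-proxy", sharedCA, sharedKey)
	victimLeaf, _ := issue("victim-tenant-proxy", victimCA, victimKey)
	return originAccepts(sharedCA, attackerLeaf), originAccepts(victimCA, attackerLeaf), originAccepts(victimCA, victimLeaf)
}
```

The first result is true and the second false: an origin trusting the shared CA cannot tell tenants apart, while one trusting only its own CA rejects the other tenant's connection and still accepts its own.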
2. Allowlist Cloudflare IP Addresses
The second issue involves the Allowlist Cloudflare IP Addresses security feature, which allows only traffic originating from Cloudflare IP addresses to reach clients’ origin servers.
In this case, an attacker can also create a domain on Cloudflare and set the victim’s IP address as the A record. The attacker then disables all security features for the domain and sends malicious traffic through Cloudflare’s infrastructure, which, from the victim’s perspective, appears to be trusted and therefore allowed.
To defend against such attacks, researchers recommend using Cloudflare Aegis (if possible) to define a more precise range of IP addresses allocated to each client.
Cloudflare’s Response
The experts note that they notified Cloudflare’s developers of their findings back in March 2023 through the bug bounty program. However, the report was closed as “informative,” and the company has not taken any further action.