Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You do not get attacked from Cloudflare with TCP attacks. Somebody is spoofing the IP header and make it seem like Cloudflare is DDoSing you.

The only way for somebody to DDoS from Cloudflare would be using workers, however, this isn't practical as workers have a very limited IP Range.



The reason people do this, by the way, is because it's common if you're hosting via CF to whitelist their IPs and block the rest. This allows their SYN flood to bypass that.


I run a fairly popular service and have received DDoS attacks from Cloudflare's IP range (~20gbps). I can confirm they respond to SYN+ACK with an ACK to complete the TCP handshake. Through some investigating it seems like a botnet using Cloudflare WARP (their VPN service).


Why are you assuming amplification attacks aren't a thing?

I think you're probably right about the spoofing but it comes off a little dismissive when the possibility of a site that queries other sites, could be tricked into doing something it shouldn't, is always going to be in the realm of a possibility.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: