Quick post here. If you’re using something like Cloudflare for the sole purpose of mitigating a distributed denial of service attack (DDoS), please be smart with your DNS records.
I have a lot of respect for Cloudflare as a service. They use a combination of anycast + cache header injection + using their own Content Delivery Network (CDN) for static files (JS, CSS, images, etc).
If you are using this service as a frontend to mitigate a DDoS please mind your DNS records. Putting your site behind cloudflare, and changing your actual origin server ip could very easily mitigate a DDoS and keep your site online. However, it does no good if someone knows your “real ip” / “origin ip”.
How would the attacker be able to figure this out? Well, if you want to stop a hacker, start thinking like one. The first thing I would do is query common subdomain records for your domain.
for sub in mail cpanel dev staging real direct web1 web2 web3 db1 db2 db3; do dig +short "$sub".some-domain-behind-cloudflare.com done
Oops! You may have forgotten to remove a DNS record that exposes the “real ip” / “origin ip”. So keep this in mind. Delete those records if you don’t use them. If you do need an A record that points directly to the server, consider handling this at the server level, or at least creating a less “guessable” subdomain, ie:
oL7Vic67ZKvDDRMbHKRQ8Bk69HtchM4q.some-domain-behind-cloudflare.com that points to the real ip.
Security via obscurity is never the right solution, but it’s better than nothing sometimes.