Origin Server IP From Cloudflare

There are two methods you can use to "unmask" the origin server IP address of a cloudflare'd website. I have used both to some success, if one fails then try the other.

Method One

Lets say the website example.com is cloudflare'd, and they are hosting material that may be illegal or fraudulent, or a phishing site, and we want to send a report to their host to have them taken offline. Cloudflare will not remove a site from their service, you must contact the actual host that serves the site.

Depending on the configuration of the site on cloudflare, you can simply ping the default pass-though address direct.example.com. If that subdomain doesn't exist, then try a second subdomain that I discovered cloudflare occasionally creates automatically and is not listed on the dns page of the cloudflare control panel: direct-connect.example.com.

Example app for doing this automatically in autoit...

#include <guiconstantsex.au3>

$gui = GUICreate("Cloudflare Server IP - Brad @ Pingturtle.com", 260,80,-1,-1)
GUICtrlCreateLabel("Enter domain using Cloudflare below.",45,5)
$domain = GUICtrlCreateInput("",40,20,-1,-1)
$go = GUICtrlCreateButton("Go!",80,45,100)

While 1
	$msg = GUIGetMsg()
	Switch $msg
		Case $gui_event_close
		Case $go

Func getip($name)
	If $name = "" Then Return
	$ip = TCPNameToIP("direct-connect."&$name)
	If @error Then
		$ip = TCPNameToIP("direct."&$name)
		If @error Then
			MsgBox(16,"","Could not get an IP for this domain. Sorry!")

Method Two

If method one didn't work for you, method two will. Simply send an email to abuse@cloudflare.com, state the domain of the site in question, and ask them for the origin server IP address so that you can contact the host. They will reject your request if you don't have a valid reason, such as suspecting fraud or illegal material. Also note, if they grant your request and release the origin server IP to you, the cloudflare abuse department will send an email to the cloudflare account owner who owns the domain being reported and forward them your request for the origin server IP, along with your email address to let them know that the origin server IP has been handed out.

Posted 1/30/2012 by Brad