It's trivial to determine the real IP of a Mastodon server behind Cloudflare. All it takes is one well-crafted request:

https://gist.github.com/cutiful/4f36da3ed37b24f9a7106064393f5e7f

I wonder how many instance admins using Cloudflare know about this? My hunch is most do not, because the primary justification I see for using Cloudflare here is DDoS protection.

Cloudflare won't help if the attacker knows your origin IP, and you can't hide that with Cloudflare alone, due to the nature of ActivityPub.

#MastoAdmin #InfoSec
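An added self-check for admins, not code from the post above or from the linked gist: an ActivityPub server makes its own outbound HTTP fetches (WebFinger lookups, actor and status fetches, link previews), and those leave from the server's egress address, not through Cloudflare, which only fronts inbound traffic. If you host a URL, make your own instance fetch it and log the request, the source address of that request is what any remote party can see. The script below parses such a log, pulls the instance hostname out of Mastodon's User-Agent string (format `http.rb/x.y.z (Mastodon/a.b.c; +https://host/)`), and compares the egress address with the addresses the hostname resolves to publicly. The log lines and the hostname-to-public-IP mapping are constructed for the example; in practice you would take them from your own listener and from DNS.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of what a small HTTP listener on a host you control might
# log when Mastodon instances fetch a URL from it. Addresses and hostnames are
# made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:12:00:00 +0000] "GET /probe/abc123 HTTP/1.1" 200 0 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://fedi.example/)"
198.51.100.7 - - [01/Jan/2024:12:00:02 +0000] "GET /probe/def456 HTTP/1.1" 200 0 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://other.example/)"
192.0.2.44 - - [01/Jan/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Constructed: the addresses each hostname resolves to publicly, i.e. what a
# client connecting to the instance sees. For a Cloudflare-fronted instance
# these are Cloudflare's addresses, never the origin.
PUBLIC_FRONT_IPS = {
    "fedi.example": {"104.16.1.1", "104.16.1.2"},   # fronted by a reverse proxy
    "other.example": {"198.51.100.7"},              # not fronted: origin serves directly
}

# Common/combined log format: source address first, User-Agent as the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<ua>[^"]*)"$')
# Mastodon identifies itself and its own public URL in the User-Agent.
MASTODON_UA_RE = re.compile(
    r'Mastodon/(?P<version>[^;\s]+);\s*\+https?://(?P<host>[^/\s]+)/?'
)


@dataclass(frozen=True)
class Fetch:
    source_ip: str      # address the instance's outbound request came from
    instance_host: str  # hostname the instance claims in its User-Agent
    version: str


def parse_fetches(log_text):
    """Extract (egress IP, instance host) pairs for every Mastodon fetch in the log."""
    fetches = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("ip"))  # skip malformed source fields
        except ValueError:
            continue
        ua = MASTODON_UA_RE.search(m.group("ua"))
        if not ua:
            continue  # browsers, crawlers, other software: not what we are checking
        fetches.append(Fetch(m.group("ip"), ua.group("host").lower(), ua.group("version")))
    return fetches


def classify(fetch, public_ips):
    """Compare the egress address with the instance's public front addresses.

    'direct'  : egress address is one the hostname resolves to; nothing is fronted,
                so nothing was hidden to begin with.
    'exposed' : egress address differs from the public front. That address is the
                server's real egress (its origin unless the admin routes outbound
                traffic through a separate proxy), reachable regardless of Cloudflare.
    'unknown' : no DNS data for this host.
    """
    fronts = public_ips.get(fetch.instance_host)
    if fronts is None:
        return "unknown"
    if fetch.source_ip in fronts:
        return "direct"
    return "exposed"


def report(log_text, public_ips):
    """Map each observed instance to (egress IP, classification)."""
    return {f.instance_host: (f.source_ip, classify(f, public_ips))
            for f in parse_fetches(log_text)}


if __name__ == "__main__":
    for host, (ip, status) in report(SAMPLE_LOG, PUBLIC_FRONT_IPS).items():
        print(f"{host}: fetched from {ip} -> {status}")
```

An 'exposed' result for your own instance means the address in the log is what an attacker would aim a flood at, bypassing Cloudflare entirely; fronting the inbound side does nothing about it, which is the point the post makes. The only way the egress address stops being the origin is to send the instance's outbound requests through a separate proxy or NAT address.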