Security News > 2023 > September > Cloudflare DDoS protections ironically bypassed using Cloudflare
Cloudflare's Firewall and DDoS prevention can be bypassed through a specific attack process that leverages logic flaws in cross-tenant security controls.
Specifically, the analyst identified two vulnerabilities in the system impacting Cloudflare's "Authenticated Origin Pulls" and "Allowlist Cloudflare IP Addresses."
Authenticated Origin Pulls is a security feature provided by Cloudflare to ensure that HTTP(s) requests sent to an origin server come through Cloudflare and not from an attacker.
As Proksch explains, attackers can bypass this protection as Cloudflare uses a shared certificate for all customers instead of a tenant-specific one, causing all connections originating from Cloudflare to be permitted.
The problem arising from this logic gap is that attackers with a Cloudflare account can direct malicious traffic to other Cloudflare clients or route their attacks through the company's infrastructure.
The second issue impacts Cloudflare's Allowlist Cloudflare IP addresses, a security measure that only allows traffic originating from Cloudflare's IP address range to reach clients' origin servers.