Correlating Ownership of Sites Protected by Cloudflare


James Motherway


Date: 2024-09-07    Status: Published

Cloudflare acts as a reverse proxy which allows it to provide content delivery network (CDN), web application firewall (WAF), and other services. The company offers a generous free tier, and so it is commonly used by threat actors to obfuscate their true origin server.

This obfuscation is effective when implemented correctly. However, even in the absence of misconfiguration, one can still assess whether multiple sites are likely owned by the same account.

Cloudflare also provides authoritative DNS and registrar services. The ability to correlate account ownership is due to a specific pattern in how nameservers are assigned to accounts. Across all accounts I've administered or investigated, the same pair of nameservers were assigned to all domains in an account.

Currently, Cloudflare manages the zones for both jamesmotherway.com and jmotherway.com. We can use a tool like dig to demonstrate this behavior:

dig -t ns jamesmotherway.com +noall +short
isla.ns.cloudflare.com.
dave.ns.cloudflare.com.

dig -t ns jmotherway.com +noall +short
isla.ns.cloudflare.com.
dave.ns.cloudflare.com.

In 2013, Cloudflare had 101 nameservers split into two groups: one with 50 servers and another with 51. That could result in accounts receiving any one of 2,550 possible nameserver pairings.[1] Recent (unverified) sources suggest there are as many as 900 total nameservers.[2] Assuming this list is split evenly into two groups from which nameservers are assigned, that would result in 202,500 possible combinations.

If you find yourself investigating a cluster of sites with the same Cloudflare nameservers, it's highly likely that they are owned by the same account.

Bonus: Cloudflare's registrar provides WHOIS redaction; however, registrations for .com and other domains still often reveal the registrant's state and country. As this can be falsified by a threat actor or changed on a per-domain basis, it's not exactly a smoking gun. With that being said, the default behavior is to apply the same registrant information for all domains in the account. See below:

whois jamesmotherway.com | grep "Registrant State"
Registrant State/Province: MA

whois jmotherway.com | grep "Registrant State"
Registrant State/Province: MA
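The two checks above (matching Cloudflare nameserver pair, then registrant state as a weaker secondary signal) are easy to run by hand on two domains, but an investigator usually has a list. The following is an added example, not code from the original post: it parses the same `dig +short` and `whois | grep` output shapes shown above, groups domains by their normalized nameserver pair (order-independent, since dig does not return the two servers in a stable order), ignores zones not delegated to Cloudflare, and then reports whether the registrant state is consistent inside each cluster. The dig and whois outputs are constructed sample strings embedded inline so it runs offline; the two real domains mirror the post, and the `.test` domains and their nameserver names are invented.

```python
"""Cluster domains by Cloudflare nameserver pair, using registrant state as a
secondary signal. Added example; sample data below is constructed, not live."""
from collections import defaultdict

# Constructed stand-in for `dig -t ns <domain> +noall +short` output. The first
# two entries mirror the post; the .test domains and their nameservers are invented.
DIG_NS_OUTPUT = {
    "jamesmotherway.com": "isla.ns.cloudflare.com.\ndave.ns.cloudflare.com.\n",
    "jmotherway.com": "dave.ns.cloudflare.com.\nisla.ns.cloudflare.com.\n",
    "example-a.test": "ada.ns.cloudflare.com.\nben.ns.cloudflare.com.\n",
    "example-b.test": "ben.ns.cloudflare.com.\nada.ns.cloudflare.com.\n",
    "example-c.test": "ns1.some-other-dns.test.\nns2.some-other-dns.test.\n",
}

# Constructed stand-in for `whois <domain> | grep "Registrant State"`.
WHOIS_STATE = {
    "jamesmotherway.com": "Registrant State/Province: MA",
    "jmotherway.com": "Registrant State/Province: MA",
    "example-a.test": "Registrant State/Province: CA",
    "example-b.test": "Registrant State/Province: TX",
    "example-c.test": "Registrant State/Province: MA",
}

CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"


def parse_dig_short(output: str) -> frozenset:
    """Turn dig +short NS lines into an order-independent set of hostnames.
    Lowercases and strips the trailing dot so 'Isla.ns.cloudflare.com.' and
    'isla.ns.cloudflare.com' compare equal."""
    hosts = set()
    for line in output.splitlines():
        host = line.strip().lower().rstrip(".")
        if host:
            hosts.add(host)
    return frozenset(hosts)


def is_cloudflare_pair(pair: frozenset) -> bool:
    """The correlation only means anything for zones delegated to Cloudflare."""
    return len(pair) == 2 and all(h.endswith(CLOUDFLARE_NS_SUFFIX) for h in pair)


def cluster_by_nameservers(dig_outputs: dict) -> dict:
    """Group domains sharing the same Cloudflare nameserver pair; drop singletons."""
    clusters = defaultdict(list)
    for domain, output in dig_outputs.items():
        pair = parse_dig_short(output)
        if is_cloudflare_pair(pair):
            clusters[pair].append(domain)
    return {pair: sorted(ds) for pair, ds in clusters.items() if len(ds) > 1}


def parse_registrant_state(line: str):
    """Extract 'MA' from 'Registrant State/Province: MA'; None if absent."""
    _, _, value = line.partition(":")
    return value.strip() or None


def correlate(dig_outputs: dict, whois_lines: dict) -> list:
    """Build a per-cluster report. A shared nameserver pair is the primary
    signal; a consistent registrant state only strengthens it, and an
    inconsistent one does not rule out shared ownership (it can be changed
    per domain, as the post notes)."""
    report = []
    for pair, domains in cluster_by_nameservers(dig_outputs).items():
        states = {parse_registrant_state(whois_lines.get(d, "")) for d in domains}
        states.discard(None)
        report.append({
            "nameservers": sorted(pair),
            "domains": domains,
            "registrant_states": sorted(states),
            "state_consistent": len(states) == 1,
        })
    report.sort(key=lambda r: r["nameservers"])
    return report


if __name__ == "__main__":
    for entry in correlate(DIG_NS_OUTPUT, WHOIS_STATE):
        print(", ".join(entry["nameservers"]))
        print("  domains:", ", ".join(entry["domains"]))
        print("  registrant states:", entry["registrant_states"],
              "(consistent)" if entry["state_consistent"] else "(inconsistent)")
```

To run it against live data, replace the two dictionaries with the captured output of the dig and whois commands shown above for each domain in your list; the parsing and clustering logic does not change. Note that the `.test` cluster is still reported even though its registrant states differ: the nameserver pair is the primary signal, and the state mismatch is only flagged, not used to discard the cluster.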

Happy hunting! For the particularly inspired reader, my account has several domains associated with it. One has an interesting history, and I'll even give you a hint:

"X marks the spot"

Questions, comments, or want someone to yell at? Contact me.

[1] What's the story behind the names of CloudFlare's name servers? (blog.cloudflare.com)
[2] cloudflare-names.txt (github.com/indianajson)