Uncovering bad guys hiding behind CloudFlare

We believe in privacy for passive users of the web. But publishers on the web, as opposed to passive users who merely read pages, should be accountable. All CloudFlare customers are publishers, and many use CloudFlare because it encourages them to hide their original IP address. When they receive abuse complaints, CloudFlare resorts to diversions to pretend that they are acting responsibly — assuming that they respond at all. A refusal to embrace web accountability leads to cybercrime. That's why we use the term "CrimeFlare" to describe this company.

There are sites on the web that specialize in collecting registration and nameserver data. Several are serious research sites, while the rest are sites claiming that various domain names are worth big bucks in potential ad revenue, based on their traffic. CloudFlare maintains around 391 nameservers, and customers must change the nameservers on their registration in order to use most services. Each customer's domain is assigned two nameservers. This makes it easier to verify which domains depend on CloudFlare, and helps us keep our domain lists relatively current.

Some domains ( 3,413,274 ) that recently used CloudFlare

In our zip files, if the direct-connect lookup failed, the domain is not shown with an IP address and country, but is saved with its two CloudFlare nameservers and rechecked the next time around. The current direct-connect count is 1,833,326. Our data is cumulatively updated every three weeks. Here is a 20.59MB zip file of the domains with IP addresses that you can download and unzip. By scanning this file for specific IP addresses or netblocks, researchers sometimes discover clues about who is hiding behind CloudFlare.

IP addresses may be current, or they may have been current as long ago as August 2012. Enter a domain in the search box below to see our IP address lookups. If the direct-connect fetch done by the search below is unsuccessful or inconclusive, this means that further research is needed to discover whether an IP address is still valid.

A second 23.55MB zip file lists all domains in our database, sorted by paired nameservers. Researchers use this to find additional domains on a single CloudFlare account, thereby developing more clues. A specific pair of nameservers yields a maximum of a few hundred domains from this list, making it possible to scan manually.

Domains that stop using CloudFlare nameservers are purged from the zip files within three weeks. Our filtering may also discard domains that are more annoying than interesting. One customer has 108,050 domains on a single account. These mostly dot-com domains all use "frank" and "kate" for their two nameservers, and point to a template page hosted at Amazon Web Services. After the first click on any template, Google Adsense links pop up on the same page — send in the clickbots! To put it mildly, CloudFlare attracts a huge amount of junk. Sometimes we get tired of processing it, and take out loads of trash by using various programs we've developed. But no matter what we do, most of it gets past our filtering. We suspect that a higher power is opposing us.

If you find a listing that interests you, or if you know of a domain that uses CloudFlare but is not listed, enter that domain in the search box. Several lookups will be done to see if a direct-connect IP address can be found. If so, a final test will try to fetch a page from that address. If that works, it will show the title from that page.

Enter a domain:            

home page