Uncovering bad guys hiding behind CloudFlare
by Daniel Brandt
PIR founder and president

CloudFlare-Watch, a project of Public Information Research, follows in the footsteps of other PIR projects. NameBase has been on the Internet since 1995. Google-Watch began in 2002 when no one else was criticizing Google. Scroogle started in 2005 and lasted until Google began throttling our servers in 2012.

At PIR we believe in privacy for passive users of the web (this is what Scroogle provided). But publishers on the web, as opposed to passive users who merely read pages, should be accountable. All CloudFlare customers are publishers, and many use CloudFlare because it encourages them to hide their original IP address. When they receive abuse complaints, CloudFlare resorts to diversions to pretend that they are acting responsibly — assuming that they respond at all. A refusal to embrace web accountability leads to cybercrime. That's why we use the term "CrimeFlare" to describe this company.

There are sites on the web that specialize in collecting registration and nameserver data. Several are serious research sites, while the rest are sites claiming that various domain names are worth big bucks in potential ad revenue, based on their traffic. CloudFlare maintains around 391 nameservers, and customers must change the nameservers on their registration in order to use most services. Each customer's domain is assigned two nameservers. This makes it easier to verify which domains depend on CloudFlare, and helps us keep our domain lists relatively current.

Since customers can fiddle with their nameserver records on CloudFlare's control panel, there is a huge amount of churn happening behind any research about domains that use CloudFlare. If connectivity seems intermittent, for example, a customer might set his control panel to bypass CloudFlare temporarily. CloudFlare does not handle email, and some customers need a special MX record for email. Subdomains are another source of confusion, as these records must be listed a certain way to keep them hidden. If the customer isn't careful, a "direct-connect" IP address might be publicly visible, and persist until the customer takes steps to keep it hidden.

Some domains ( 2,927,742 ) that recently used CloudFlare

In our zip files, if the direct-connect lookup failed, the domain is not shown with an IP address and country, but is saved with its two CloudFlare nameservers and rechecked the next time around. The current direct-connect count is 1,626,378. Our data is cumulatively updated every three weeks. Here is a 18.11MB zip file of the domains with IP addresses that you can download and unzip. By scanning this file for specific IP addresses or netblocks, researchers sometimes discover clues about who is hiding behind CloudFlare.

IP addresses may be current, or they may have been current as long ago as August 2012. Enter a domain in the search box below to see our IP address lookups. If the direct-connect fetch done by the search below is unsuccessful or inconclusive, this means that further research is needed to discover whether an IP address is still valid.

A second 20.01MB zip file lists all domains in our database, sorted by paired nameservers. Researchers use this to find additional domains on a single CloudFlare account, thereby developing more clues. A specific pair of nameservers yields a maximum of a few hundred domains from this list, making it possible to scan manually.

Domains that stop using CloudFlare nameservers are purged from the zip files within three weeks. Our filtering also discards CloudFlare-user domains that are more annoying than interesting. For example, one customer has 103,900 domains on a single account. These dot-com domains all use "frank" and "kate" for nameservers, and point to a template page hosted at Amazon Web Services. After the first click on any template, Google Adsense links pop up on the same page — send in the clickbots! To put it mildly, CloudFlare attracts a huge amount of junk. Much of it gets past our filtering because we lack the resources to dig deeper.

If you find a listing that interests you, or if you know of a domain that uses CloudFlare but is not listed, enter that domain in the search box. Several lookups will be done to see if a direct-connect IP address can be found. If so, a final test will try to fetch a page from that address. If that works, it will show the title from that page.

Enter a domain:            

It costs $22 USD a day to keep CloudFlare Watch online with updated domain listings. Since January 1, 2014 we have received $11746 in donations, while our budget requires $20614 for the same period. Donations are tax-deductible.    ( This box is updated daily. )


home page