Allowing only Cloudflare IPs for ports 80/443 (e.g. in nginx) is easy, and the server can still be used for other purposes without Cloudflare. Other services can use different domains; it would be hard to find out the server IP this way.
IPv4 space is far too small not to use this. Oftentimes, if an attacker has determined your provider in the past, they may be able to leverage that information and scan only nearby ranges.
Other common anti-DDoS proxy bypass tactics:
- direct.* subdomain used to be used by default on CloudFlare for a direct route to the server
- Check headers in outgoing emails for an origin IP (this one gets way too many sites)
- CloudFlare only recently got websocket support - check if their websocket servers are secured or not
- Check for an MX record
- Use DNS bruteforcing tools to attempt to find other services
We don't change the IPs often and we always update the list well before they are ever used (typically months before). The last update was two years ago. I'm sorry if you had a problem.
I remember being affected by this too a few years ago. It's not something I thought to check and update often. I was disappointed that I was never emailed or otherwise notified by the change.
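The nginx allowlisting from the first comment and the stale-range problem from the last two, as an added example (not from any commenter or from Cloudflare): it parses a published range list, diffs it against what is deployed so a change is noticed rather than discovered when requests start failing, renders the nginx `allow`/`deny` snippet, and checks a client address the way nginx would. The CIDRs below are constructed documentation ranges, not Cloudflare's real ones; fetching the live list (Cloudflare publishes it on its website) is left to the operator.

```python
import ipaddress
from typing import Iterable

# Constructed sample lists (RFC 5737/3849 documentation ranges, not Cloudflare's):
# the allowlist currently deployed and a newer published list in which
# one range was retired and one was added.
DEPLOYED = """
198.51.100.0/24
203.0.113.0/24
2001:db8:1::/48
"""
PUBLISHED = """
198.51.100.0/24
192.0.2.0/24
2001:db8:1::/48
"""

def parse_ranges(text: str) -> set:
    """Parse one CIDR per line (blank lines and # comments ignored) into network objects."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=True))
    return nets

def diff_ranges(deployed: set, published: set) -> tuple:
    """Return (added, removed) so the operator can be alerted before old ranges stop being used."""
    return sorted(map(str, published - deployed)), sorted(map(str, deployed - published))

def render_nginx_allowlist(nets: Iterable) -> str:
    """Emit an nginx snippet: allow each proxy range, deny everyone else.
    Meant to be include'd in the server {} block that the proxy fronts on 80/443."""
    lines = ["# generated: only the CDN/proxy ranges may reach this vhost"]
    lines += [f"allow {net};" for net in sorted(nets, key=lambda n: (n.version, n))]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"

def is_allowed(client_ip: str, nets: Iterable) -> bool:
    """The same decision nginx makes, for testing a list before deploying it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets if net.version == addr.version)

if __name__ == "__main__":
    old, new = parse_ranges(DEPLOYED), parse_ranges(PUBLISHED)
    added, removed = diff_ranges(old, new)
    if added or removed:
        print(f"allowlist changed: +{added} -{removed}; redeploy before the old ranges go dark")
    print(render_nginx_allowlist(new))
```

Run it from cron against the freshly fetched list and page on any non-empty diff; the snippet alone does not stop an attacker who already knows the origin IP from reaching other ports, which is why the thread's other hints (mail headers, MX, stray subdomains) still matter.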