I get asked this question a lot so I thought I'd finally publish my response here for the sake of everyone. Cloudflare is the name of a company who provide DDoS protection to websites. They do this by basically filtering out the attack traffic from legitimate traffic so your site remains unaffected. They do this by inserting a proxy between your website and the people viewing your website. This means Cloudflare can now direct traffic towards or away from your website when its system detects a need to.

Cloudflare by all standards is awesome. They have a free lifetime package, speeds up your website, adds a level of anonymity to your website and reduces latency. Unfortunately those are very attractive features to criminals for this reason many security researchers get stuck in a dead end tracking criminals when the lead they was following is using Cloudflare. I have produced this basic guide to help get over these hurdles, legally.


If the website you're trying to track allows for upload from URL you can get the server behind cloudflare to reveal itself. The most common situation when a website allows update from url is forums for profile avatars or cat GIF's (obviously cat gifs are the best). Instead of entering a url that leads to an image for the site to download you can instead insert a link that directly logs IP addresses. My favourite is most likely grabify.link just because its at the top of a google search. Once you enter the URL you will see the log with the respective IP of the target websites "true" IP.