
How to Find the Real IP Behind Cloudflare? Technical Guide

RuuSafe Technical Team | April 6, 2026 | 8 min read | 1,245 words

Looking at the fake booking sites that have been multiplying in the Turkish hospitality sector, the vast majority turn out to be hosted behind Cloudflare's CDN (Content Delivery Network). That choice is no coincidence: Cloudflare hides the origin server's IP address, which makes takedown (removal) considerably harder.

When we analyzed hundreds of fake hotel sites, most of them were behind Cloudflare. This protective layer is not impenetrable, but it cannot be seen through without the right methods.

How Does Cloudflare Work?

Cloudflare works as a reverse proxy. Every request to the site first reaches a Cloudflare edge server, which forwards it to the real (origin) web server; the response travels back to the user through Cloudflare the same way.

In this setup the visitor only ever sees Cloudflare's IP address; the origin server's IP is masked. Masked, however, does not mean gone. Ask the right questions and the real IP leaks from many places. For a detailed analysis of how fake sites behave behind Cloudflare, see our cloudflare-arkasindaki-sahte-siteleri-tespit-etme article.

Method 1: Subdomain Leakage

This is the most common leak and the easiest to find. Even when the main domain is proxied, the subdomains used for email are usually "DNS only" records that point straight at the server's IP.

A DNS query for a name like "mail.fakehotel.com" or "smtp.fakehotel.com" returns the real address in most cases. The reason is technical: Cloudflare's reverse proxy handles HTTP(S), not SMTP, so mail hostnames must resolve to the actual mail server, and on cheap shared hosting that is often the same machine as the web server. Check the domain's MX record as well and resolve the host it names; then compare every answer against Cloudflare's published IP ranges, because an address outside those ranges is a candidate origin.

In one fake site from our research, the main domain was behind Cloudflare while the "info." subdomain pointed straight at an IP address in Ukraine. That IP hosted dozens of other fake hotel sites.

Method 2: DNS Historical Records

Most fake sites go live without Cloudflare and move behind the CDN only later, when detection becomes a risk. The DNS records from before that move survive in archives.

Passive-DNS services such as SecurityTrails and ViewDNS.info store which IP addresses a domain has pointed to over time. The IP a fake site used before moving behind Cloudflare is often still visible there.

These historical records are critically important for revealing the hosting infrastructure behind fake sites. A historical IP may have been reassigned since, so confirm it still serves the site by sending a request to that address with the domain in the Host header. Once an IP is confirmed, a reverse-IP lookup lists the other sites hosted on it, and with them the rest of the operator's fake domains.
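The two DNS checks above (Method 1's subdomain probe and Method 2's history filter) share one step: deciding whether an address belongs to Cloudflare's edge or is a candidate origin. The script below is an added example, not RuuSafe's tool or code from this article. The domain, addresses and history records are constructed sample data; the Cloudflare range list is a snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and should be refreshed from that URL before real use.

```python
"""Added example: classify DNS answers as Cloudflare edge vs. candidate origin,
probe subdomains that are commonly left "DNS only", and filter a passive-DNS
history down to the addresses used before the move behind Cloudflare."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh
# from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Labels that operators frequently leave unproxied (assumed list, extend freely).
COMMON_SUBDOMAINS = ("mail", "smtp", "webmail", "pop", "imap", "ftp",
                     "cpanel", "info", "dev", "staging", "direct")

Resolver = Callable[[str], List[str]]


def is_cloudflare(ip: str) -> bool:
    """True when the address sits inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def stdlib_resolver(name: str) -> List[str]:
    """Real A-record lookup through the system resolver (network; not used in the sample run)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def find_origin_candidates(domain: str, resolve: Resolver,
                           subdomains: Iterable[str] = COMMON_SUBDOMAINS) -> Dict[str, List[str]]:
    """Return {hostname: [non-Cloudflare IPs]} for the apex and every probed subdomain that leaks."""
    leaks: Dict[str, List[str]] = {}
    for label in ("",) + tuple(subdomains):
        host = f"{label}.{domain}" if label else domain
        direct = [ip for ip in resolve(host) if not is_cloudflare(ip)]
        if direct:
            leaks[host] = direct
    return leaks


def pre_cloudflare_history(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only the (first_seen, ip) passive-DNS records outside Cloudflare, newest first."""
    return sorted(((seen, ip) for seen, ip in records if not is_cloudflare(ip)), reverse=True)


# Constructed sample zone: the apex and www are proxied, mail and info are not.
SAMPLE_ZONE = {
    "fakehotel.example": ["104.21.55.10", "172.67.140.22"],
    "www.fakehotel.example": ["104.21.55.10"],
    "mail.fakehotel.example": ["185.203.116.45"],
    "info.fakehotel.example": ["185.203.116.45"],
}
# Constructed passive-DNS history: one record predates the move behind Cloudflare.
SAMPLE_HISTORY = [
    ("2025-11-02", "185.203.116.45"),
    ("2026-01-15", "104.21.55.10"),
    ("2026-01-15", "172.67.140.22"),
]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for stdlib_resolver that answers from SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    print(find_origin_candidates("fakehotel.example", sample_resolver))
    print(pre_cloudflare_history(SAMPLE_HISTORY))
```

For a live check, pass `stdlib_resolver` instead of `sample_resolver`; the MX host, once read from a `dig MX` query, can simply be added to the subdomain list. A candidate from either function still needs confirmation that it answers for the domain (an HTTP request to the IP with the site's `Host` header), since both a grey-cloud mail host and a historical record can point at a machine that no longer serves the site.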

Method 3: Certificate Transparency Logs

Certificate Transparency (CT) logs record every publicly trusted TLS certificate. They do not record the registrant's IP, only the names on the certificate, but the names are exactly the point: every subdomain that ever received a certificate is listed, including hosts that are not proxied. A server can also hold a certificate issued for its bare IP address, which then appears in the logs as an IP subject alternative name.

Searching crt.sh for "%.fakehotel.com" lists every certificate issued under that domain, and each name on them is a candidate to resolve with Method 1. Note that crt.sh indexes names, not hosting IPs: searching by IP only matches certificates that carry that IP as a subject alternative name. Once an origin IP is known, a direct TLS connection to it on port 443 returns the certificate the server actually presents, which usually names the domains hosted there and is a fast way to find other fake sites on the same infrastructure. You can examine our sahte-ssl-sertifika-tespiti-rehberi article for more on how CT logs work.
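The crt.sh lookup described above, written as an added example (not code from this article or from crt.sh): the live query uses crt.sh's `output=json` endpoint, and the parser turns its `name_value` field into a deduplicated hostname list ready for Method 1. The JSON embedded below is a constructed response in that shape, not real log data.

```python
"""Added example: enumerate hostnames under a domain from crt.sh JSON output."""
import json
import urllib.parse
import urllib.request
from typing import List


def fetch_crtsh(domain: str, timeout: int = 60) -> str:
    """Live query (network; not used by the sample run). crt.sh can be slow, hence the long timeout."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(f"%.{domain}") + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def hostnames_from_crtsh(json_text: str, domain: str) -> List[str]:
    """Collect unique, non-wildcard hostnames that are the domain or lie under it."""
    names = set()
    for entry in json.loads(json_text):
        # name_value holds one or more names separated by newlines.
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue  # a wildcard names no concrete host to resolve
            # Suffix match with a leading dot: "notfakehotel.example" must not slip through.
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


# Constructed sample in the shape crt.sh returns for ?q=%25.fakehotel.example&output=json.
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "fakehotel.example\nwww.fakehotel.example",
     "not_before": "2026-01-14T09:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "*.fakehotel.example",
     "not_before": "2026-01-20T09:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "mail.fakehotel.example\nwebmail.fakehotel.example",
     "not_before": "2025-11-01T09:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "name_value": "Mail.Fakehotel.Example",
     "not_before": "2025-09-01T09:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "name_value": "notfakehotel.example",
     "not_before": "2025-08-01T09:00:00"},
])

if __name__ == "__main__":
    for host in hostnames_from_crtsh(SAMPLE_CRTSH, "fakehotel.example"):
        print(host)
```

The "mail" and "webmail" names that come out of the sample are precisely the ones worth resolving next: certificates for mail hosts are issued to the real mail server, which Cloudflare never fronts.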

Method 4: Shodan and Infrastructure Discovery

Shodan is a search engine that indexes internet-connected devices and servers. Looking up an IP address on Shodan shows its open ports, the software and versions running on them, and service banners, including HTTP response headers. Shodan also records the hostnames and TLS certificate names it observed on that IP, which is a quick way to see the other sites sharing it.

This information serves both as direct evidence and as a way to understand the server's setup. For some of the fake sites we analyzed, the HTTP headers captured by Shodan identified the hosting company the server was registered with.

Method 5: Apache and Nginx Configuration Vulnerabilities

Misconfigured web servers expose detailed server information at endpoints like "/server-status" or "/server-info". On an Apache server with mod_status and ExtendedStatus enabled, the status page lists the virtual host of every request being handled, so every site sharing the server can be read off it. nginx's equivalent, stub_status, reports only connection counters and names no virtual hosts, so this particular leak is an Apache one. Request the endpoint against the origin IP directly, with the site's name in the Host header, rather than through Cloudflare.

Information from such an exposure makes Cloudflare's IP hiding pointless: the server itself reports every domain it serves and ties them to its own address. We ran into exactly this on one of the fake sites we analyzed; the server hosted 31 different fake domains and listed all of them itself.
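Reading the virtual-host list out of an exposed mod_status page, as an added example that is not part of the original article. The HTML below is a constructed, trimmed sample in the layout Apache 2.4 emits; real pages carry more rows and sometimes a different column set (older builds lack the "Dur" column), which is why the parser finds the VHost column by its header text rather than by position. The status URL and Host header in `fetch_server_status` are assumptions for a live run.

```python
"""Added example: extract distinct virtual hosts from an Apache mod_status page."""
import urllib.request
from html.parser import HTMLParser
from typing import List, Optional, Set


class _TableGrabber(HTMLParser):
    """Collect every <table> as a list of rows, each row a list of cell texts."""

    def __init__(self) -> None:
        super().__init__()
        self.tables: List[List[List[str]]] = []
        self._row: Optional[List[str]] = None
        self._cell: Optional[List[str]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.tables.append([])
        elif tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None and self._row is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None and self.tables:
            self.tables[-1].append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def vhosts_from_server_status(html: str) -> List[str]:
    """Distinct virtual-host names from the request table, ports stripped, idle slots ignored."""
    grabber = _TableGrabber()
    grabber.feed(html)
    found: Set[str] = set()
    for table in grabber.tables:
        if not table:
            continue
        header = [h.lower() for h in table[0]]
        if "vhost" not in header:
            continue  # the scoreboard legend and worker tables have no VHost column
        col = header.index("vhost")
        for row in table[1:]:
            if len(row) > col:
                name = row[col].split(":")[0].strip()
                if name and name != "-":
                    found.add(name.lower())
    return sorted(found)


def fetch_server_status(origin_ip: str, host: str, timeout: int = 15) -> str:
    """Live fetch straight from the origin, bypassing Cloudflare (network; assumed URL)."""
    req = urllib.request.Request(f"http://{origin_ip}/server-status", headers={"Host": host})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample page. The Client column shows Cloudflare edge addresses
# (172.70.x.x) because visitors still arrive through the proxy.
SAMPLE_STATUS = """<html><body><h1>Apache Server Status for 185.203.116.45 (via 185.203.116.45)</h1>
<dl><dt>Server Version: Apache/2.4.58 (Ubuntu)</dt></dl>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Dur</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>Protocol</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>2291</td><td>0/12/12</td><td>W</td><td>0.03</td><td>1</td><td>2</td><td>40</td><td>0.0</td><td>0.02</td><td>0.02</td><td>172.70.45.3</td><td>http/1.1</td><td nowrap>fakehotel.example:443</td><td nowrap>GET / HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>2292</td><td>0/8/8</td><td>_</td><td>0.01</td><td>4</td><td>1</td><td>12</td><td>0.0</td><td>0.01</td><td>0.01</td><td>172.70.45.9</td><td>http/1.1</td><td nowrap>grandhotelresort.example:443</td><td nowrap>GET /booking HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>2293</td><td>0/3/3</td><td>_</td><td>0.00</td><td>9</td><td>0</td><td>5</td><td>0.0</td><td>0.00</td><td>0.00</td><td>172.70.46.17</td><td>http/1.1</td><td nowrap>luxury-hotel-istanbul.example:80</td><td nowrap>GET /favicon.ico HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>2294</td><td>0/5/5</td><td>_</td><td>0.00</td><td>2</td><td>0</td><td>7</td><td>0.0</td><td>0.00</td><td>0.00</td><td>172.70.45.3</td><td>http/1.1</td><td nowrap>fakehotel.example:443</td><td nowrap>GET /img/hero.jpg HTTP/1.1</td></tr>
<tr><td><b>4-0</b></td><td>2295</td><td>0/0/0</td><td>.</td><td>0.00</td><td>0</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td></td><td></td><td></td><td></td></tr>
</table></body></html>"""

if __name__ == "__main__":
    print(vhosts_from_server_status(SAMPLE_STATUS))
```

The page heading also states the address Apache believes it is serving on, which is worth recording as a second data point alongside the vhost list.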

Method 6: Internet Archives and Web Caches

The Wayback Machine (archive.org) keeps old copies of sites (Google retired its public cache links in 2024, so the Wayback Machine is the practical source). A snapshot taken before the site moved behind Cloudflare may show where it was hosted: IP addresses hard-coded in the old HTML source, or references to a previous CDN, are valuable for detection.

Some fake sites also serve images and media straight from the origin server. Inspecting the image URLs in the page source can show files that bypass Cloudflare and are loaded from a bare IP address; any such address outside Cloudflare's published ranges is an origin candidate.
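Scanning a page, live or from an archived snapshot, for URLs whose host is a bare IP address, as an added example that is not from this article. The HTML is a constructed sample; private and documentation addresses are skipped so that only routable candidates come back.

```python
"""Added example: list the public IP literals a page's resource URLs point at."""
import ipaddress
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Attributes that carry resource URLs (assumed set; extend for your templates).
URL_ATTRS = {"src", "href", "data-src", "poster", "action", "srcset"}


class _UrlCollector(HTMLParser):
    """Gather every URL found in the attributes above, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name.lower() not in URL_ATTRS:
                continue
            # srcset holds "url 1x, url 2x": keep the URL token of each candidate.
            parts = value.split(",") if name.lower() == "srcset" else [value]
            self.urls.extend(p.strip().split(" ")[0] for p in parts if p.strip())


def ip_literal_hosts(html: str) -> Dict[str, List[str]]:
    """Map each public IP used as a URL host to the URLs that reference it."""
    collector = _UrlCollector()
    collector.feed(html)
    hits: Dict[str, List[str]] = {}
    for url in collector.urls:
        target = "http:" + url if url.startswith("//") else url   # scheme-relative URLs
        host = urlsplit(target).hostname                           # None for relative paths
        if not host:
            continue
        try:
            addr = ipaddress.ip_address(host)   # strips IPv6 brackets for us
        except ValueError:
            continue                            # a hostname, not an IP literal
        if addr.is_global:                      # drop RFC 1918, loopback, documentation ranges
            hits.setdefault(str(addr), []).append(url)
    return hits


# Constructed sample: two images and a srcset come straight from the origin,
# the stylesheet goes through the proxied hostname, one URL is relative,
# one points at a private address and one at a documentation IPv6 prefix.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fakehotel.example/css/site.css">
</head><body>
<img src="https://185.203.116.45/uploads/hero.jpg" alt="hero">
<img src="//185.203.116.45/uploads/pool.jpg" srcset="//185.203.116.45/uploads/pool@2x.jpg 2x">
<img src="/img/logo.png">
<img src="http://10.0.0.5/internal.png">
<a href="http://[2001:db8::1]/x">ignored</a>
</body></html>"""

if __name__ == "__main__":
    for ip, urls in ip_literal_hosts(SAMPLE_HTML).items():
        print(ip, urls)
```

To run this over a historical copy, list snapshots with the Wayback Machine's CDX API (`https://web.archive.org/cdx/search/cdx?url=fakehotel.example&output=json`) and feed the archived HTML to `ip_literal_hosts`; the IPs it returns should then be checked against Cloudflare's published ranges as in Method 1.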

Method 7: Email Header Analysis

Fake site operators sometimes send emails to their victims: fake reservation confirmations, campaign notifications, or customer service replies. These emails carry valuable technical information.

The "Received:" lines in the email's headers record the IP addresses of the servers the message passed through. If the operator runs the email infrastructure outside Cloudflare, as SMTP requires, those lines can expose the real server's IP. Only the Received: line added by your own mail server is trustworthy, because everything below it was written by the sender's infrastructure and can be forged; read the connecting IP from that line and treat the earlier hops as claims, not evidence.
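Walking the Received: chain as described above, as an added example rather than code from this article. The message is a constructed sample; it follows the convention that every relay prepends its own Received: line, so the first line in the header block is the last hop, and it includes a forged hop at the bottom to show why only the line written by your own server counts.

```python
"""Added example: extract relay IPs from Received: headers and pick the one
verifiable hop, the line written by the recipient's own mail server."""
import email
import ipaddress
import re
from email import policy
from typing import List, Optional, Tuple

# Bracketed IPv4/IPv6 literal (optionally "IPv6:"-prefixed) or a bare IPv4.
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]|\b((?:\d{1,3}\.){3}\d{1,3})\b")
BY_RE = re.compile(r"\bby\s+([^\s;(]+)", re.IGNORECASE)


def _parse_hop(value: str) -> Optional[Tuple[str, str, bool]]:
    """(client_ip, receiving_host, is_public) for one Received: value, or None if unparseable."""
    value = " ".join(value.split())          # unfold and normalise whitespace
    low = value.lower()
    start = low.find("from ")
    if start < 0:
        return None
    end = low.find(" by ", start)
    from_clause = value[start:end] if end > start else value[start:]
    m = IP_RE.search(from_clause)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1) or m.group(2))
    except ValueError:
        return None
    by = BY_RE.search(value)
    return str(addr), (by.group(1).lower() if by else ""), addr.is_global


def received_hops(raw_message: str) -> List[Tuple[str, str]]:
    """(client_ip, receiving_host) per hop, origin first, loopback/private hops dropped."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):   # bottom line = first hop
        parsed = _parse_hop(str(header))
        if parsed and parsed[2]:
            hops.append((parsed[0], parsed[1]))
    return hops


def verified_sender_ip(raw_message: str, my_mx: str) -> Optional[str]:
    """Public IP that connected to my_mx, taken only from a line my_mx wrote itself."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header in msg.get_all("Received", []):             # newest first
        parsed = _parse_hop(str(header))
        if parsed and parsed[1] == my_mx.lower() and parsed[2]:
            return parsed[0]
    return None


# Constructed sample. The bottom Received: line is forged by the operator's
# server to look like a bank relay; nothing above the recipient's own MX
# (mx.victim.example) can vouch for it.
SAMPLE_MAIL = "\n".join([
    "Received: from mx.victim.example (localhost [127.0.0.1])"
    " by mx.victim.example (Postfix) with ESMTP id 7A1B2C; Mon, 06 Apr 2026 10:15:02 +0300",
    "Received: from mail.fakehotel.example (unknown [185.203.116.45])"
    " by mx.victim.example (Postfix) with ESMTPS id 5C9D3E; Mon, 06 Apr 2026 10:15:01 +0300",
    "Received: from booking-app (localhost [127.0.0.1])"
    " by mail.fakehotel.example (Postfix) with ESMTP id 11A2B3; Mon, 06 Apr 2026 10:14:59 +0300",
    "Received: from mx.bigbank.example (mx.bigbank.example [91.200.12.34])"
    " by mail.fakehotel.example (Postfix) with ESMTP id F0RG3D; Mon, 06 Apr 2026 10:14:58 +0300",
    "From: Grand Hotel Reservations <booking@fakehotel.example>",
    "To: guest@victim.example",
    "Subject: Reservation confirmation #48213",
    "",
    "Your booking is confirmed.",
])

if __name__ == "__main__":
    print(received_hops(SAMPLE_MAIL))
    print(verified_sender_ip(SAMPLE_MAIL, "mx.victim.example"))
```

The address `verified_sender_ip` returns is the operator's sending server; it is the same machine as the web origin only when the operator hosts everything together, so confirm it with the DNS and direct-request checks from Methods 1 and 2 before using it in a complaint.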

Why is This Information Important?

Cloudflare itself will not tell you which origin serves a given site, so the detected IP is what ties the fake site to a physical server. That IP is of critical importance in the takedown process:

  • Complaint to the hosting company: once the real IP is known, the hosting company that owns the server can be identified, and a DMCA (Digital Millennium Copyright Act) or abuse notification can be sent directly to it.
  • Complaint to Cloudflare: Cloudflare can terminate service to sites that violate its abuse policy, and the real server information serves as strong supporting evidence in that process.
  • Criminal complaint to the prosecutor: IP information is the most critical technical evidence for identifying the organization behind the sites.

Automated Detection

Applying these seven methods by hand takes technical knowledge and time; in our research, some fake sites took hours to trace to a real IP.

Frequently Asked Questions

Is it legal to find the real IP of a site behind Cloudflare? Yes. DNS queries, CT log research, and examining public archives are legal operations. These methods use only public data sources and involve no unauthorized access to any system; the only active step, requesting a status page, is an ordinary unauthenticated HTTP request. Collecting this information to combat a fake site is legitimate and necessary.

What information does Shodan give? Shodan lists the open ports, running services (web server, SSH, FTP), software versions, and service banners on an IP address, along with the hostnames and certificate names seen on it. This helps establish which hosting infrastructure the server runs on and can be used as technical evidence in takedown applications.

Why is SecurityTrails so valuable? SecurityTrails shows a domain's full DNS history, including every A record it has had. Through it you can learn which IP a fake site used before moving behind a CDN, and once that IP is found, locating other fake sites on the same infrastructure becomes easier.

Can a takedown be requested without detecting the IP? Yes, domain-based takedown requests are possible. ICANN policies and registrars accept abuse notifications without the complainant identifying the domain owner. When the real IP is known, however, the hosting company can be contacted directly, and that route gives much faster results.


Try our free tool, which automatically detects the real IP addresses and hosting infrastructure of fake sites impersonating your hotel. The first scan returns results within minutes.

Tags: finding the IP behind Cloudflare, Cloudflare real IP detection, fake site IP address, Shodan hotel security, SecurityTrails DNS history, subdomain IP leak detection, hosting company identification, DMCA takedown hotel

Would you like to put your hotel under protection?

Apply now for a free threat assessment.