How to know the real IP site hidden behind DDoS protection

How to know the real IP site hidden behind DDoS protection

There are different services that hide the site address behind another IP – for protection against DoS, DDoS or other attacks. These can be cloud services like Cloudflare, web application firewalls (WAFs) and other security solutions. The task of circumventing them is to call the real IP, and there are ready-made utilities for this. Let’s see how to use them in practice.

At first I will tell you a bit more about what a WAF is and how it works. For example, as part of the familiar Apache web server, there is a module mod_security, which can act as a firewall for web applications and help protect your service from some trivial DoS attack. One such attack is HTTP(S) GET Flood, where the server is sent countless requests for information. The server is unable to process so many requests in a very short period of time and simply drops.

Some cloud provider may also provide such a function – for simplicity, I will call different services of this type just WAF. The principle of their work can be described in the following way.


  1. The web server to be protected runs as usual without filtering dangerous requests, and the WAF service is configured on a separate server of the company providing such services.
  2. The IP address of the WAF.
  3. server is not its real address, but the IP address of the WAF server.
  4. After this configuration, all requests to the domain name of the site will be sent to the WAF server rather than the site itself.
  5. This server accepts the request, processes it and if the request meets the configured rules, sends it to the protected server. WAF receives from this server the requested information (web page, file) and forwards it to the client (user).

How to cheat-system

Since modern WAFs block many malicious requests, utilities like sqlmap or WPScan cannot be used. Also, attacks like DoS or DDoS are not possible.

So we have two options.

  1. Construct the request in such a way as to bypass the rules written in WAF.
  2. Send request directly to web server without checking WAF.

We’ll focus on the second point from here. To implement it, we need to know the real IP address of the server and make sure that this server is able to accept requests directly from anyone on the network. The direct IP address of the server is often called the word bypass. Sometimes direct access to it is specially saved so that the server can continue to work in case of problems on the side of WAF-services.

For this purpose, we will use a script with a long, but speaking name: Bypass firewalls by abusing DNS history.

This utility tries to find out the real IP address of the server we need in two ways at once.

  1. History analysis of DNS records.
  2. Search for subdomains and then analyze their IP addresses.

To all found IP addresses, the script makes requests for verification.


The script is publicly available at GitHub. I ran it on Kali Linux, but it can work in other distributions as well.

The commands to install it on Kali look like this:

$ sudo apt install jq
$ git clone 

The team for installation in the BlackArch distribution:

$ sudo pacman -S bypass-firewall-dns-history jq 

Back to Kali. The first line is to put the necessary module to run the script, and the second line is to download the script from GitHub. To get help on using the tool, just go to its directory and run the following command:

$ bash --help 

As you can see, the script developer has provided several parameters:

    • -d – mandatory key to use the script. With this key we specify the domain name of the site for which we want to find bypass;


  • -a – with this parameter the found IPs will be checked not only for the main domain, but also for subdomains;
  • -l – this parameter allows you to upload your list of subdomains to the script to perform a more detailed and accurate check;
  • -o – this parameter allows you to save the result of the script to a file, the path to which is specified after the parameter.

Now let’s run the script:

$ bash -d <Your_target> 

For example, I found one site that is vulnerable to an attack of this kind. This is what the script output for this site looks like.

In the IP column, the IP addresses that can be accessed directly from the server will be recorded one by one. The second column shows the probability that this is the correct IP, expressed as a percentage. The Organization column contains the name of the company that owns this IP.

Let’s take another example and expand the search area by adding an IP to subdomains:

$ bash -d <Your_target> -a

Here, among other things, another column appears – Domain, which lists subdomains corresponding to the found IP addresses.

In order not to lose the result later, it is usually saved to a file. Well, let’s use the -o parameter and write the path for saving the log to the user’s home folder.

$ bash -d <Your_target> -a -o /home/kali/<output.txt> 

You can specify not the whole path, but only the name of the file in which the result will be written. The file will be saved in a folder with the script.

As you know, not everything is cracked in one click. Sometimes programs also need help – in our case we can ease the task by making a voluminous list of subdomains. We will fill this list with the help of Amass script, which knows how to do it perfectly. Amass is launched by such a team:

$ Amass enum -d <Your_target> -o <subdomains.txt> 

With the parameter -d specify your target, with the parameter -o – file to save the result of the work.

Back to WAF Bypass. Now we will use the list of found subdomains to find the real IP address of the attacked server:

$ bash -d <Your_target> -l <subdomains.txt>

As we can see, the two most likely bypasses have been found.

Try skills in business

In order to dispel your doubts about the performance of this method, I suggest we do a little research. We will try to break through several sites with the help of this utility and make a small statistics.

I want to make it clear: we will check only servers that are protected by WAF. To make sure, we are going to use the dig utility built into Kali:

$ dig <DOMAIN> NS +short. 

The utility will show us a list of DNS servers to which the site is connected. If you see the DNS servers of Cloudflare or other WAFs, it means that the site is protected from DOS and DDoS attacks.

We will use the same command for testing:

$ bash -d <Your_target> -a 

Okay, here we go. Let’s take one game site protected by Cloudflare as an example. I won’t show the domain for obvious reasons. Let’s try to use our utility to break through the WAF and see if we will succeed.

As you can see, we got a list of possible bypasses, but it’s too big and each IP has its own probability rating. This suggests that it’s not easy to break through large companies.

Now let’s take a look at one of the servers for the Minecraft collaboration game. They also often use protection services against DoS and DDoS.

For the experiment, I’m taking the first servers I get. This one was foreign, and its protection stood up.

Let’s try something more defenseless – I got a cast-iron role-playing server of GTA V. at hand.

One hundred percent success. However, the server was so modest that it had to force a full scan to stop.

Now let’s check some news sites. The first “victim” (in quotes, as we did no harm) was one popular news portal.

We got a lot of mistakes. They are related to the fact that the log server has limited our ability to make requests. However, this utility did not prevent us from achieving success. In the very first report we found a bypass with 100% probability, but it was a subdomain.

Next, let’s try the foreign educational log.

You may notice that the program has already started to fall off, but still tried to find bypasses in subdomains. The success rate is rather small.

And finally, the last candidate.

Success! One hundred percent bypass found.


As you can see, this method can really help you find the right bypasses. Of course, it doesn’t always work out qualitatively, otherwise WAF would be useless at all. However, when you come across one of them, do not give up, because there are a couple more effective tools in your arsenal now.

WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: