Important note: this post is NOT meant to encourage anyone to carry out a DDoS attack on any website. Rather it is my tongue-in-cheek way of exposing a major flaw in the popular Cloudflare service, in hopes they will take this shit seriously and actually reform their business practices. If you, dear reader, ever DDoS a site for real, I hope you die in a fire.
I use Cloudflare on several sites — for DDoS protection, as a Web Application Firewall, and also for their CDN. I have sites on both free and paid plans with them. Up until now, I thought Cloudflare was a great service — little did I know how easy it is to defeat the entire purpose of using them.
Or to put it another way: Cloudflare is great — until they decide to fuck you over.
Here’s how you defeat Cloudflare: