Ok, nmap people.

When I scan a site that is covered by CloudFront, how much of my scan is eaten by CF and how much is making it to the server? Or do I have to go look for myself? Might be hard question, I dunno yet.

#nmap

@Sempf why on earth would you nmap a cdn? you won't see the origin ports, and even at the application layer you'd only see the proxy. there may be some L7 proxy trickery or even some TCP level magic that works, but nmap is not the right tool to test those.

@Sempf I'm not an nmap person, but as someone who has configured CloudFront, I don't think a "one size fits all" answer is even possible for this question. For the same request IP, port, etc., CF might handle it or the origin server. CF isn't really a WAF, but it can be configured to handle some traffic and pass through other traffic. So I think "it depends?"

@CraigStuntz That is what I figured. Thanks.

@buherator The servers are protected by Cloudflare for DDOS and like that - all of the relevant ports respond as usual. CDN means something else to me - a place to put static content.

So I guess I'd ask what tool would you have in mind?

@Sempf Oh OK, the TCP-level DDoS protection is obviously secret sauce, so you'll end up in trial&error. My educated guess is that if you are not too aggressive with timings and do proper TCP handshakes (-sT IIRC) you should be fine, and if something triggers than suddenly all your connections will fail so -vvv and keep an eye on logs.

@buherator

"Secret sauce" - so it will be henseforth known.

And we are on the same page. I'm starting to see how a little -v and a little grep are gonna take me places.