I can’t imagine.
Was it a targeted attack? Scanning entire networks is easily done. Scanning and enumeration.
Cloudflare can not do anything against it since they are basically protecting on DNS level. (origin IP gets hidden behind CF)
Are you sure that there’s no DNS record exposing the origin IP? This is often the case with “mail.domain.com” which points to the origin as a subdomain. Since mail isn’t proxied by Clodflare (domains handling mail services must be set to ) the attacker has got the origin IP. And guessing smtp., mail, imap., webmail… isn’t that difficult. Even if it is not the same IP it might be on the same network range. Companies are often listed
in the whois record along with their provider so an attacker can go ahead with the scanning…
There are many ways this is just one example
Is he a CloudFlare employee? Oh, and it’s from 2011.
You can achieve more protection with Argo Tunnel for example. It’s available on every plan and billed on usage. You can find it under the “Traffic” tab.