Yes. One can identify the IP address of the origin server behind a reverse proxy if the server responds to direct requests in a way that identifies itself. See: https://cloudpiercer.org/
Two steps towards obscuring the origin server include requiring that the HTTP Host header is set and only responding to Cloudflare IP ranges: https://www.cloudflare.com/ips/
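The two checks named in the comment above (only answer the proxy's address ranges, and require an expected Host header), as an added example that is not part of the thread. The ranges are constructed documentation prefixes standing in for the list published at https://www.cloudflare.com/ips/, and `ALLOWED_HOSTS` and all function names are assumptions.

```python
import ipaddress

# Constructed stand-in for the list at https://www.cloudflare.com/ips/
# (documentation ranges, not real Cloudflare ranges).
SAMPLE_PROXY_RANGES = """\
# ipv4
198.51.100.0/24
203.0.113.0/25
# ipv6
2001:db8:1000::/36
"""
ALLOWED_HOSTS = {"www.example.com", "example.com"}  # assumed site names


def parse_ranges(text):
    """Parse one CIDR per line, skipping blanks and # comments."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ipaddress.ip_network(ln) for ln in lines if ln]


def peer_is_proxy(peer, nets):
    """True if the TCP peer address falls inside an allowed proxy range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in n for n in nets if n.version == addr.version)


def host_is_expected(host_header):
    """True only for an explicit, known Host value (port and case ignored)."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal, never one of our names
        return False
    return host.split(":", 1)[0].rstrip(".") in ALLOWED_HOSTS


def should_serve(peer, host_header, nets):
    """Both checks must pass; otherwise drop the request without sending
    any site content."""
    return peer_is_proxy(peer, nets) and host_is_expected(host_header)
```

The peer-address check belongs at the firewall or before the TLS handshake: a certificate is presented before any Host header arrives, so the Host check alone does not hide the origin from certificate-based lookups.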
I used Censys to search for the IPv4 addresses of servers serving matching TLS certificates: https://censys.io/ipv4?q=443.https.tls.certificate.parsed.na...
Couldn't someone DDoS'ing a site use this to get around Cloudflare "protection?"
Uh, asking for a friend.
(not op) Well as it happens, Cloudflare has had this massive data leak you might have heard of...