In this age of cheap and easy DDOS attacks, DDOS protection services promise to go between your server and the Internet to protect you from attackers. Cloud based DDOS protection suffers from several fundamental flaws that will be demonstrated in this talk. This was originally discovered in the process of investigating malicious websites protected by Cloudflare- but the issue also affects a number of other cloud based services including other cloud based anti-DDOS and WAF providers. We have developed a tool – called No Cloud Allowed – that will exploit this new cloud security bypass method and unmask a properly configured DDOS protected website. This talk will also discuss other unmasking methods and provide you with an arsenal to audit your cloud based DDOS or WAF protection.