There are two ways to bypass CloudFlare and related services.
1) Most of the time, as Kephael said, websites expose their back-end IPs through subdomains like ssh.domain.com or ftp.domain.com. MX records also sometimes function in the same way. There are a variety of ways to resolve a domain through CloudFlare.
2) CloudFlare bypass scripts can be bought for around $400, which manipulate the JavaScript per client when sending an attack (mainly by disabling JavaScript). This prevents the so-called "challenge pages" from blocking malicious traffic, effectively slipping through CloudFlare protection. Most of these scripts work on most other providers such as Sucuri as well.
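
For site owners, the exposure described in point 1 can be checked against an export of your own DNS zone. The following is an added example, not part of the original post: it flags every record (including MX and CNAME targets) that ends at an address outside the proxy's ranges. The zone data, the `example.com` names and the function names are constructed, and the range list is an assumed subset of the provider's published ranges.

```python
import ipaddress

# Assumption: a small subset of the CDN's published proxy ranges.
# In real use, load the provider's full, current list instead.
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

# Constructed zone export as (name, type, value). 203.0.113.10 is an
# RFC 5737 documentation address standing in for the origin server.
ZONE = [
    ("example.com", "A", "104.16.10.20"),
    ("www.example.com", "A", "172.64.5.6"),
    ("ftp.example.com", "A", "203.0.113.10"),
    ("ssh.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "mail.example.com"),
    ("blog.example.com", "CNAME", "www.example.com"),
]

def is_proxied(ip):
    """True if the address belongs to one of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

def resolve_a(name, zone, seen=()):
    """Return the A values for a name inside the zone, following CNAMEs."""
    if name in seen:  # guard against CNAME loops
        return []
    ips = [v for n, t, v in zone if n == name and t == "A"]
    for n, t, v in zone:
        if n == name and t == "CNAME":
            ips += resolve_a(v, zone, seen + (name,))
    return ips

def audit(zone):
    """List (name, type, ip) for every record that reveals a non-proxy IP."""
    findings = set()
    for name, rtype, value in zone:
        targets = [value] if rtype == "A" else resolve_a(value, zone)
        for ip in targets:
            if not is_proxied(ip):
                findings.add((name, rtype, ip))
    return sorted(findings)

if __name__ == "__main__":
    for name, rtype, ip in audit(ZONE):
        print(f"{name:20} {rtype:5} -> {ip} (not behind the proxy)")
```

Records it reports are candidates for proxying, moving to a separate host, or removal; restricting the origin firewall to the proxy's ranges limits the impact of any that remain.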