TIL: you can configure Cloudflare to skip CAPTCHA for Tor users: https://support.cloudflare.com/hc/en-us/articles/203306930-Does-Cloudflare-block-Tor-
I guess the next best thing after dropping Cloudflare and similar services completely…
If you can’t provide an alternative then I can’t take this seriously, and - until then - I hope that nobody else can either.
What do you need Cloudflare for? I’ve never seen a single use case for it (other than their DNS service, which is well done compared to many other providers). People who claim “DDoS protection” seem to have either picked a crappy web host, don’t know how to use caching, or are running Apache.
An alternative to surrendering your visitors to surveillance capitalism and forcing them to train Google’s AI that will enslave them?
I guess there are some use cases for services like CF, but most of the time it is just incompetency, forced on developers by their managers, or a fascination with bloat. A page without a spinner is just not the modern web!
See: http://idlewords.com/talks/website_obesity.htm
Does configuring rate limiting and doing load testing before production deployment not count as an alternative? It’s not like we weren’t running websites and dealing with the problems Cloudflare tries to address before that service existed.
No. Cloudflare isn’t a “rate limiting” service. Your load testing isn’t going to compare to real traffic. It’s a nice thing to do, but should never be considered representative of real traffic.
A lot of the problems that Cloudflare addresses have become worse for multiple reasons.
Firstly, this is later in time. Technology has improved. This means that attacks have become stronger.
Secondly, services like Cloudflare weren’t there and people now have to find ways to attack services like Cloudflare. This means that doing it yourself is substantially harder now, since you probably can’t compete with them in terms of DDoS protection. I doubt you ever saw anyone performing the largest DDoS in the world by hacking into people’s IoT cameras back then, either, but comparing reality 10 years ago to now isn’t the best approach to solving these problems.
How are you going to implement DDoS protection? Rate limiting isn’t doing that for you, it’s just rejecting requests that are excessive. That’s what Cloudflare is trying to do here.
It’s not trying to rate limit, that makes little-to-no sense.
EDIT: Also, if you’re the one that marked my response as “incorrect” then I don’t think that you know what “incorrect” means. It is absolutely correct to say not to consider a non-alternative as an alternative. Downvotes shouldn’t be an “I don’t agree” button.
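The distinction drawn in the comment above, as an added illustration (not code posted in the thread): a per-IP sliding-window limiter rejects one noisy client, but a flood spread across many sources that each stay under the limit passes straight through, and every rejected request was already received and parsed. The traffic, IP addresses and numbers below are all constructed for the simulation.

```python
"""Per-source rate limiting versus a distributed flood.

Added illustration (not code from the thread): a sliding-window limiter keyed
on client IP stops one noisy client, but a flood spread over many sources,
each staying under the limit, passes through untouched. All traffic below is
constructed; the IPs are documentation/private ranges, not real hosts.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float = 1.0) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def run(limiter: SlidingWindowLimiter, requests):
    """Feed (timestamp, source_ip) pairs through the limiter.

    Returns (served, rejected). Every request, served or not, was already
    received, parsed and looked up before the decision: rejecting it saves
    application work, not the bandwidth or sockets it consumed on the way in.
    """
    served = rejected = 0
    for ts, src in requests:
        if limiter.allow(src, ts):
            served += 1
        else:
            rejected += 1
    return served, rejected


def single_source_burst(rate: int):
    """One abusive client (constructed IP 203.0.113.7) sending `rate` req/s."""
    return [(i / rate, "203.0.113.7") for i in range(rate)]


def distributed_flood(sources: int, per_source_rate: int):
    """`sources` bots (constructed 10.x.y.1 addresses), each sending
    `per_source_rate` req/s, i.e. each one individually well behaved."""
    reqs = []
    for b in range(sources):
        src = f"10.{b // 256}.{b % 256}.1"
        reqs.extend((i / per_source_rate, src) for i in range(per_source_rate))
    return reqs


def compare(limit: int = 10) -> dict:
    """Run both scenarios against a fresh limiter of `limit` req/s per IP."""
    single = run(SlidingWindowLimiter(limit), single_source_burst(rate=500))
    flood = run(SlidingWindowLimiter(limit),
                distributed_flood(sources=2000, per_source_rate=5))
    return {"single_source": single, "distributed": flood}


if __name__ == "__main__":
    print(compare())  # {'single_source': (10, 490), 'distributed': (10000, 0)}
```

The single client loses 490 of its 500 requests, while the 2,000-bot flood delivers all 10,000 requests per second to the backend because no single key ever exceeds the limit; absorbing that upstream of the origin is what the comment means by DDoS protection as opposed to rate limiting.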
I do this for all my sites. It really should be the default, or at least more obvious.
I stumbled upon this project a few weeks ago. It seems there’s a protocol to redeem and use tokens when filling the first captcha and skip later ones. The protocol also allows the user to stay anonymous.
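The kind of protocol described in the comment above, as an added example: this is not the code of the project mentioned (which is not named here), and the construction, RSA blind signatures, is an assumption about how such a scheme can be built rather than a statement about what that project uses. The `Issuer` and `Client` classes and the `captcha_solved` boolean are stand-ins of mine. The client generates random tokens, gets them blind-signed once the CAPTCHA is solved, and redeems them later; because the issuer only ever saw the blinded value, a redemption cannot be tied to the solve. Hash-to-group is simplified to SHA-256 reduced mod n; a production scheme would use a full-domain hash as in the IETF RSA blind signature specification.

```python
"""Anonymous CAPTCHA-bypass tokens via RSA blind signatures.

Added example, not the code of the project mentioned in the thread and not
necessarily its construction. Class names, the captcha_solved flag and the
1024-bit demo key are assumptions for illustration.
"""
import hashlib
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _h(token: bytes, n: int) -> int:
    """Map a token into Z_n (simplified; a real scheme uses a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


class Issuer:
    """Signs blinded tokens once a CAPTCHA is solved; later verifies redemptions."""

    def __init__(self, bits: int = 1024) -> None:
        e = 65537
        while True:
            p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
                break
        self.n, self.e = p * q, e
        self._d = pow(e, -1, phi)
        self._spent: set[bytes] = set()

    def sign_blinded(self, blinded: int, captcha_solved: bool) -> int:
        """Issuance: the issuer signs without learning the underlying token."""
        if not captcha_solved:
            raise PermissionError("solve the CAPTCHA first")
        return pow(blinded, self._d, self.n)

    def redeem(self, token: bytes, sig: int) -> bool:
        """Accept a (token, signature) pair once; reject replays and forgeries."""
        if token in self._spent or pow(sig, self.e, self.n) != _h(token, self.n):
            return False
        self._spent.add(token)
        return True


class Client:
    def __init__(self, n: int, e: int) -> None:
        self.n, self.e = n, e

    def blind(self):
        """Return (token, blinding factor r, blinded message H(token) * r^e)."""
        token = secrets.token_bytes(32)
        while True:
            r = secrets.randbelow(self.n - 2) + 2
            if math.gcd(r, self.n) == 1:
                break
        blinded = (_h(token, self.n) * pow(r, self.e, self.n)) % self.n
        return token, r, blinded

    def unblind(self, r: int, blind_sig: int) -> int:
        """(H(t) * r^e)^d * r^-1 = H(t)^d, an ordinary signature on the token."""
        return (blind_sig * pow(r, -1, self.n)) % self.n


def demo() -> dict:
    issuer = Issuer()
    client = Client(issuer.n, issuer.e)
    token, r, blinded = client.blind()
    sig = client.unblind(r, issuer.sign_blinded(blinded, captcha_solved=True))
    return {
        "issuer_saw_token": blinded == _h(token, issuer.n),     # False
        "first_redeem": issuer.redeem(token, sig),               # True
        "replay": issuer.redeem(token, sig),                     # False, spent
        "forged": issuer.redeem(secrets.token_bytes(32), sig),   # False
    }


if __name__ == "__main__":
    print(demo())
```

The spent-token set is what gives the issuer its only lever against abuse: a token can be redeemed exactly once, so a CAPTCHA solve buys a fixed number of skips, and the issuer still cannot tell which solve a given redemption came from.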
There’s another part of note that this post seems to ignore.
It’s a common occurrence that Google serves an intentionally unsolvable (correct solution is rejected) CAPTCHA or even straight up refuses to serve a CAPTCHA at all. In that case, there’s just no way to access your site. And these things usually happen for months at a time.
Won’t this break their DDoS protection if Tor users decide to DDoS them?
A DDoS about as powerful as an internet connection in the middle of Africa
How would a Tor user DDoS someone?
There could surely be a way to perform an amplification attack on a system using CloudFlare over Tor
I think it’s reasonable to presume Cloudflare’s DDoS protection doesn’t rely on tracking a single user on a shared IP address.
Yeah, but you start getting this page when you start getting DDoS’d or it thinks you’re a bot. I’m not sure whether the feature for disabling this page will skip the DDoS barrier as well, is what I’m saying.
Thanks for the heads up! Just changed it for my sites.
I’m more concerned about blanket bans of entire countries people choose to deploy more and more often (not with CloudFlare specifically). After all, Tor is something people choose to use and can just stop any time. Having to circumvent bans just because you happen to live in a “bad country” (as if botnets know about national borders) is another story.
At some point it becomes a fairly straightforward cost/benefit analysis. There are situations where a country-wide ban means the difference between your service being up or down. My organization blacklisted all of China for a while a few years ago because our choices were between our customers in China not being able to access our site and no one in any country being able to access our site.
In our case we had the resources to reverse that ban pretty quickly, but if your service is being DDoS’d from a fairly small geographic region where you have few, if any, legitimate users I can at least sympathize with the decision to forgo traffic from that region entirely rather than make what might be a substantial investment for little return.
A lot of the time I’ve seen people do it just because it feels safer that way, even though they’ve never even been DDoS’d from anywhere yet. That’s what I’m advocating against.