I think it's worth mentioning that DDOS protection has become a tool to control online discourse. Once you get kicked off Cloudflare, that's mostly it for you if you have a determined attacker. That's quite a beneficial situation for governments.
Have you actually run any sort of web service/website without Cloudflare? This sounds like something straight out of a sales rep's mouth; obviously there are more solutions than just Cloudflare out there...
I don't think you appreciate the threat scenario discussed here if you think it's reasonable to ask for personal experience. Leaves me to wonder if I am supposed to deny having committed any crimes while we are at it?
Still thank you for the response, gives the ability to clarify that this is by no means an advertisement. You have of course endless options for ddos mitigation right now. But once cloudflare no longer wants you, your other options have a tendency to evaporate as well.
>But once cloudflare no longer wants you, your other options have a tendency to evaporate as well
This! If the forces persecuting you made Cloudflare drop you, and you go, you establish your own site and your own platform, your own infrastructure, unless you have some billions lying around to put fiber optical cables over the oceans physically connecting your servers to the rest of the world, you will depend on other people. And the forces persecuting you, they could just go the next level and start to demand Tier 1 providers to drop you. And the whole thing starts derailing into a cat-and-mouse game. Where you will have to constantly be thinking "Okay, what is their next move to deplatform me?"
Because as you said. Usually when Cloudflare drops you... it's not very absurd to assume banking institutions, Mastercard, Visa, Google, Microsoft, Amazon, etc... will also drop you. And the law pretty much allows those multibillion dollar companies to deny service to a paying customer, which is a pretty dangerous precedent in my opinion.
I believe cloudflare drops if they cannot withstand the level of traffic you’re being hit with, which is an exception to your suggestion. As per other posts, if CF drops you, you won’t be able to build your own ddos mitigating infra without billions. Microsoft and Amazon offer similar services, but I’m guessing cloudflare offers the best resiliency based on OP’s specific naming of CF.
I think generally with cloudflare, they may be quick to drop you (or demand payment) if large DDoS is a regular occurrence for you. The free tier is generous but it dries up if you're a huge target.
My company runs a bunch of large community products and we run cloudflare in front of them to handle frequent DDoS attacks. We also pay for a cloudflare enterprise plan though.
The other side of the coin is them dropping a customer for other reasons.
Is immediately after. And a person died. Cloudflare are aware that they shouldn’t exist. They exist because they solve a problem that our telecoms networks and government/regulatory apparatus won’t. And it’s regarding the Daily Stormer.
Cloudflare keeps protecting the Russian state because if they don’t Russia will develop the technology themselves and then eat some of Cloudflare’s lunch. The effectiveness of a single period of successful DDOS attacks in a whole war is debatable.
It’s easy to stop a handful of neo-Nazis. The Russian state is a lot harder. If you want Cloudflare to do it, get the government to force them.
If cloudflare dropped someone because they couldn't withstand the traffic, that would be an exceptional event that would not go unnoticed. I don't believe they do that.
As someone who has run services online for the last two decades, without ever using Cloudflare, you do have "options". Those options tend to be rooted in proper network engineering, DDoS mitigation, owning and operating your own ASN and advertising routes through multiple physical POPs and proper distributed hosting, with low-dynamic content.
But if by "options" you are talking about "pay someone else to deal with the problem", then sure you might be right.
A lot of these solutions don't actually mitigate large DDoS attacks, or have enormous loopholes that can be bypassed by a novice attacker. I've heard that OVH's DDoS protection used to let in other OVH servers, for example.
When I checked, some of the equivalents to Cloudflare's lower plans cost hundreds of dollars a month.
> OVH's DDoS protection used to let in other OVH servers
And why wouldn't they? If you're getting ddos'd on OVH from OVH, they'll just turn off the source of the traffic rather than trying to fight it on the receiving end.
It really isn't that dire, AWS has Shield (or really just CloudFront), GCP has Cloud Armor, Azure has "Azure DDoS Protection", everything on DigitalOcean is protected by default. And if you're on-prem or colo then even a modestly sized edge router can handle quite a bit of traffic. And if all you want is the CDN part and not origin protection then every commercial CDN does DDoS protection.
If you mean "providing expensive protection services for free on a $5/mo VPC" then sure Cloudflare might be your only bet.
Not a question of money. If I recall, all of these are as easy to reach for governments as Cloudflare itself. Especially with the threat of KYC. Would be happy to be wrong here though.
"If a government decides they want you offline" is quite a big difference from the original "Once you get kicked off Cloudflare, that's mostly it for you".
Somebody else asked this but deleted before I could respond, so I am glad you asked.
Centralized DDOS protection and DDOS seem to be two sides of the same coin, so I don't understand what the distinction would entail.
edit: You could argue that DDOS is an equal opportunity tool, while the threat of getting kicked off cloudflare is reserved for a selected few. So the difference would be which is more at threat of getting exploited. Hope that helps.
Who got kicked off of Cloudflare? Because both the cases I can think of weren't because of governments and were the sorts of schmucks that you really don't want hanging around.
A few companies with enough resources being able to decide who is a "schmuck that you really don't want hanging around" is worse than a government doing it IMO. At least the latter have to pretend to follow process and be accountable to the people.
Though I'm not sure how to really solve it. I support ISPs being considered utilities with an obligation to serve any customer unless they can argue a compelling reason why they can't, but DDoS protection is not a technical essential like an internet connection is. Even if it's almost essential for a popular site in 2023.
It's not a few companies. It's private people deciding who they want to serve. And yes that can mean that you find it impossible to publish neo-Nazi rags online.
It was a generic statement about a path to get rid of unwanted public discourse. The problem is that paths that exist get taken. Examples of who that happened to already and your opinion of who deserves what are not the point.
It's totalitarian rot, it doesn't stop, it's like a moldy fruit.
Wait so your point is that if Cloudflare (or anybody?) doesn't want to do business with lying Nazis, then, the world is on an inexorable slippery slope to totalitarian fascism? That's obviously false.
That perspective is how being wrong looks here. It's an incredible shortsightedness, you have no basis for that degree of certainty. For starters, if it was so obvious you could explain how.
We are talking about a barrier to enter public discourse enforced through DDOS, not freedom to do business with whom you please. This robs you of the ability to self host. With zero checks and balances. You being certain that the likes of the Daily Stormer shouldn't exist in the public discourse doesn't absolve you of the responsibility for the delete function you just created. For which you have zero concern. That is how a totalitarian slope looks, totalitarians prick holes into the public discourse with no regards for the safe use of such holes. Unsurprising as there is no safe way to do this. It's building a horrific weapon with no targeting mechanism or safety.
You have made yourself a totalitarian through your flagrant disregard for the consequences of your actions. Your error lies in believing your intention matters more than the outcome. To the degree that safeguards became unnecessary. You could and should know better, reality always wants its toll for such behavior.
edit: Please check the comment a bit down starting with "Naive being the key point." on the use of the term totalitarian. I also mentioned stuff to read on the topic by people a lot more capable than me and hopefully a lot harder to ignore.
Remember when Google was one of the “not evil” companies? When it comes to internet companies we have got burned so many times it’s good to keep a healthy dose of skepticism when it comes to a company that potentially decides if you are able to survive on the internet.
One of my favorite illegal streaming websites streamed old Nickelodeon TV shows and The X-Files from the 90s. They had problems with Cloudflare and had to deal with a lot of problems from a rival hacker group DDoSing.
With those shows' narratives heavily influencing how we think. With some no longer available after falling through the cracks of DRM (like Malcolm in the Middle in some countries).
At least in my experience, OVH was the only hosting company where their network engineers spoke to me when we had a ddos problem.
Had a situation where one of my servers was getting ddosed. We tried multiple providers, both cloud and dedicated, but the attack was not getting stopped by anyone; the customer service was useless at most other places: it's either we get null routed, or hours of back and forth with customer service without any solution.
We moved our servers to OVH; the customer service rep directed us to an engineer within a few minutes. I remember we had to send a few packet captures during an attack to one of their network engineers and, not only did they block the attack in a few hours, the engineer in charge explained exactly what happened. It was such a nice learning experience; that one interaction with them will always make me recommend them.
There are quite a few options, but from what could be heard through the grapevine with Kiwifarms, most turn out to be theoretical once attackers are motivated enough. Think about them what you will, they make a great canary.
Worth mentioning that totalitarianism is often characterized by being the rule of the stupid. Shortsighted actionism and signaling in spite of reality with the resulting corruption growing like a self destructive cancer. Bonhoeffer’s Theory of Stupidity puts it great and Meerloo gives a vivid description of what kind of societies this creates.
edit: Willful naivete is not a good life choice. Staying away from Darwin Awards and not accidentally creating a Fourth Reich both require ongoing effort, no falling asleep at the wheel. History tells you this is a valid risk if you don't consider certain things when acting. With the guys having fought the Nazis advising you to be less stupid to not repeat that. Seeing how horrible that was, maybe at least try to stay away from that instead of just intending to. This is insanely bad on the severity scale and justifies some effort. Reality is clearly lacking a bright red warning sign here with technology offering ever greater levers for less and less intentioned actions.
I cannot overstate how bad of an idea it is to ignore that out of group think/tribalism and ego. It simply does not work and in hindsight you could have known. Failing so badly that nobody risks a "having told you so".