If we're talking about putting static assets (like basic websites) on their CDN, or moving your backend to Workers, (etc...) you are by definition moving _away_ from single point-of-failure.
> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.
Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.
> As they say in security, "no one will burn a zero day on you!". For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"
The last I saw you can hire DDoS as a service for like $5 for a short DDoS, and many hosts will terminate clients who get DDoSed.
I'm waiting for my first DDoS attack at which point I will hide behind Cloudflare. I have all the bits in place to make that a smooth transition but would hate every aspect of it.
The lesson I learned is it's OK to put your site with Cloudflare. It's not ok to put your DNS on a registrar who is also on Cloudflare. We got locked out because our registrar is also on Cloudlfare, and now I can't even switch DNS to get the site back up. Keep your domain name registrar, DNS service provider and application infrastructure provider separately.
Cloudflare tunnels makes it dead simple these days. Like some others in the comments it seems; I'd rather Cloudflare fighting the war against hacker armies than me. Once our networks become compromised from opening our firewalls (possibly even not) our routers and IOT devices become unwillingly complicit in the army that's bringing the internet down.
But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.
Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...
> For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"
If this is their core argument for not using CDN, then this post sounds like a terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives DDoS, your hosts will take down your server. Nobody wants to be in this situation even if for a personal, small blog.
> Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.
I've received death threats. Do I engage in charged political commentary on my site? Not really. Just vaguely left-of-centre stuff in a way that I feel moves the discussion forward (and not even that often). The internet is fun: you're instantly connected to every unhinged asshole lunatic in the world.
Cloudflare does both but some providers do one or the other. You can use any CDN no matter if you use Cloudflare or not (shout-out to Bunny CDN btw, very happy with them - they do one thing and do it well)
I wish online discourses didn't feel like engaging with possible shills for corporations as it did during 2000s, or maybe it didn't. Maybe, we became too aware and critical or maybe there is absolutely no honest discourse possible when commerce, political or even ideological agendas are involved. The best stance should one that presents varied solutions to a common problem.
Unless these sites are your personal pages, oftentimes these decisions to use cloudflare or not are made by the business and money and risk people, not by the operations and other technically-minded employees. They see every other site using cloudflare and ask why they aren't as well.
"No one was fired for buying IBM (or cloudflare)."
Fat chance arguing against the people holding the purse strings.
The lesson for me here is the round robin DNS configuration.
I had an issue with the theme of your site probably not being important anyway. If your site probably isn’t important then it’s probably ok that it’s down too.
Cloudflare is still down and now its been 5+ hours. Having said that, the thing about "if you don't need to" is not that simple. FOr personal sites/blogs, I can agree but then it really doesnt matter for those. For a real business, the value of cloudflare (As centralized as it gets) is the proxy especially against attacks. The other stuff like CDN/Caching etc are bonus on top.
Unless there is a better option, just asking real businesses (no matter how small) to not use cloudflare is not an option.
Don’t trust your traffic to autopilot, get a it back in your hands, take a look into your bots (1), perhaps there is no real need for CloudFlare at all.
All the sites that I'm personally aware of are either NOT behind Cloudflare, are large and targeted, or are behind Cloudflare because they have actually experienced a DDOS attack(s). I don't know of anyone that is just sticking themselves behind Cloudflare willy-nilly.
The one time my company suffered a denial-of-service attack we were able to get support from our colo provider to stop the attack. This was years ago and our provider has been bought a couple of times and while the company has grown the staff are more remote and fewer in number so I'm not sure if we'd get the same support today.
So, every now and then I think about at least putting our assets on a cdn with the option of using it in the case of a ddos attack but then I see things like today and the recent Aws problems and I just get the feeling I should keep everything close.
Usually it's big actors like Facebook, Azure and OpenAI who bombard my servers without any respect or logic. I need to update my access rules constantly to keep them away (using Cloudflare) Sometimes it's clustered traffic, more classic DDoS, from China, Russia or America. That I could easily filter with the DDos protection from my hosting (which is cheaper than cloudflare anyway)
What should I do if not Cloudflare to block with "complex rules" that is strong enough to survive hundreds of concurrent requests by big companies?
I have several tiny blogs behind Cloudflare. I'm not going to change a thing because of an exceptional event happening, and I think knee-jerk pontificating or being reactionary is extremely unproductive.
And DDOS is hardly my concern, and was never the reason I went to CF in the first place, so the whole foundation of this seems to be a strawman.
this. despite all the ghost stories and war stories. it’s how apple sells you the watch to save you from that bear attack or that time you got trapped somewhere.
the stories are real, and in some cases you may need it — in most cases you don’t. and it clearly doesn’t always protect you.
110 comments
[ 5.2 ms ] story [ 88.2 ms ] threadYou’d see those same errors if someone took their own site down while working on it , probably accidentally
> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.
Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.
The last I saw you can hire DDoS as a service for like $5 for a short DDoS, and many hosts will terminate clients who get DDoSed.
I am hosted on Cloudflare but my stack is also capable of running on a single server if needed, most libraries are not design with this in mind.
I’m also wondering if all these recent outages are connected to cyber attacks, the timing is strange.
But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.
Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...
If this is their core argument for not using CDN, then this post sounds like a terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives DDoS, your hosts will take down your server. Nobody wants to be in this situation even if for a personal, small blog.
I've received death threats. Do I engage in charged political commentary on my site? Not really. Just vaguely left-of-centre stuff in a way that I feel moves the discussion forward (and not even that often). The internet is fun: you're instantly connected to every unhinged asshole lunatic in the world.
Cloudflare does both but some providers do one or the other. You can use any CDN no matter if you use Cloudflare or not (shout-out to Bunny CDN btw, very happy with them - they do one thing and do it well)
"No one was fired for buying IBM (or cloudflare)."
Fat chance arguing against the people holding the purse strings.
I had an issue with the theme of your site probably not being important anyway. If your site probably isn’t important then it’s probably ok that it’s down too.
Unless there is a better option, just asking real businesses (no matter how small) to not use cloudflare is not an option.
Don’t trust your traffic to autopilot, get a it back in your hands, take a look into your bots (1), perhaps there is no real need for CloudFlare at all.
1. https://github.com/tirrenotechnologies/tirreno
So, every now and then I think about at least putting our assets on a cdn with the option of using it in the case of a ddos attack but then I see things like today and the recent Aws problems and I just get the feeling I should keep everything close.
Usually it's big actors like Facebook, Azure and OpenAI who bombard my servers without any respect or logic. I need to update my access rules constantly to keep them away (using Cloudflare) Sometimes it's clustered traffic, more classic DDoS, from China, Russia or America. That I could easily filter with the DDos protection from my hosting (which is cheaper than cloudflare anyway)
What should I do if not Cloudflare to block with "complex rules" that is strong enough to survive hundreds of concurrent requests by big companies?
And DDOS is hardly my concern, and was never the reason I went to CF in the first place, so the whole foundation of this seems to be a strawman.
the stories are real, and in some cases you may need it — in most cases you don’t. and it clearly doesn’t always protect you.