110 comments

[ 5.2 ms ] story [ 88.2 ms ] thread
I think the big error here is thinking cloud flare is DDoS when it’s an entire self contained platform with workers and pages etc..

You’d see those same errors if someone took their own site down while working on it , probably accidentally

If we're talking about putting static assets (like basic websites) on their CDN, or moving your backend to Workers, (etc...) you are by definition moving _away_ from single point-of-failure.

> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.

Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.

> As they say in security, "no one will burn a zero day on you!". For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"

The last I saw you can hire DDoS as a service for like $5 for a short DDoS, and many hosts will terminate clients who get DDoSed.

I'm waiting for my first DDoS attack at which point I will hide behind Cloudflare. I have all the bits in place to make that a smooth transition but would hate every aspect of it.
I don't consider Cloudflare part of the "real" internet anymore, instead it's a private intranet that got too big.
Enterprise self hosting is an expensive nightmare for most companies. I think it is time to discuss multi cloud deployments to escape outages.

I am hosted on Cloudflare but my stack is also capable of running on a single server if needed, most libraries are not design with this in mind.

I’m also wondering if all these recent outages are connected to cyber attacks, the timing is strange.

The lesson I learned is it's OK to put your site with Cloudflare. It's not ok to put your DNS on a registrar who is also on Cloudflare. We got locked out because our registrar is also on Cloudlfare, and now I can't even switch DNS to get the site back up. Keep your domain name registrar, DNS service provider and application infrastructure provider separately.
Cloudflare tunnels makes it dead simple these days. Like some others in the comments it seems; I'd rather Cloudflare fighting the war against hacker armies than me. Once our networks become compromised from opening our firewalls (possibly even not) our routers and IOT devices become unwillingly complicit in the army that's bringing the internet down.
Fun fact: a whole bunch of local (as opposed to global: the distinction here is important) Cloudflare-related outages were caused by exactly this thinking: see https://blog.cloudflare.com/going-bgp-zombie-hunting/ and related HN discussion at https://news.ycombinator.com/item?id=45775051

But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.

Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...

The xkcd comic does not apply. Goes to show that a very big block holding everything is equally bad.
Using cloudflare really helps cut the bandwidth bill for free for smaller self-hosted sites. That was my primary motivation - not security.
> For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"

If this is their core argument for not using CDN, then this post sounds like a terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives DDoS, your hosts will take down your server. Nobody wants to be in this situation even if for a personal, small blog.

Also: AI scrapers. Which have already been documented to basically DDOS sites.
> Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.

I've received death threats. Do I engage in charged political commentary on my site? Not really. Just vaguely left-of-centre stuff in a way that I feel moves the discussion forward (and not even that often). The internet is fun: you're instantly connected to every unhinged asshole lunatic in the world.

CDN is not the same as DDoS protection.

Cloudflare does both but some providers do one or the other. You can use any CDN no matter if you use Cloudflare or not (shout-out to Bunny CDN btw, very happy with them - they do one thing and do it well)

I wish online discourses didn't feel like engaging with possible shills for corporations as it did during 2000s, or maybe it didn't. Maybe, we became too aware and critical or maybe there is absolutely no honest discourse possible when commerce, political or even ideological agendas are involved. The best stance should one that presents varied solutions to a common problem.
Unless these sites are your personal pages, oftentimes these decisions to use cloudflare or not are made by the business and money and risk people, not by the operations and other technically-minded employees. They see every other site using cloudflare and ask why they aren't as well.

"No one was fired for buying IBM (or cloudflare)."

Fat chance arguing against the people holding the purse strings.

The lesson for me here is the round robin DNS configuration.

I had an issue with the theme of your site probably not being important anyway. If your site probably isn’t important then it’s probably ok that it’s down too.

How is this article anything other than advice on "you shouldn't have a single point of failure "?
Cloudflare is still down and now its been 5+ hours. Having said that, the thing about "if you don't need to" is not that simple. FOr personal sites/blogs, I can agree but then it really doesnt matter for those. For a real business, the value of cloudflare (As centralized as it gets) is the proxy especially against attacks. The other stuff like CDN/Caching etc are bonus on top.

Unless there is a better option, just asking real businesses (no matter how small) to not use cloudflare is not an option.

Cloudflare is nice for things like ZTNA, but only a very few need to use their caching services, 90% are just lazy devsoops people
All the sites that I'm personally aware of are either NOT behind Cloudflare, are large and targeted, or are behind Cloudflare because they have actually experienced a DDOS attack(s). I don't know of anyone that is just sticking themselves behind Cloudflare willy-nilly.
The one time my company suffered a denial-of-service attack we were able to get support from our colo provider to stop the attack. This was years ago and our provider has been bought a couple of times and while the company has grown the staff are more remote and fewer in number so I'm not sure if we'd get the same support today.

So, every now and then I think about at least putting our assets on a cdn with the option of using it in the case of a ddos attack but then I see things like today and the recent Aws problems and I just get the feeling I should keep everything close.

I get constantly attacked.

Usually it's big actors like Facebook, Azure and OpenAI who bombard my servers without any respect or logic. I need to update my access rules constantly to keep them away (using Cloudflare) Sometimes it's clustered traffic, more classic DDoS, from China, Russia or America. That I could easily filter with the DDos protection from my hosting (which is cheaper than cloudflare anyway)

What should I do if not Cloudflare to block with "complex rules" that is strong enough to survive hundreds of concurrent requests by big companies?

I have several tiny blogs behind Cloudflare. I'm not going to change a thing because of an exceptional event happening, and I think knee-jerk pontificating or being reactionary is extremely unproductive.

And DDOS is hardly my concern, and was never the reason I went to CF in the first place, so the whole foundation of this seems to be a strawman.

this. despite all the ghost stories and war stories. it’s how apple sells you the watch to save you from that bear attack or that time you got trapped somewhere.

the stories are real, and in some cases you may need it — in most cases you don’t. and it clearly doesn’t always protect you.

I don't think anyone is arguing that.. the truth is that all these big companies do actually need to