| ▲ | erdaltoprak 10 hours ago |
| At some point we really need to think if this is the web we want, one/two major actors are down and everything goes with it. Not downplaying the immense work of infra / engineering at this scale but my neighborhood local grocery market shouldn’t be down |
|
| ▲ | eptcyka 10 hours ago | parent | next [-] |
| Decentralisation is at some point directly opposed to operational efficiency, when the sun is shining. |
| |
|
| ▲ | karimf 10 hours ago | parent | prev | next [-] |
| It's hard not to use Cloudflare at least for me: good products, "free" for small projects, and if Cloudflare is down no one will blame you since the internet is down. |
| |
| ▲ | graemep 9 hours ago | parent | next [-] | | > if Cloudflare is down no one will blame you since the internet is down. That is true. It is also the problem. It means the biggest providers do not even need to bother to be reliable because everyone will use them anyway. | | |
| ▲ | reassess_blind 9 hours ago | parent [-] | | Well, no. If they are unreliable to the point of being an outlier when compared to the alternatives then people will switch. At this stage they’re not an outlier. | | |
| ▲ | antonyh 9 hours ago | parent | next [-] | | Maybe not, but they are approaching it. I wouldn't use it for anything funded with my own cash, I no longer recommend it as a first choice, but I'm not suggesting it gets replaced yet. It's somewhat in the 'legacy tech' category now in terms of how I perceive it and deal with it. | |
| ▲ | graemep 7 hours ago | parent | prev [-] | | They are often promoted as being more reliable. |
|
| |
| ▲ | Dilettante_ 9 hours ago | parent | prev | next [-] | | "Accountability Sinks" https://aworkinglibrary.com/writing/accountability-sinks | |
| ▲ | timeon 9 hours ago | parent | prev [-] | | > if Cloudflare is down no one will blame you since the internet is down. But this is not really the case. When Azure/AWS were down, same as this one with Cloudflare: a significant amount of the web was down but most of it was not. It just makes it more obvious which provider you use. |
|
|
| ▲ | finghin 10 hours ago | parent | prev | next [-] |
| There’s certainly a business case for “which nines” after the talk of n nines. You ideally want to be available when your competitor, for instance, is not. |
|
| ▲ | saxenaabhi 9 hours ago | parent | prev | next [-] |
| Setting up a replica and then pointing your API requests at it when a Cloudflare request fails is trivial. This way if you have a SPA and as long as your site/app is open the users won't notice. The issue is DNS since DNS propagation takes time. Does anyone have any ideas here? |
| |
| ▲ | viraptor 9 hours ago | parent | next [-] | | > Setting up a replica and then pointing your api requests at it when cloudflare request fails is trivial. Only if you're doing very basic proxy stuff. If you stack multiple features and maybe even start using workers, there may be no 1:1 alternatives to switch to. And definitely not trivially. | |
| ▲ | isodev 9 hours ago | parent | prev | next [-] | | Two domains for your api perhaps, a full blown SPA could try one and then the other. | |
| ▲ | tambre 9 hours ago | parent | prev [-] | | Owning your IP space and using Anycast. | | |
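
The fallback discussed in the comments above (a SPA trying one API domain, then the other) as an added example; it is not code from any commenter. The hostnames, `createFailoverClient`, `isEdgeFailure` and the timeout value are assumptions, and the second origin is assumed to enforce the same TLS, CORS and authentication rules as the first.

```javascript
// Added example: client-side API failover between two origins.
// Hostnames are placeholders (assumptions), not taken from the thread.
const DEFAULT_ORIGINS = ["https://api.example.com", "https://api-direct.example.net"];

// 5xx means "this origin or the edge in front of it is unhealthy".
// 4xx is an application answer (bad auth, not found): never fail over on it.
function isEdgeFailure(status) {
  return status >= 500 && status <= 599;
}

function createFailoverClient({ origins = DEFAULT_ORIGINS, timeoutMs = 3000,
                                fetchImpl = globalThis.fetch } = {}) {
  let preferred = 0; // index of the last origin that answered successfully

  async function tryOrigin(origin, path, init) {
    const ctrl = new AbortController();
    const timer = setTimeout(() => ctrl.abort(), timeoutMs); // hung edge = failure
    try {
      return await fetchImpl(origin + path, { ...init, signal: ctrl.signal });
    } finally {
      clearTimeout(timer);
    }
  }

  return async function request(path, init = {}) {
    const method = (init.method || "GET").toUpperCase();
    // Only replay requests that are safe to send twice; a POST that got a
    // 5xx may already have been processed behind the failing proxy.
    const retriable = method === "GET" || method === "HEAD";
    const errors = [];
    for (let i = 0; i < origins.length; i++) {
      const idx = (preferred + i) % origins.length;
      try {
        const response = await tryOrigin(origins[idx], path, init);
        if (!isEdgeFailure(response.status)) {
          preferred = idx; // stay on the origin that works
          return { origin: origins[idx], response };
        }
        errors.push(`${origins[idx]}: HTTP ${response.status}`);
      } catch (err) {
        errors.push(`${origins[idx]}: ${err.name}`); // network error or timeout
      }
      if (!retriable) break;
    }
    throw new Error("all origins failed: " + errors.join("; "));
  };
}
```

This covers an already-loaded SPA only; the first page load still depends on DNS, which is the open question in the comment above.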
|
|
| ▲ | nuker 9 hours ago | parent | prev | next [-] |
| > At some point we really need to think if this is the web we want, You think we have a say in this? |
| |
| ▲ | louismerlin 9 hours ago | parent | next [-] | | You have the power to not host your own infrastructure on AWS and behind Cloudflare, or in the case of an employer you have the power to fight against the voices arguing for the unsustainable status quo. | | |
| ▲ | reassess_blind 9 hours ago | parent | next [-] | | If you need DDoS mitigation then you essentially need to rely on a third party. Every third party will have inevitable downtime. For many it’s just whether you’d prefer to be down while everyone else is down or not. | |
| ▲ | rwky 9 hours ago | parent | prev | next [-] | | A lot of businesses would accept the rare downtime from Cloudflare in exchange for the DDoS protection. If the internet was always a nice place we wouldn't need Cloudflare and similar :( | |
| ▲ | quaintdev 9 hours ago | parent | prev [-] | | You also have the power to not pay money to big tech |
| |
| ▲ | squigz 8 hours ago | parent | prev [-] | | The HN crowd in particular absolutely has a say in this, given the amount of engineering leads, managers, and even just regular programmers/admins/etc that frequent here - all of whom contribute to making these decisions. |
|
|
| ▲ | severino 9 hours ago | parent | prev | next [-] |
| It's not the web we want, but it's the web corporations want. And everybody else doesn't give a damn. |
|
|
| ▲ | carlosjobim 10 hours ago | parent | prev | next [-] |
| Think about this rationally. If Cloudflare doesn't fix it within reasonable time, you can just point to different name servers and have your problem fixed in minutes. So why be on Cloudflare to start with? Well, if you have a more reliable way then there's no reason. If you have a less reliable way, then you're on average better off with Cloudflare. |
| |
| ▲ | erdaltoprak 10 hours ago | parent [-] | | Well I can't change my NS since it's on Cloudflare too but besides that my personal opinion was not about this outage in particular but more the default approach of some websites that don't need all this tech (yes I really was out of groceries) | | |
| ▲ | carlosjobim 9 hours ago | parent [-] | | Is Cloudflare your domain registrar? In that case, yes I think you should think about being less dependent on them. As for websites which don't need Cloudflare, in my experience almost every website will be DDoS attacked from time to time. | | |
| ▲ | darkwater 9 hours ago | parent | next [-] | | > Is Cloudflare your domain registrar? In that case, yes I think you should think about being less dependent on them. And why should I overthink my architecture now? If I had to manage redundant systems and keep track of circular dependencies I could just keep managing my infra the old way, no? I'm being sarcastic here, obviously, but really one of the selling points for cloud back in the day was "you don't have to care about those details". You just need to care about other details, now. | |
| ▲ | erdaltoprak 9 hours ago | parent | prev | next [-] | | I am personally really happy with Cloudflare for domains, pages and DNS, I don't run critical stuff but some websites are and they should not be lazy about it | |
| ▲ | Semaphor 9 hours ago | parent | prev [-] | | > in my experience almost every website will be DDoS attacked from time to time. The place I work at has been online since 1996, not even a DoS yet, let alone a DDoS. Though we now use CF to filter all that bot traffic. |
|
|
|
|
| ▲ | neop1x 8 hours ago | parent | prev | next [-] |
| We? I am not using it. I never used it and I will not use it. People should learn how to work with a firewall, set up a simple ModSecurity WAF and stop using this bullshit. Almost everything goes through Cloudflare and Cloudflare also does TLS fronting for websites so basically Cloudflare is a MITM spying proxy but no one seems to care. :/ |
|
|
| ▲ | lofaszvanitt 10 hours ago | parent | prev | next [-] |
| Why does everyone need to be behind Cloudflare? I don't think DDOSing sites out of whim is so rampant that everyone needs the virtual umbrella. |
| |
| ▲ | grey413 10 hours ago | parent | next [-] | | It's the web-scrapers. I run a tiny little mom and pop website, and the bots were consistently using up all of my servers' resources. Cloudflare more or less instantly resolved it. | | |
| ▲ | dana321 9 hours ago | parent | next [-] | | Caching would have been the correct answer | |
| ▲ | jwr 9 hours ago | parent | prev [-] | | You mean you outsourced to Cloudflare the decision on who is allowed to view your website. That could be well-intentioned, but it's a risky thing to do, and I would not outsource that decision. Especially as I wouldn't know who failed to get to my website as there is no way to appeal the decision. As a side note, what does your site do that it's possible to use up all server resources? Computers are stupid fast these days. I find it's really difficult to build something that doesn't scale to at least multiple hundreds of requests per second. | | |
| ▲ | grey413 9 hours ago | parent [-] | | You'd be amazed how easy it is to take down a janky decades old LAMP stack. |
|
| |
| ▲ | reassess_blind 10 hours ago | parent | prev | next [-] | | I’ve been DDoS’d countless times running a small scale, uncontroversial SaaS. Without them I would’ve had countless downtime periods with really no other way to mitigate. | |
| ▲ | sznio 9 hours ago | parent | prev | next [-] | | There's plenty of DDoS if you're dealing with people petty enough. The VPS I use will nuke your instance if you run a game server. Not due to resource usage, but because it attracts DDoS like nothing else. Ban a teen for being an asshole and expect your service to be down for a week. And there isn't really Cloudflare for independent game servers. There's Steam Networking but it requires the developer to support it and of course Steam. Valve's GDC talk about DDoS mitigation for games: https://youtu.be/2CQ1sxPppV4 | | |
| ▲ | RKFADU_UOFCCLEL 30 minutes ago | parent [-] | | > And there isn't really Cloudflare for independent game servers And yet game servers still work fine. Which answers this subthread's question ("how likely is it to get DDoSed if you don't have Cloudflare"), answer: not very likely, it happens once in a while at most. |
| |
| ▲ | frameset 10 hours ago | parent | prev | next [-] | | It actually is. I run a small video game forum with posts going back to 2008. We got absolutely smashed by bots scraping for training data for LLMs. So I put it behind Cloudflare and now it's down. Ho hum. | | |
| ▲ | watermelon0 9 hours ago | parent | next [-] | | Have you tried Anubis or similar tools? I've had similar issues with bot scraping of a forum taking all server resources, and using PoW challenge solved the problem. https://github.com/TecharoHQ/anubis | | |
| ▲ | frameset 8 hours ago | parent [-] | | I did! It's very cool tech. However for our config it was easier to slap CF in front of it. I will say one very appealing use of Anubis I'd love to try is using it as a Traefik middleware to protect services running in docker containers. |
| |
| ▲ | trollbridge 8 hours ago | parent | prev | next [-] | | Same problem here. If I didn't use Cloudflare, nearly all of my traffic would be (apparently misconfigured) scraper bots. | |
| ▲ | stevepotter 9 hours ago | parent | prev | next [-] | | Can you please elaborate on “smashed”? I’m very interested | | |
| ▲ | frameset 6 hours ago | parent [-] | | I took a screenshot of the graph in cloudflare when I switched on the bot challenges. https://i.ibb.co/qHCJyY7/image.png I wrote the below to explain to our users what was happening, so apologies if the language is too simple for a HN reader. - 0630, we switched our DNS to proxy through CF, starting the collection of data, and implemented basic bot protections - Unfortunately whatever anti-bot magic they have isn't quite having the effect, even after two hours. - 0830, I sign in and take a look at the analytics. It seems like <SITE NAME> is very popular in Vietnam, Brazil, and Indonesia. - 0845, I make it so users from those countries have to pass a CF "challenge". This is similar to a CAPTCHA, but CF try to make it so there's no "choosing all the cars in an image" if they can help it. - So far 0% of our Asian audience have passed a challenge. |
| |
| ▲ | shaky-carrousel 10 hours ago | parent | prev [-] | | It'd be funny if these bots were run by Cloudflare. | | |
| |
| ▲ | xslvrxslwt 9 hours ago | parent | prev | next [-] | | I was arrested by Interpol in 2018 because of warrants issued by the NCA, DOJ, FBI, J-CAT, and several other agencies, all due to my involvement in running a DDoS-for-hire website. Honestly, anyone can bypass Cloudflare, and anyone that wants to take your website down - will take it down. It's just that luckily for all of us most of the DDoS-4-hire websites are down nowadays but there are still many botnets out there that will get past basically any protection and you can get access to them for basically $5. | | |
| ▲ | olalonde 9 hours ago | parent | next [-] | | > anyone can bypass Cloudflare How? | | |
| ▲ | q3k 9 hours ago | parent [-] | | Plenty of ways to leak the original server IP address if it isn't really well hardened against that (and most aren't). | | |
| |
| ▲ | FridayoLeary 9 hours ago | parent | prev [-] | | One minute, what? Can you elaborate on that. I have loads of questions. What exactly were you doing? What consequences did you face? How come you are talking about it? | | |
| ▲ | xslvrxslwt 8 hours ago | parent [-] | | because I'm from Serbia so I was released immediately instead of actually being jailed like my friend from Croatia ~ |
|
| |
| ▲ | isodev 10 hours ago | parent | prev | next [-] | | There are plenty of alternatives to protect against DDoSing, people like convenience though. “Nobody gets fired for choosing Microsoft/Cloudflare”. We have a culture problem | |
| ▲ | dukeyukey 10 hours ago | parent | prev | next [-] | | Good chance the reason DDOSing isn't so big anymore is because everyone is on Cloudflare. | | |
| ▲ | xslvrxslwt 9 hours ago | parent [-] | | No but because all of us were arrested in 2018 for running DDoS-4-hire services. Bypassing Cloudflare is very easy and I still can fry any of your websites (if I wanted to, just like any other skid) |
| |
| ▲ | BoldColdHold 10 hours ago | parent | prev | next [-] | | DDOSing is absolutely so rampant that you need to be behind something. | | |
| ▲ | shaky-carrousel 10 hours ago | parent | next [-] | | Nope, I'm at hetzner and haven't seen a DDoS in years. | | |
| ▲ | input_sh 9 hours ago | parent | next [-] | | So am I and neither did I... up until a week ago. Now my server's being hammered with bot traffic 24/7. | |
| ▲ | xslvrxslwt 9 hours ago | parent | prev [-] | | Because of 2018 operation "Power OFF" but it's still pretty easy to take anything down. Hetzner has the WEAKEST DDoS protection out of ANYTHING out there - Arbor sucks. Send me your website url and I'll keep it down for DAYS and whenever you cry to hetzner I'll just fry it again, it's that easy and that's why they're the cheapest - because everyone ran away from them back then. | | |
| |
| ▲ | Mordisquitos 9 hours ago | parent | prev | next [-] | | Analogously, arson attacks against businesses in Palermo are absolutely so rampant that they need to be protected by someone. | |
| ▲ | timpera 9 hours ago | parent | prev | next [-] | | I run a few websites with moderate traffic (~900K daily page views total) on the same VPS and never had an issue with DDOS. Is this specific to some industries? | | |
| ▲ | xslvrxslwt 9 hours ago | parent | next [-] | | Literally specific to "did I make this skid angry or not", it takes $5 to DDoS a website (bypassing Cloudflare included) | |
| ▲ | BoldColdHold 9 hours ago | parent | prev [-] | | Depends on what those websites are and how lucky you are. |
| |
| ▲ | lofaszvanitt 10 hours ago | parent | prev | next [-] | | Hm, interesting times we live in. | |
| ▲ | RKFADU_UOFCCLEL 7 hours ago | parent | prev [-] | | > Gooo gooo gaa gaaa look at this basic casus belli I swallowed!!! And yet my website is still up today, and has not been down for years. |
| |
| ▲ | chromehearts 10 hours ago | parent | prev | next [-] | | Cloudflare DDOS protection is super essential (especially for smaller businesses) | | |
| ▲ | Tanath 10 hours ago | parent | next [-] | | DDoS prevention may be essential, but not CloudFlare. | |
| ▲ | Mordisquitos 9 hours ago | parent | prev [-] | | Who is motivated to launch DDoS against smaller businesses? What do they have to gain? | | |
| ▲ | the_bear 9 hours ago | parent | next [-] | | My small SaaS app has been DDoSed a handful of times, always accompanied by an email asking for a ransom in the form of bitcoin. The first time we switched to Cloudflare which saved us. Even with Cloudflare, the DDoS attempts are still damaging (the site goes down, we use Cloudflare to block the endpoints they're targeting, they change endpoints, etc.) but manageable. Without Cloudflare or something like it, I think it's possible that we'd be out of business. | |
| ▲ | xslvrxslwt 9 hours ago | parent | prev [-] | | Anyone that has $5. | | |
| ▲ | Mordisquitos 9 hours ago | parent [-] | | I've also got €5, but I see greater return on investment in spending them on a lottery ticket than in DDoS'ing arbitrary small businesses. | | |
| ▲ | xslvrxslwt 9 hours ago | parent [-] | | I know, but people love the feel of "power", especially when it's cheap or even free |
|
|
|
| |
| ▲ | hennell 10 hours ago | parent | prev | next [-] | | Honestly it kinda is. AI bots scrape everything now, social media means you can go viral suddenly, or you make a post that angers someone and they launch an attack just because. I default to Cloudflare, because like an umbrella I might just be carrying it around most of the time, but in the case of a sudden downpour it's better than getting wet. | |
| ▲ | luckylion 10 hours ago | parent | prev [-] | | It's not super common, but common enough that I don't want to deal with it. The other part is just how convenient it is with CF. Easy to configure, plenty of power and cheap compared to the other big ones. If they made their dashboard and permission-system better (no easy way to tell what a token can do last I checked), I'd be even more of a fan. If Germany's Telekom was forced to peer on DE-CIX, I'd always use CF. Since they aren't and CF doesn't pay for peering, it's a hard choice for Germany but an easy one everywhere else. |
|
|
| ▲ | numpad0 9 hours ago | parent | prev | next [-] |
| BLOCKCHAINS! I mean, some sort of P2P hosting and/or node discovery would be nice. |
|
| ▲ | deadbabe 9 hours ago | parent | prev | next [-] |
| Believe me it’s what people want. The alternative is far worse. |
|