> For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"
If this is their core argument for not using a CDN, then this post sounds like terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives a DDoS, your host will take down your server. Nobody wants to be in this situation, even for a personal, small blog.
If you added up all the outage time caused by DDOS and all the outage time caused by being behind auxiliary services that have their own outages... I wonder which would be larger?
I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?
> I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?
Have you experienced a targeted DDoS attack on your personal site? I have. I too had this attitude like yours when I didn't know how nasty targeted DDoS attacks can get.
If you're not too worried about someone DDoSing your personal site, then your host taking your website down and then you having to run circles around their support staff to bring back the website up again, then I guess, you don't have a problem. It's nice that you don't care. (Honestly speaking. Not being sarcastic at all.)
Personally, I wouldn't mind DDoS on my personal site if the problem was just the DDoS. Unfortunately, mostly it isn't. A DDoS has other repercussions which I don't want to deal with exactly because it's a personal site. I just don't want to spend time with customer support staff to find out if and when I can bring my website back up again. DDoS on my personal website by itself isn't all that bad for me. But having to deal with the fallout is a pain in the neck.
Yeah I suppose by "doesn't work" I should clarify that maybe it is doing something and preventing some attacks, and that it doesn't take down my server. With that being said, it has certainly failed to mitigate attacks on numerous occasions that cf would've.
No, in the cases 'throwaway150 and I are talking about, your site is not back up. You (hopefully) got an email in your inbox saying your hosting provider has decided to take your website offline because of anomalous traffic or whatever, and after the attack ends you’ve got at least a couple of days of back and forth with support ahead of you before your downtime is actually over.
So until daddy's credit card runs out, plus two days. A shame, but it still doesn't cause meaningful harm.
Or get a different provider. Some are faster to respond. I had a false positive DDoS detection from netcup once (I was scraping an FTP site in active mode) and they automatically routed my IP through a DDoS scrubbing service, and automatically stopped that when an attack was no longer detected. I don't know what they have set up to be able to reroute a single IP globally like that - they agreed with some of their upstreams, to allow the occasional /32 for DDoS protection purposes.
I'm less scared of the hoster pulling down your site - not the end of the world - than of them deciding to charge you bandwidth fees for all the MS-DOS attacks. The former presumably has no financial impact; the latter, potentially brutal.
Off-topic, but there are six different people using the word "hoster" in this thread. I've never heard that word used instead of "host" or "hosting service" before, and yet here it's somehow prevalent. I feel like I'm having a stroke, or I just stepped into an alternate universe. Where did you all pick up that word?
This is too naive, sorry. Hetzner will disconnect you (and ban you if the DDoS is too long), same as OVH. It works mostly for brutal UDP flooding, but you will not be protected against sophisticated attacks such as a swarm of Puppeteers hosted on infected machines by the millions; those "new DDoS modes" are offered by most DDoS providers.
Likely true, but now you can go back to the original statement: the issue isn't really that the service isn't available for a while... It's that the hoster will remove your server.
Your server will keep existing if Cloudflare just drops their free service, effectively going down for the DDoSers but still available for your own access directly.
Except that Cloudflare is geared towards DDoS protection - i.e. you can monitor, get alerts, turn on temporary protection, etc. It can do this because that's its main business. It's not possible to have the same expectations from infra providers like Hetzner.
Citation needed. I know folks using the free plan that have gotten DDoS'd and Cloudflare kept them online. Can you point me to an article where Cloudflare disconnected someone for getting attacked?
They definitely used to do this ca. 2011-2012, any bigger attack and they'd drop you right away if you were on a free plan (and slightly slower if you weren't). But well, that was almost 15 years ago.
Handled hundreds of dedicated servers for different projects over the last 20 years. Yes, OVH literally does ban accounts, and Hetzner nullroutes your service at first if it's an elaborate attack.
This is mostly scaremongering, not all hosting providers take your site down just because someone you pissed off decided to DDoS you.
In Russia (I have nothing against Russia - I just know this info about "Дождь ТВ"), some news websites have been targeted by state-backed DDoS attacks, but I highly doubt most people are in this category.
Did they put it back up when the DDoS ended? If so, they're not hurting you since it's no worse than the DDoS itself, and they're actually helping you by preventing themselves from having a reason to ban you to save the rest of their sites.
You keep saying stuff like "the fallout" and "the repercussions" but then the only example you can provide is talking to customer service to bring your stuff back online. Is that it? Honestly speaking, not being sarcastic at all.
So the internet is a series of pipes, or tubes, whatever. This quintessential personal blog website is hosted somewhere in this interconnected mess of things. There's a hierarchy of these pipes/tubes, and they all have some ever-diminishing capacity as they head from a mythical center to the personal blog website.
When the bad guys want to DDoS the personal blog website they don’t go and figure out the correct amount they need to send to fill up that pipe/tube that directly connects the personal blog website, they just throw roughly one metric fton at it. This causes the pipes/tubes before the personal blog website to fill up too, and has the effect of disrupting all the other pipes/tubes downstream.
The result is your hosting provider is pissed because their infrastructure just got pummeled, or if you’re hosting that on your home/business ISP they also are pissed. In both cases they probably want to fire you now.
This is incorrect. Any decent host/ISP will instead (automatically, sometimes) emit a blackhole request for the given target IP address to their upstreams, causing the traffic to be filtered there (at the 'larger pipe'). In turn, these upstreams can also pass on the same blackhole request further up if necessary. This means the target is down from the point of view of the Internet, but there is no collateral damage.
Interesting, I didn't realise blackholes were special-cased to allow BGP announcements of /32 instead of the usual /24 or larger. I'd just assumed (like the GP) that the traffic ended up on the target's closest network to the source and only then was it filtered.
How? Isn’t it more like the difference between carrying an umbrella every day and ducking into the corner shop to buy one when you notice it’s raining?
That's a good analogy since the corner shop is going to be sold out of their small stock of umbrellas during the rain storm so you won't be able to buy one until the rainstorm is over but at least you'll have protection for the next storm. If staying dry is important to you, you should buy the umbrella before the rain.
That continues the analogy -- it doesn't rain often in the desert, but almost all deserts receive rain. And since it rains so rarely, you're certainly not going to find an umbrella during the rainstorm.
So again, if staying dry in the rain is important to you, buy an umbrella before the rain, if you don't care about getting wet from time to time, then no need for the umbrella.
While the personal blog owner may not care about DDoS related downtime, he may face extra usage charges due to higher bandwidth, CPU usage, etc that he'd like to avoid.
1 person using an umbrella, 4 are not. I'm starting to doubt if you're even human given that normal people don't go throughout their entire lives always carrying an umbrella wherever they go, even when it might rain.
Depends on the distribution of accidents and the distribution of costs. If P(ddos) * Cost(ddos) < P(no ddos) * P(cloudflare outage) * Cost(cloudflare outage) then you would be better off not using Cloudflare.
This is not considering other issues with Cloudflare, like them MITMing the entire internet and effectively being an unregulated internet gatekeeper.
My site being down for a couple days is not an unacceptably large loss, unlike an uninsured car being wrecked.
It also isn't a good analogy because insurance doesn't apply retroactively to wrecks that happened before start of term, and is event-based rather than providing continuous value.
I thought that's why it's a good analogy - DDoS protection doesn't apply retroactively to prior attacks (or even current attacks, it's hard to apply DDoS protection while your site is down due to DDoS). If you want protection from DDoS, you need it before the DDoS. If you want to insure your car in case of accident, you need to insure it before the accident.
Sounds reasonable if the car insurance could magically and near instantly fix your car, undo all the property damage and no one could get injured.
Insurance for physical things is different from insurance for services; they don't map as an analogy. A better one would be: because you buy a new car every hour, it's like buying insurance for every car after someone steals your 700th car. That prevents your car from getting stolen.
That's like saying my personal blog going down is as impactful to my health and finances as getting into an automobile accident.
Assume a "personal" blog or site is not making money for the owner, and they have backups of the site to restore if the VM gets wiped or defaced. Why spend money on DDoS protection if it is unlikely to ever occur, much less affect someone monetarily?
Depending on the host, you may get charged a big bill for traffic. If you're hosting at home, your ISP may blackhole all traffic to your residence (affecting your day job and being a nightmare). When it comes to DDoS, most providers are quick to blackhole, and slow to unfreeze, without getting the run around.
No, it's like saying you should buy a new battery after your battery dies. Yeah, it's nice to have a spare battery around, I guess, but it's not like your battery dying will significantly ruin your finances.
It's more like buying the plug-in version after the battery dies...
You already experienced the downtime, so if not having downtime was a goal you already failed. If avoiding downtime is not important then there's no reason to add anti-downtime capability to your system. The most charitable modeling of this approach is that the downtime incident may prompt one to realize that avoiding downtime actually is an important property for their system to possess.
The actual charitable model is that you expect close to zero attacks, but if you actually get hit your expected rate of future attacks goes up by an order of magnitude or two. And it's that change in expectations that gets you to buy protection.
You don't care about going down once, you do care about frequent outages. And you know this from the start, you don't realize it later.
Yes, the original assessment was wrong. Such things happen all the time to reasonable people.
The person you were describing in your "most charitable" version above was not being reasonable. They didn't just underestimate the petty anger of the internet, they were being fundamentally foolish about their own desires. That's why I replied, to show you a different way someone could end up in this position.
In the cloud you should be able to turnkey this quite easily. I think in a DC this can be a bit more tricky because you will still be getting traffic from the DoS to your network interface after you have flipped the switch to Cloudflare. This traffic will cause both you and your provider a problem. But I think the idea is you would have two sets of IPs, one for the normal public hosting and one for the Cloudflare proxy; then when you come under DoS attack you have a process in place for BGP to stop advertising the normal public hosting IPs and you switch to Cloudflare. I presume if BGP stops advertising the IPs then eventually you will stop getting the DoS traffic.
> When you become under DOS attack you have a process in place for BGP to stop advertising the normal public hosting IPs and you switch to cloudflare.
You think people hosting personal sites are going to even have the access to manage their IPs with BGP? It's not something I've seen offered at that scale / pricing.
This strategy requires you to be "on-call" for personal stuff. Honestly, I don't want to spend more time on pet projects than I already do. Or cutting some of it away on support instead of spending more on things I would actually be interested in.
And resulting downtime might be even bigger than that with cloudflare.
> then your host taking your website down and then you having to run circles around their support staff to bring back the website up again
These are very different situations. With a DDoS the disruption ends when the attack ends, and your site should become available without any intervention. Your host taking down your site is a whole different matter, you have to take action to have this fixed, waiting around won't cut it.
It is obvious those two are very different situations. I'm not sure I understand your point. Yeah, nobody will be bothered by a short 15 minute DDoS attack. I prolly wouldn't even notice it unless I'm actively checking the logs. Sure, nobody is going to be bothered by that. But what if someone's DDoSing persistently with a purpose? Maybe they're just pissed at you.
My point is... a sustained DDoS attack will just make your host drop you. So one situation directly leads to another and you are forced to deal with both situations, like it or not.
> It is obvious those two are very different situations. I'm not sure I understand your point.
Your host taking down the site and forgetting to bring it back up after a DDoS attack isn't a common thing with any host, unless it's the kind that does this routinely even without a DDoS. And then you should look long and hard at your choice of hosting.
Either you suffer from a DDoS attack and come back when it's over, or you have a host that occasionally brings your site down and fails to bring it up until you chase them. But one does not follow the other without a lot of twisting.
I'm pretty sure in every webhost terms of service I've ever read they leave language in to kick you out if you are degrading the service for others. Turns out a prolonged DDoS attack is degrading the service for others. The bigger cloud providers are drastically less likely to drop you but now you're paying a premium on hosting.
How does taking the site down stop the DDOS attack?
Isn't the host network still being bombarded by garbage packets, even if there isn't anything there listening?
Or is routing the destination IP to /dev/null enough to blunt the attack?
I know there are different kinds of attacks (e.g. some that are content based, impacting the individual server), but I thought most of them were just "legit" requests storming through the door that the server can't keep up with.
Having the site taken down after the fact, as a "risk to infrastructure" that the host can't afford, that's a different issue.
Forgiveness not necessary, these are good questions.
Internet packets have to travel through many routers between the source of the attack and the server they're attacking, and at each step the routers usually get smaller. The smaller routers are less able to withstand the amount of traffic destined for one server, which means they can't route traffic to all the other servers that are not under attack. A common strategy is to drop the traffic at a much farther away server, thus protecting the smaller routers, thus protecting all the other servers.
The host network would definitely still be affected by the DDoS, which is why the strategy is often to "blackhole" the traffic farther away from the individual server racks.
I see people say "route traffic to /dev/null" all the time, but I personally try to reserve that for the individual servers or the nearest router, just to avoid your exact confusion.
Depending on how well designed any specific network is, the "hug of death" which has taken down many sites would also degrade the performance of the peers next to that server. Which is why many ISPs are quick to block the traffic farther away. To protect not you but their other customers.
To be fair (pedantic), if it's part of a DDoS, it's not a legit request. Depending on the capabilities of the attackers, they will either choose obviously invalid requests because those take longer to process, or exclusively valid requests which take longer to process. It is, generally speaking, much easier to send valid, well-formed requests because that's what most libraries exist to do. You're often writing custom code if you want to send an invalid request, because that is a bug in other cases.
A good example of an invalid request is setting up TLS, transmitting a partial packet, and then closing the connection (or leaving the TCP connection open). This one can be particularly expensive and much harder to detect.
> How does taking the site down stop the DDOS attack?
When people say "take the site down", in this context, they often mean one of two things: either changing the DNS configuration to point to a different IP address (or none at all), or "null routing" traffic to the under-attack IP at an edge router, edge in this case meaning their upstream ISP or other network peer (farther from the victim server). I object to both uses because the specificity is important. When I say "take down the server", I almost always mean quit [nginx] or power off the box.
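What the "blackhole request to the upstream" described earlier in this thread, and the /32 announcement and "null routing at an edge router" discussed just above, actually look like on the wire, as an added example in FRRouting syntax (not configuration posted by anyone in the thread). It assumes the hosting provider is AS 64500 with the prefix 203.0.113.0/24 and the attacked host 203.0.113.10, that the upstream is AS 64496 peering over 192.0.2.1/192.0.2.2, and it uses the well-known BLACKHOLE community 65535:666 from RFC 7999.

```text
! --- Hosting provider's edge router (AS 64500, FRRouting) ---
! Discard the attacked address locally, then announce ONLY that /32 to the
! upstream, tagged with the BLACKHOLE community so the upstream drops it too.
ip route 203.0.113.10/32 Null0
!
ip prefix-list OUR-AGGREGATE seq 10 permit 203.0.113.0/24
ip prefix-list RTBH-HOSTS    seq 10 permit 203.0.113.0/24 ge 32
!
! Normal aggregate goes out untouched; static /32s go out tagged 65535:666.
! Everything else hits the route-map's implicit deny and is never announced.
route-map TO-UPSTREAM permit 10
 match ip address prefix-list OUR-AGGREGATE
!
route-map TO-UPSTREAM permit 20
 match ip address prefix-list RTBH-HOSTS
 set community 65535:666 additive
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 address-family ipv4 unicast
  network 203.0.113.0/24
  redistribute static
  neighbor 192.0.2.1 route-map TO-UPSTREAM out
 exit-address-family

! --- Upstream / transit router (AS 64496) ---
! Accept the customer's /24 as usual. Accept a /32 ONLY when it is both inside
! the customer's own space and tagged BLACKHOLE (the special case that lets a
! /32 through filters that otherwise reject anything longer than /24), and point
! it at a discard next-hop so the flood is dropped here, at the larger pipe,
! instead of saturating the customer's links.
ip route 192.0.2.254/32 Null0
!
bgp community-list standard BLACKHOLE permit 65535:666
!
ip prefix-list CUST-AGGREGATE seq 10 permit 203.0.113.0/24
ip prefix-list CUST-RTBH      seq 10 permit 203.0.113.0/24 ge 32
!
route-map FROM-CUSTOMER permit 10
 match ip address prefix-list CUST-AGGREGATE
!
route-map FROM-CUSTOMER permit 20
 match ip address prefix-list CUST-RTBH
 match community BLACKHOLE
 set ip next-hop 192.0.2.254
 set local-preference 200
 ! no-export keeps the /32 inside AS 64496; remove it to hand the request
 ! further up to transit providers that also honour 65535:666.
 set community no-export additive
!
router bgp 64496
 neighbor 192.0.2.2 remote-as 64500
 address-family ipv4 unicast
  neighbor 192.0.2.2 route-map FROM-CUSTOMER in
 exit-address-family
```

Unlike quitting nginx or powering off the box, this never lets the attack traffic reach the rack uplink at all; only 203.0.113.10 disappears from the Internet, and the provider's other customers keep their bandwidth. Withdrawing the static /32 after the attack ends withdraws the announcement and restores reachability without a support ticket.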
It sounds like OP is describing a situation where someone persistently DDOS's them as long as it works. In which case DDOS time trivially dominates cloudflare outage time. Note that OP is posting, even now, from an anon account.
Oh sorry, not you. The OP in the chat thread, they were DDOS'ed by someone and are commenting anonymously. Maybe grandparent is the correct word for it, in any event this is the comment I was referring to when I said OP, not your article: https://news.ycombinator.com/item?id=45966683
For our SaaS, the uptime probably isn't much different but the cost definitely is. If any of your stack has usage based billing, things can get very expensive quickly.
My blog was constantly going down for unknown reasons, with nothing obvious in the logs. I migrated it to CloudFlare and was able to track down the root-cause of the issue.
I also blocked all the AI crawlers after moving to CloudFlare and have stopped a huge amount of traffic theft with it.
My website is definitely much more stable, and loads insanely faster, since moving to CloudFlare.
I don't give a penny to CloudFlare to be clear, and I would definitely not pay for those services for my blog.
It's not because it's not a criticism that it's a sponsored post.
I happen to have multiple sites that use the same technology (WordPress, with the same few plugins and the same theme) running on the same server, with one behind CloudFlare and one not. Left value is with CloudFlare, right is without:
- First Contentful Paint: 0.4s - 0.7s
- Largest Contentful Paint: 0.8s - 0.9s
- Total Blocking Time: 0 ms - 0 ms
- Cumulative Layout Shift: 0 - 0
- Speed Index: 0.4s - 8.9s
The difference is quite staggering, and I'm located pretty close to my server (a Hetzner VPS), I can't imagine the difference for someone that lives across the world.
There's no CF magic here. If you're improving from 0.4s to 8.9s that means you're not doing basic caching on your side and you could achieve this in your local nginx/whatever as well. The 0.3s saving on first paint is nice, but could be achieved with putting your assets in any kind of distributed provider, not just CF.
I never said the contrary, but there's a lot of "basic" things you need to set up on your own that CloudFlare (or any equivalent) does out of the box: caching, SSL certificate, basic analytics, filtering bots, etc.
Add all this together and you have an extremely not basic setup at all anymore.
> Sure, but your post reads like an infomercial, hence the snark.
Re-reading it you're right, but ultimately the last sentence aims at directly answering this question from the parent:
> If you added up all the outage time caused by DDOS and all the outage time caused by being behind auxiliary services that have their own outages... I wonder which would be larger?
I'm quite sure something else is going on here. Adding another hop generally shouldn't improve performance, especially if you are close by to the server.
What are the response times of requests between CF and accessing them directly?
The tides are turning against CF it seems.. they used to have a lot of HN support, but lately every thread about them is just a mess of MITM accusations and "too much of the internet is behind them".
The downtime caused by DDoS. It's now an endemic problem in the modern internet. Even relatively tiny communities suffer from it, because it's so damn easy to do.
It's like insurance. If you add up everyone's medical expenses, it's less than we all pay for insurance. But if you're the one getting hit, it matters a lot.
I mean I'm not worried about it either, but I've been on the internet long enough that I know some of the people I used to know will probably do it just to do it. Gamers can be quite toxic.
> Nobody wants to be in this situation even if for a personal, small blog.
I would gladly be in this situation if it otherwise lets me remove a large source of complexity, avoid paying a few bucks, and avoid increasing the avoidable centralization of the Internet on my personal, small blog.
Maybe I'd change my mind if it continues happening, or if I didn't have unlimited traffic (which is a very bad idea for many reasons other than DDoSes for personal sites), but otherwise, enabling Cloudflare for a hypothetical without consequences seems like pretty extreme premature optimization.
I'm behind Starlink, which is NAT'd to a shared public IP address, and I refuse to pay for hosting, so Cloudflare is how https://potateaux.com is on the Web. Of course nobody looks at it because there's very little there besides a cool landing page and a couple of JavaScript gags, so one outage per lifetime is a perfectly acceptable cadence in exchange for $0 in Cloudflare service costs :)
Ok, this is definitely even cooler than self-hosting a blog on Hetzner :) How are you using Cloudflare for this? Via Cloudflare Tunnel?
I'm currently unfortunately also behind double NAT, and my home server has been unreachable ever since as a result. I've been torn between using Tailscale Funnel, Cloudflare Tunnel, possibly a VPN with public IPs, or rolling my own thing based on reverse SSH forwarding to a Linux server with a public IP.
Here's your confusion: personal sites don't need a valid security strategy. They don't need nine nines uptime. They don't need CDN, and ability to deploy, etc, etc. That's all (and forgive the origins of the expression but it is the most accurate description) cargo culting. There's no issue if they're down for a couple days. Laugh it off.
Whereas if you put your site behind the defaults of a Cloudflare denial-of-service wall, then real human people won't be able to access your site for as long as you use Cloudflare. That's much longer and many more actual humans blocked than any DDoS from some script kiddie. Cloudflare is the ultimate denial of service to everyone that doesn't use Chrome or some other corporate browser.
And forget about hosting feeds on your website if you're behind cloudflare. CF doesn't allow feed readers because they're not bleeding edge JS virtual machines.
What's the actual cost to me of my blog being offline for a few hours? Basically nothing. Certainly less than the couple of bucks someone might spend on a DDoS service.
Usually when a small blog goes down it's not a DDoS, it's that a post has gone viral (e.g. hits the front page of HN), and it going down can absolutely cost a lot (depending on the goal of the blog).
Do you think a world where all the commercial websites are centralized, but personal blogs are not, is that different than a world where blogs are also centralized?
What is the benefit to having small blogs be decentralized?
If cloudflare decides they don’t want to be your CDN, you could just move off of cloudflare, and be in the same situation you would be in if you never used them. You aren’t locked in.
And thus, the lemmings walk straight off the cliff.
There seem to be two views. One forward looking and one not. The forward looking view appropriately recognizes the threat of centralization. Centralization crushes small businesses (and small blogs), leads to censorship (see youtube et al.), and destroys competition. No one on the planet can compete with cloudflare pound for pound and thus if they decide your site is bad based on $CURRENT_ZEITGEIST you're SOL. You may as well not exist. We already have plenty of evidence from 2016 to now of this occurring via a large conspiracy between big tech and government.
The non-forward looking view naively closes their eyes and says "well we aren't there yet so what does it matter". This is how rights erode. It is a shame people with this view are allowed to vote and breed.
I'm amazed at the responses saying something like, "It's great because when you go down, you can point to the BBC and say, it's not our fault, everyone is down." That should be the clue that this gives them enormous power. It's also bad for overall resilience. Better that businesses go offline more often in an uncorrelated manner, than go offline less frequently but simultaneously. I guess it's great if all you care about is not catching blame.
I am suggesting you host your website on your own server somewhere, and then you put it behind cloudflare. You still have your own host, just the same as you would without cloudflare. You are still providing your non-cloudflare host with the same revenue you would if you didn't use cloudflare, so I am not sure how that would hurt the ecosystem.
The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
> I am suggesting you host your website on your own server somewhere, and then you put it behind cloudflare
I'd rather advocate for a solution that doesn't induce centralization. Because that still does. It's a weird suggestion to pay twice. I'm assuming in your hypothetical, cloudflare not only doesn't ever go down, but also absorbs only malicious traffic, and not any organic? Why should cloudflare do that and not my primary host? I'll assume I have XX to spend on hosting; you don't see how, if I have to also allocate some of that to cloudflare in addition to the real host, that might limit what the real host can charge? If the real host can't charge enough to fund R&D on services like basic DDoS or other traffic shaping, wouldn't that mean I've then become dependent on cloudflare? And now hey, cloudflare has other services, and I don't like the extra overhead of paying multiple services... I'll just move everything to cloudflare because they're bigger and do both... and now the small host is gone.
sigh
> The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
I'm comparing cloudflare to any species that enters an existing system that has developed a natural ecological balance that includes diversity. Which then proceeds to grow for the sake of growth, consuming resources at an unsustainable rate; destroying the diversity that previously existed.
Destroying that diversity is bad because that diversity is what gives the system as a whole resistance to catastrophic events.
Like huge parts of the Internet going down because someone wanted to ship their project before the holidays, in time for their perf review.
The argument being: we should view cloudflare's growth, and consumption and takeover of the resources of the Internet as a whole, similar to the way we view other invasive species. It destroys the good parts of an existing system in a way that is almost impossible to recover from. Resulting in a much more fragile system. One that's now vulnerable to single events that take down "everything". A healthy system would be able to absorb such an event without destabilizing the whole thing.
The invasive species is cloudflare, and it's consuming and replacing large existing sections of the Internet; which gains much of its strength and resilience from it being distributed amongst its peers.
> I'd rather advocate for a solution that doesn't induce centralization. Because that still does. It's a weird suggestion to pay twice. I'm assuming in your hypothetical, cloudflare not only doesn't ever go down, but also absorbs only malicious traffic, and not any organic? Why should cloudflare do that and not my primary host? I'll assume I have XX to spend on hosting, you don't see how if I have to also allocate some of that to cloudflare, in addition to the real host
You don't have to pay cloudflare anything at all for them to act as CDN and provide basic DDoS protections.
> You don't have to pay cloudflare anything at all for them to act as CDN and provide basic DDoS protections.
I object to centralization and consolidation of power, how is this not both?
I'll duplicate my follow up question, from a sister thread.
If I actually start using the DDoS protection or other services... will cloudflare cut me off unless I pay? Will that charge be exorbitant? Does that behavior feel like extortion? Have they done that before?
> If everything is centralized then nobody can discuss topics that have been decided to be off limits by the moderation teams at a few large companies.
Nice, you root caused it too. I couldn't agree more.
Do I think people who want to do X should have some modicum of morals? Yes I do, but I can't fully blame them when ethics is not taught in most schools, least of all computer sciences.
First, let's stop perpetuating this destructive meme that running nginx on a VPS is rocket science, and fraught with peril; at least not on a forum of so-called hackers.
Many users not being able to access it simply because of their choice of OS or browser. I regularly can't access websites on my OpenBSD machines running Firefox with "strict" privacy settings, or "resist fingerprinting" enabled. CloudFlare has decided my browser is suspicious :) I can switch to another machine (or even just another browser with more permissive settings) and it lets me through.
Well, if you do that then human people like myself won't be able to load your blog behind cloudflare for as long as it's behind cloudflare. A much longer and more insidious denial of service targeted at those who cloudflare doesn't think are profitable.
Increased downtime due to having an additional component in the loop, having my readers presented with captcha nonsense because the CDN doesn't like their IP address, potentially being taken offline because a giant corporation decides that it doesn't like the content I post or doesn't want to support my use case on their free tier anymore.
And if you pay for it, you're still the product. This false notion of Paying = Better is driven entirely by profit seeking companies who want you to pay them for access and then they want to get paid for showing you ads as well.
Oh sure - I mean, BMW heated seats anyone? But even there you’re still not the product, you’re a captive audience that might put up with that kind of abuse because of sunk cost fallacy and all that.
No it really doesn't. How are you the product when Cloudflare gives you free tier access? That's not their business model. You aren't the product, but you are an upsell lead for the sales team.
Sales teams don't pay for leads? If you keep me around, exclusively because the sales team wants to show me something... I'm the product.
Follow up question, if I actually start using the DDoS protection or other services... will cloudflare cut me off unless I pay? Will that charge be exorbitant? Does that behavior feel like extortion? Have they done that before?
If the Cloudflare free tier TOS allows them to sell your data then I would agree that "you are the product". IDK if it does, but I would put my money on no.
I have only used CF at the enterprise level so IDK if DDoS protection is free tier. Surprise billing like that is bad behavior, but it's not "you are the product" behavior.
Facebook also doesn't sell your data, but you're definitely still the product when they provide a free service in order to capture attention?
> [...] but it's not "you are the product" behavior.
Discarding the context for the thread, probably. But if we're discarding context, "you're removed when you start to consume resources" isn't "you're the customer" behavior either.
Add to that, once an attacker has your server's IP (because it wasn't behind a CDN in the first place), it's basically impossible to fend off the attack unless the attacker is not very bright, or you swap your server's IP.
Genuinely I don't understand how people post under their own name or connect their accounts to their real identities at all. I learned early that my opinion can piss people off (even though I think I'm pretty milquetoast to be honest), and there are people with enough time and hate to make their disagreement with you impact you personally.
I started using a pseudonym about the time my consulting site got taken down by a DDoS attack because I voiced an opinion about a presidential candidate whose name rhymes with Meorge Mush Munior. People are awful.
Well, the first profile I ever had was an Xbox account that was based on my real name, and I just carried that username onto everything else. So I just ended up having a username based on my real name everywhere. And I never bothered to restart my social life to get a new one.
> Hopes and prayers do not make a valid security strategy
It’s not “hopes and prayers” to actively decide a particular attack vector is unlikely enough that the costs and risks are not worth it.
My local cafes and bars do not employ bouncers, but the local concert venues and nightclubs do.
All these places want to keep out outside food and drink and avoid violence among patrons. The local cafes and bars decided it’s not worth having a bouncer for that. That’s a valid decision.
Meanwhile the maintainer of Bear Blog - very nearly the poster child for small blogs with 100 visitors per month - recently put up a post talking about how much extra infrastructure it takes to keep the service online in the face of the massive uptick in AI scraper bot traffic we've had over the past few years.
I haven't tried managing my own site in ages, but I get the impression that the modern Internet is pretty much just one big constant DDoS attack, punctuated by the occasional uptick in load when someone decides to do it on purpose instead of out of garden variety apathetic psychopathy.
My small personal blog with tens of readers a month gets thousands of hits a day from bots. The ROI there must be worthwhile for those bots but not for me to self-host
But, yeah, it's gotten way worse to the point where you can't even run legitimate services because sometimes you will be blocked just for not being a known entity. e.g. try running your own email server and sending mail to any major email provider.
Some do, and it depends on what layer the attacks are coming in on.
Low-level attacks most or all providers have some protection against (to protect their network itself) but that may include black holing your IP at the border routers.
Few offer higher level DDoS protection that isn't rewrapped Cloudflare or a competitor.
A little niche cuz they're primarily a game server provider, but nuclearfallout is the most proactive provider I've seen to do this, on VPS or dedicated hardware. There have been many times they've worked with upstream bandwidth providers and automatically holed incoming DDoS, noticed packet loss and abnormal routing etc., before it even reached end user interfaces.
Been using them for decades and they've been incredible for this, at least for the US options (prem/internap).
Thanks. Trying to understand the issue a bit better, if you can bear with me.
Let's say you manage to install some Cloudflare equivalent in your VPS so your hands are clean. That still exposes the provider systems up to that point, eating up resources?
Or they'll still knock you off and ban your IP at the first point of entry itself.
Cos where that leads us is that subscribing to a Cloudflare type service almost becomes inevitable. You can't get around it with some free software running in your own box.
> You think someone would DDoS you because you made a comment like this on HN?
Yes. Welcome to the internet! I don't just think someone would do this. I've seen these things happen. It just takes one person to be pissed off who has got nothing better to do and a few bucks to spare to buy DDoS as a service.
Cloudflare does both but some providers do one or the other. You can use any CDN no matter if you use Cloudflare or not (shout-out to Bunny CDN btw, very happy with them - they do one thing and do it well)
> Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.
I've received death threats. Do I engage in charged political commentary on my site? Not really. Just vaguely left-of-centre stuff in a way that I feel moves the discussion forward (and not even that often). The internet is fun: you're instantly connected to every unhinged asshole lunatic in the world.
I wish online discourse didn't feel like engaging with possible shills for corporations as it did during the 2000s, or maybe it didn't. Maybe we became too aware and critical, or maybe there is absolutely no honest discourse possible when commerce, political or even ideological agendas are involved. The best stance should be one that presents varied solutions to a common problem.
> Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.
People come with that argument so often. But then one day I was completely done with something and I put out a rant on Reddit in my real name. Hundreds of people disagreed and told me "Why do you do that under your own name?! Are you crazy? This will lead to many problems."
Guess what. This was months ago and nothing happened. Nada. Zero. Null. I have many servers running and nothing was taken down. Maybe one day it will. If that happens then I'll find a fix. It will probably not be a nice day, but it is what it is. The world will keep spinning. I'm done giving in to the fear.
"I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me." -Frank Herbert, Dune
> Guess what. This was months ago and nothing happened. Nada. Zero. Null.
Just because it didn't happen to you does not mean that it doesn't happen to others. You can see a few anecdotes in this thread itself where people commented that they did get attacked for pissing people off. Like check this: https://news.ycombinator.com/item?id=45968219
DDoS is not a security issue for a small blog. It's a reliability issue, and reliability probably isn't that important. And to the extent that it is important, it's not at all obvious which choice is going to get me better reliability.
I'm not going to YOLO an actual security issue and, say, use my zip code as the password on a publicly-facing ssh service or something. But DDoS protection? Meh.
And if my blog with a few hundred visitors goes down because of a Cloudflare outage ... so what?
People act as if outages are some solvable problem and each outage should never have happened and we need to act (cloud no cloud, firewall rules, and so on) each time.
Rather I think history has shown this stuff happens and if the impact is terrible ... fine.
> The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.
thank you. thank you. thank you.
we are tired of hot takes on the internet due to opportunism.
Yeah, even the small sites are being tested every day by bots. How the bots know your site just came online - I don't know. So yeah, cloudflare is nice. We hate centralization on the internet - but to be naive that there are no bad actors on the internet is pure stupidity.