I am a plebe who doesn’t understand these things but what exactly does cloudflare do? I see it popping up more and more often redirecting before visiting a site. I assume that this has something to do with bot traffic? It seems like every mention of cloudflare is about how it ruined someone’s day.

  • Snot Flickerman@lemmy.blahaj.zone · 64 up · 6 months ago · edited

    The short answer is: A bit of both, really.

    The longer answer is pretty detailed and would include all the positive things they have done as well as the negative things they have done and the unintended consequences of having so much of the internet “behind” Cloudflare.

    It’s sadly not a cut-and-dried situation, they’ve definitely added some cool, positive stuff to the world. They’ve also created a mangled mess for a lot of people where they’re blocked from accessing certain parts of the web because Cloudflare is throwing down a false positive and thinks they’re a “bad actor.”

    I would say it’s up to individual interpretation if they’re doing more “breaking” or more “fixing.” For some, far more is broken than fixed, and for others, it’s the opposite.

    I fall in the “more is fixed than broken” camp, but the “more is broken than fixed” camp have plenty of evidence to support their assertions. I am not really willing to ignore the downsides just because they don’t affect me personally.

    • The Stoned Hacker@lemmy.world · 23 up · 6 months ago

      As a user of a small, privacy respecting VPN, Cloudflare is both great and awful. It’s great because Cloudflare captchas are single click usually while Google captchas go for infinity. It’s awful because just as often as I benefit from Cloudflare, I also get blocked by Cloudflare.

  • Potatos_are_not_friends@lemmy.world · 42 up, 2 down · 6 months ago · edited

    Hard to answer your question because it’s a mixed bag.

    As tech gets cheaper, it gets easier and easier to do malicious things.

    On the small scale: I used to host my tech blog on a rinky dink raspberry pi.

    I was getting hundreds of funny bot visits an hour, as they try to pen test and find any vulnerabilities. And that was after I set up some tools to block weird IPs. Two years ago, I was getting thousands, and the numbers kept growing. It didn’t hit a point where user experience was taking a hit, but at some point it will.

    I could get a beefier system (more expensive), or I can just sign up for cloudflare. And now the management of that layer is handled by Cloudflare, so I can focus on coding.

    Now to talk about the enterprise level: same thing but hundreds of times more. We were actually getting DDoSed. We originally didn’t want to use Cloudflare, and instead used in-house solutions. But after a hefty trial and seeing our AWS expenses skyrocket, we swapped to Cloudflare.

    Signed up, swapped over to Cloudflare, and instant uptake. We are also paying a fraction compared to our in-house solution.

    It sounds like a freaking ad for cloudflare.

    But one thing I don’t like is Cloudflare can easily monopolize the internet. As we all switch, Cloudflare now has a lot of power to tell sites to fuck off if they don’t like their content. Cloudflare hasn’t yet. They keep up White Power websites and racist shit. But they have taken down calls of violence and online gambling.

    If you have your day ruined by Cloudflare, I’m going to either assume you run a bot network, you’re trying to do something incorrectly, or you are part of the dark web.

    • dustyData@lemmy.world · 21 up, 1 down · 6 months ago · edited

      My day is regularly ruined by Cloudflare, and I don’t run a botnet. Because instead of doing their job they decided to declare my entire regional IP block a spam source. Now, no doubt there might have been one bad actor who used one IP in this IP block once. The entire block is for residential IPs though. But we all have to suffer degraded service because Cloudflare can’t be bothered, and as a private user of the internet, I have no recourse or place to complain. Not even my ISP has recourse because Cloudflare’s answer is “we don’t care about your clients”.

      • bobs_monkey@lemm.ee · 7 up · 6 months ago

        Yeah it gets sticky like that with VPNs as well. I run an always-on VPN (PIA), and depending on which server I’m connected through, it’s either a good day or a bad day. Sometimes switching servers works, others not so much.

        • dustyData@lemmy.world · 6 up · 6 months ago · edited

          Except that’s exactly how it works. Cloudflare keeps a record and rating of all IPs in the world. This rating determines the speed of response from the server and the number of security checks before traffic is let through to the protected server that is being queried. This rating is based on over 40 different surveyors that track and monitor spam mail sources, botnets, ISPs and data centers, and can flag IPs as bad actors. These records are available online.

          My ISP rotates IP addresses to clients every so often and after router restarts. One particular block is locked and throttled to hell. Sometimes, certain webpages stop working altogether for me, as if traffic is blocked. Or response speeds get excruciatingly slow. Every time it is because I have been given an IP in that exact IP block; tracing the hops shows that Cloudflare servers are the bottleneck. Checking it on IP trust records confirms they are flagged as bad actors. It’s not my ISP nor their infrastructure, as using a VPN instantaneously restores high speeds and response times, and magically a Cloudflare page shows up to check for a human.

          I have also checked directly with my ISP and they confirm that there’s absolutely nothing wrong on their end, it is Cloudflare servers blocking the traffic to some webpages, nothing they can do about it. They have contacted them and they refuse to provide answers as we are in a country sanctioned by the US, so international commercial relations are hindered with bureaucracy.

          The worst part is that I can sort of bypass these problems with a VPN, but non-Cloudflare VPNs are also throttled and trigger anti-bot checks every single time. So there’s no win for me. My ISP’s solution is to keep rotating IPs at random, hoping clients spend the least amount of time affected by these issues.

    • quixotic120@lemmy.world · 9 up, 1 down · 6 months ago

      Cloudflare has absolutely told websites to fuck off because they don’t like their content. They haven’t done it a ton of times but they absolutely have. No one cares because the sites they’ve done it to are toxic cesspool shitholes that, to be fair, the world is probably better off without. But each time it showed that cloudflare can simply wield its power if it feels like it.

      If your site becomes controversial in the future and is protected/hosted by cloudflare don’t be surprised if they suddenly send a letter saying “fuck off”. They’ve become arbiters of internet censorship and we have accepted it because the daily stormer and kiwi farms and 8chan are bad.

      The ridiculous part is all of those sites are still accessible; daily stormer and kiwi farms both still accessible from clearnet (iirc 8chan is tor only) so cloudflare dropping wasn’t even all that effective. Well funded hate speech found a way. But for the next ones that don’t have major alt right cash behind them to fund cloudflare alternatives they’ll just simply disappear. And then we will have the internet where corporations like cloudflare, who should absolutely be content agnostic, decide what we can and cannot see. You may think it’s fine right now because they’re doing it against websites that are admittedly gross and terrible, but what happens when they overstep and the line blurs?

      They should act like a proper tier 1 provider: find evidence of crossing a legal threshold, get a court order, and terminate service if something that bad has occurred. Anything less and they suck it up and honor the contract they signed. They haven’t, so fuck cloudflare. The internet is an amazing place but it’s also a disgusting abhorrent cesspool. Don’t get involved in hosting it if you can’t deal with that.

    • AnAmericanPotato@programming.dev · 5 up · 6 months ago

      If you have your day ruined by Cloudflare, I’m going to either assume you run a bot network, you’re trying to do something incorrectly, or you are part of the dark web.

      Or you are unfortunate enough to share a subnet with someone who got on Cloudflare’s bad side, in which case there is basically no recourse.

      There are a million legitimate reasons to use a VPN, for example, but Cloudflare doesn’t care.

    • asudox@lemmy.world · 2 up, 1 down · 6 months ago

      Just a few weeks ago, Primeagen read a blog about how Cloudflare threatened an online casino with taking their sites down if they didn’t pay them $120k in a day.

      • BaroqueInMind@lemmy.one · 4 up, 1 down · 6 months ago

        If you read about it instead of the headline you would have discovered that the casino was simply trying to take advantage of cloudflare in a similar fashion they had been doing to people gambling in their own casino, by leveraging the cheap tier cloudflare provided and slamming the network which was a detriment to other users with smaller bandwidth needs.

        Imagine a slow semi truck hogging a two-lane road and getting mad at you for trying to go around him just to go home. Cloudflare said they had six months to pay for a higher bandwidth trunk or they can go fuck themselves. The casino did nothing for six months, so they got to go fuck themselves.

        • asudox@lemmy.world · 2 up, 1 down · 6 months ago · edited

          I wouldn’t really defend Cloudflare here. Sure, the tier might have been a bit cheap for a big online casino with high traffic. However, Cloudflare should have set limits in place or warned the casino beforehand and not just surprise businesses with great amounts of built-up “damage” money if the business was causing their network to “struggle”. The call they made with the CF sales team about the serious issue wasn’t a warning at all. According to the blog, they just asked if the casino had considered the enterprise tier. Nothing about their networks struggling is said at all. Additionally their future calls were misleading and just tricks to get the casino to talk with the sales team. I’m not sure how CF’s fooling the casino here can be seen as something reasonable at all.

          They shouldn’t call it unlimited if they can’t handle high amounts of traffic.

  • Regalia@lemmy.blahaj.zone · 35 up, 1 down · 6 months ago

    Essentially, their entire schtick is being a middleman. By sitting between you and the server you want to visit, they can do helpful things like DDoS protection, being a CDN (basically storing website assets closer to you), managing HTTPS for you and providing access to your website over IPv6 even if your server doesn’t have it.

    By nature of that though, their position is quite sensitive since it has become a service that a good chunk of the Internet goes through. That causes concerns about centralization and pisses in a lot of people’s cereals politically.
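The middleman arrangement described above has a practical consequence for whoever runs the origin server: every connection now arrives from the proxy's address, and the real visitor's address only exists in a request header. The Python below is an added example, not code from the thread or from Cloudflare, showing the two checks an origin behind any such proxy needs. First, refuse TCP peers that are not in the proxy's published address ranges, because otherwise anyone who discovers the origin's IP walks straight past the DDoS filtering. Second, believe the forwarded-client header only when the peer is the proxy, and parse it from the right so a client cannot prepend a fake address. The trusted ranges here are RFC 5737 / RFC 3849 documentation prefixes standing in for a provider's real published list, and the header read is the generic X-Forwarded-For chain; Cloudflare additionally sends a single-value CF-Connecting-IP header that is simpler to use once you know the peer is Cloudflare.

```python
import ipaddress
from typing import Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allow-list of the proxy's egress prefixes. These are RFC 5737 and
# RFC 3849 documentation ranges standing in for the provider's published list,
# which a real origin would load and periodically refresh from the provider.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Parse one address; None on junk, because header values are untrusted."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip: IPAddress) -> bool:
    # ipaddress returns False for a v4 address tested against a v6 network.
    return any(ip in net for net in TRUSTED_PROXY_RANGES)


def origin_should_accept(peer_ip: str) -> bool:
    """Origin lock-down: drop TCP peers that are not the proxy, so whatever the
    proxy filters cannot be bypassed by connecting to the origin directly."""
    ip = _parse_ip(peer_ip)
    return ip is not None and is_trusted_proxy(ip)


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Address to log, rate-limit and geo-check.

    If the TCP peer is not a trusted proxy, every forwarding header is under the
    sender's control and the peer address is the only truth. If the peer is the
    proxy, walk X-Forwarded-For ("client, hop1, hop2") from the right, skipping
    our own proxies; the first address that is not ours is the real client. A
    chain with an unparseable entry is treated as tampered and we fall back to
    the peer address.
    """
    peer = _parse_ip(peer_ip)
    if peer is None or not is_trusted_proxy(peer):
        return peer_ip
    chain = headers.get("X-Forwarded-For", "")
    hops = [_parse_ip(p) for p in chain.split(",") if p.strip()]
    if not hops or any(h is None for h in hops):
        return peer_ip
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return str(hop)
    return peer_ip  # every hop was one of ours: the header named no client


if __name__ == "__main__":
    # Direct hit on the origin: header is ignored, connection should be refused.
    print(origin_should_accept("203.0.113.9"), client_ip("203.0.113.9", {"X-Forwarded-For": "198.51.100.7"}))
    # Via the proxy, with a spoofed entry the client prepended before the real one.
    print(client_ip("192.0.2.10", {"X-Forwarded-For": "10.0.0.1, 198.51.100.7, 192.0.2.10"}))
```

The rate-limit and reputation decisions the rest of this thread argues about are only as good as the address they key on; a naive `headers["X-Forwarded-For"].split(",")[0]` lets any client pick the address it is judged by, and an origin reachable directly lets an attacker skip the proxy altogether.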

    • Snot Flickerman@lemmy.blahaj.zone · 16 up · 6 months ago

      It can also mean if you’re just an average Joe from some random country that is well-known for being the source of botnets or DDoS attacks, you’re fucked out of luck on accessing half the internet because Cloudflare assumes you’re part of the problem based on your source IP. Denied access because of someone else’s wrongdoing seems like a really bad side-effect.

      • Regalia@lemmy.blahaj.zone · 11 up · 6 months ago

        Yeah, it’s a technically difficult problem to deal with because you’re probably often sharing an IP address or a block of IPs with bad actors. You can’t really share details about it without giving them a hand.

        I guess cynically said, you could probably go through their VPN service to fix it, I’ve seen that from time to time.

      • NeoNachtwaechter@lemmy.world · 2 up · 6 months ago

        average Joe from some random country that is well-known for being the source of botnets or DDOS attacks, you’re fucked out of luck on

        Like painpal blocking you and taking away your money forever if the person who lives in the flat above you is suspected of being a criminal.

  • rufus · 32 up, 5 down · 6 months ago · edited

    Mostly breaking it. They’re centralizing stuff and nowadays lots of services depend on that single service provider. And the original idea of the internet was to make everyone equal and have some resilience against single points of failure. That’s kind of detrimental to the whole idea.

    Secondly, you unencrypt your traffic and send it to them plain so they can read everything. That may or may not be an issue for your use-case, but I like privacy and encryption and no third parties reading my messages.

    And the question is: What do you need their service for? I understand that a tunnel is useful if you’re behind a NAT. But the DDoS protection and attack prevention is mostly snake-oil for most people. It’s often unnecessary, the free tier doesn’t include any of the interesting stuff and it’s questionable if most people get targeted by DDoS attacks anyway. And as I heard, if it comes to that point, they will cease service to you anyway and want to see money ($240 to $2,400 per year). So I don’t see a good reason why you’d use Cloudflare in the first place. Unless you need a tunnel or subscribe to one of the more expensive plans. Otherwise it only has downsides.

    • You999@sh.itjust.works · 12 up · 6 months ago

      But the DDoS protection and attack prevention is mostly snake-oil for most people.

      I wouldn’t say it’s snake oil for most people because of how cheap it costs to execute a DDoS attack, all it takes is for you to piss off one person for it to be worth it. Although you do not have to use cloudflare there are plenty of other protection services out there.

      And a side note, I can’t believe how hard it is to find statistics on how many DDoS attacks have happened that’s not from someone with a vested interest in the matter. I’d figure the FBI/IC3 or CISA would have better statistics on the matter.

      • rufus · 1 up · 6 months ago · edited

        Hmmh, I’d like to - at some point - speak to an admin who has been targeted by a DDoS attack. I know it happened to one Lemmy instance. What I’ve seen as an admin were some attempts that weren’t that bad for us, and that was years ago. It didn’t even really stop the service, just cause lots of load on the webserver and made the website open a bit slower than usual. And it was over after a few hours and never happened again. My other servers and websites have never been targeted.

        And I wonder if for example the Lemmy instances who use Cloudflare, pay them $240 a year. Because as I read, Cloudflare free ceases service if there is an ongoing DDoS attack.

        I think it’s mostly Live-Streamers and somewhat high-profile and controversial webservers who get targeted. Like the biggest Lemmy instances. Or if you’re successful at messing with the Russian internet trolls. Or play a game in a live stream and your fans like to seriously mess with you, like pay for a virtual attack or swat you. Other than that, I believe 99.9% of people who run internet services will never experience such an attack. And it wouldn’t really harm them if their service went down for some time.

    • WormFood@lemmy.world · 9 up · 6 months ago

      I run a small personal blog/portfolio website that doesn’t get more than a hundred or so human visits per day, but it gets hammered with bot traffic, not just malicious bots but tons of different search indexers and scrapers, many of which don’t respect robots.txt

      After setting up Cloudflare I noticed a very significant drop in malicious traffic and in bandwidth use, which also corresponded to less bandwidth and CPU usage for my VPS.

      I know Cloudflare has recently had a few bad customer service stories but for small and medium sized websites their service is invaluable.

      My own personal criticism of Cloudflare is that, as a VPS user, I get hit by Cloudflare challenges more. But now that they’ve moved to hCaptcha it’s not too bad.

      • rufus · 1 up · 6 months ago · edited

        I think the correct way to handle this is to include a bad-bot blocker in your webserver. There are plenty of scripts and addons available for the common software stacks. It’s fairly easy to set up and comes with far less side-effects.

        There are also local and privacy-respecting Web Application Firewalls like ModSecurity, Janusec, Vulture Project (I haven’t yet tested them) which could maybe do the same thing.

        We’re all subject to these crawlers, bots and vulnerability scanners. I also run 3 small websites including mail and a few other services. I rarely block some bot that downloads images over and over again. And fail2ban blocks a lot of brute-forcing attempts. Other than that, the traffic they cause isn’t that much compared to a single other service like Matrix chat or some Fediverse software that causes lots of HTTP requests all day long. It runs without Cloudflare or other third-party services for years on my slow home internet connection. Back then even on a single board computer (like the Raspberry Pi.)

        So my experience is a bit different. And that I can run 3 websites on a RasPi on a 15MBit connection just fine and other people need Cloudflare for a 1000MBit VPS makes me think it’s snake-oil. But yeah, I agree if you block the bots, they stop after some time. That’s also my experience. But the traffic isn’t that much in the first place and there are better ways to do it in my opinion.
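Both the "tools to block weird IPs" on the Raspberry Pi blog earlier in the thread and the bad-bot blocker and fail2ban setup rufus describes boil down to the same thing: read the access log, recognise scanner behaviour, and ban the source for a while. The Python below is an added example written for this page, not code from either poster or from any of the products named, showing what that detection looks like over nginx/Apache combined-format log lines. The log lines are constructed, the probe paths and scanner user-agent fragments are an illustrative subset, and the weights and threshold are assumptions for the example rather than tuned values.

```python
import re
from collections import defaultdict

# nginx/Apache "combined" log format; one regex group per field we score on.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a visitor to a static blog never asks for but vulnerability scanners
# always try. Illustrative list; grow it from your own 404 log, not guesswork.
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/xmlrpc.php",
               "/phpmyadmin", "/vendor/phpunit")

# Substrings of user agents that well-known scanners announce. Also illustrative.
SCANNER_UA = ("sqlmap", "masscan", "zgrab", "nikto")

# Weights and block threshold are assumptions chosen for this example: one
# probe path is suspicious, a scanner UA alone is enough, and plain 404s only
# count in bulk because real browsers following stale links produce a few.
WEIGHT_PROBE, WEIGHT_UA, WEIGHT_404, THRESHOLD = 5, 10, 1, 10

# Constructed sample log (RFC 5737 addresses): one real visitor, two scanners,
# and one browser that hit a dead link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /posts/hello HTTP/1.1" 200 8831 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.23 - - [10/Mar/2024:12:00:05 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2024:12:00:09 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 5123 "-" "sqlmap/1.7"
192.0.2.200 - - [10/Mar/2024:12:00:12 +0000] "GET /old-link HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
"""


def parse_line(line: str):
    """One log line -> dict of fields, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_requests(lines):
    """Per-IP score and the reasons behind it; IPs that triggered nothing are absent."""
    scores = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess at fields
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0]  # match on the path, not the query
        ua = rec["ua"].lower()
        if any(path.startswith(p) for p in PROBE_PATHS):
            scores[ip] += WEIGHT_PROBE
            reasons[ip].add("probe:" + path)
        if any(s in ua for s in SCANNER_UA):
            scores[ip] += WEIGHT_UA
            reasons[ip].add("scanner-ua")
        if rec["status"] == "404":
            scores[ip] += WEIGHT_404
            reasons[ip].add("404")
    return {ip: (scores[ip], sorted(reasons[ip])) for ip in scores}


def blocklist(lines, threshold=THRESHOLD):
    """Sorted IPs whose score reached the threshold: the ban candidates."""
    scored = score_requests(lines)
    return sorted(ip for ip, (score, _) in scored.items() if score >= threshold)


if __name__ == "__main__":
    for ip, (score, why) in score_requests(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:16} {score:3} {', '.join(why)}")
    print("block:", blocklist(SAMPLE_LOG.splitlines()))
```

Two caveats a practitioner would add. Score behaviour, not address reputation: the same shared residential and VPN address blocks that get people in this thread locked out of half the web are exactly what an IP-only list punishes, so whatever consumes this output (fail2ban, a firewall set, an nginx deny list) should expire entries after a bounded time rather than accumulate them forever. And this handles the noisy scanner traffic the posters describe, not a volumetric DDoS; once the attack fills the link before the packets reach your webserver, nothing running on that box can help, which is the one case where a middleman with more bandwidth than you is doing something you cannot do locally.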

  • linearchaos@lemmy.world · 28 up, 1 down · 6 months ago

    Cloudflare provides a lot of network services that are at varying levels of difficulty to achieve.

    They provide really great services at a free level but in doing so they make you the product.

    They can be used to let you host a reasonably secure website at your house behind your ISP firewall that won’t let you host, with SSL that you don’t have to maintain. They handle dynamic DNS and host names and honestly dozens of other things that are all useful.

    Essentially morally they’re like Google back in the early 2000s. Eventually they’ll need more money and force us to pay or get out.

  • BlemboTheThird@lemmy.ca · 9 up · 6 months ago

    I’m no expert either but as I understand it, the core service they are most well known for is protection against DDoS attacks. By routing traffic first to Cloudflare before sending it to the intended destination, it can try to check to make sure that whatever it’s routing isn’t coming from a botnet or whatever.