Tell Cloudflare: You're Breaking Tor/VPN/Shared IPs Again
161 points by uconnectlol on Jan 2, 2023 | hide | past | favorite | 51 comments
Right now if anyone tries to load a Cloudflared website over Tor or any "bad" IP, they get a captcha which breaks something like 90% of the time. It seems to only be "under attack mode" websites, by the fact that only a fraction of Cloudflared websites are doing this. We click the checkbox and it just shows a spinning wheel forever. If this is meant to be a block then show an actual block page instead of dodging the issue and wasting everyone's time (I'm sure you already know about the problem). It also breaks when our IP changes now, which is a regression from the other 8 years you blocked Tor for (so please fix that too, don't just fix one thing and leave a new bug).

I searched "list of sites behind cloudflare" and got hunter.io which exhibits this behavior.

The captcha page now contains a mix of embarrassingly wrong statements and nonsense propaganda like:

- "Checking if the site connection is secure"
- "Did you know the first botnet in 2003 took over 500-1000 devices? Today, botnets take over millions of devices at once"
- "Did you know 43% of cyber attacks target small businesses?"
- "Did you know bots historically made up nearly 40% of all Internet traffic?"

Stop doing that. Who actually believes botnets only had thousands of nodes in 2003?

You (just you) are making the web a dystopia. There was not rampant blocking before Cloudflare, and even during Cloudflare nobody else does this except a small number of copycat companies, which is still your fault for spreading the bad idea.

You broke Tor between 2010-2018, but it was far worse: Everyone had to solve a captcha per session per website to visit any Cloudflared website at all. We had to solve two per site per session if they had a separate "cdn" subdomain. And you used Recaptcha, which gave unreadable captchas to Tor. Every single captcha had ambiguous text, which you have a 1/4 chance of guessing right (since they typically had at least 2 ambiguous characters). Recaptcha itself also just blocks some IPs (!!). When it wasn't blocking our IP it would still also often say "connection failed" in a popup for what was obviously no real reason while loading or submitting the captcha. Those are just the main issues with Recaptcha, which was and still is horse shit. This is still your fault though because even with a normal captcha instead of Recaptcha, we'd still have to solve 50 captchas just for say a 1 hour research session. All of the behavior explained here happened regardless of whether we used Tor Browser or any other browser.

And then you "fixed" this in 2018 by just skipping the captcha for anyone that emulated Tor Browser. This is terribly flawed protocol implementation and was documented as harmful and stupid in early RFCs, and I have no idea why HNers put up with it considering only shit companies like Microsoft would do this back in the early 2000s. There was absolutely no correlation of how easy it was to hack a site and whether they had a WAF. Nobody uses Cloudflare for the WAF or anti scraping, so please stop pretending there is any dilemma here, just remove it by default and let the idiots who like that stuff enable it if they want it. Then we'd be back to the 2003-2010 web where only a few unhinged web admins mass blocked IPs.

JUST STOP MASS BLOCKING. You literally have no reason to. The only reason would be if you have an agenda to stop people from anonymously accessing information.



> JUST STOP MASS BLOCKING. You literally have no reason to.

As someone who has dealt with a massive influx of requests caused by bad actors who use everything in their arsenal to mask their behavior, yes they do. It may not be ideal by any means, but DoS attacks can be very, very expensive and being extra trigger happy on the ban is the difference between an operational site for most and an unavailable site for all.


The reasons behind mass blocking can be understood if you run a website and manage online servers.

I resorted to putting my website under a Cloudflare firewall. I benefit from it by getting web traffic stats and keeping away the bad requests. Many bots are set up with Tor and automate their browsing.

It would be impossible for me to pay fees in order to fend off DDOS attacks. My site is awalkaday.art. The amount of bad requests, per Cloudflare classification, goes up to 70-90% of regular web visitors. Imagine if you have to service 9 unidentifiable/shady customers, out of 10 people visiting your online store? It's not financially wise to allow anyone to deplete hardware resources (i.e: servers) of a new internet service. Moreover, these bad requests don't improve the growth or bring in revenue. The world wide web is too wild. It's unregulated in the sense that anyone from anywhere can start and successfully run an army of bots to scour the Internet for specific purposes.

I'm happy that Cloudflare can help mitigate some security issues before they occur.


> The amount of bad requests, per Cloudflare classification, goes up to 70-90% of regular web visitors.

Or do they just make them up?


If you mean that those requests were not made at all, then it's unlikely, as this is trivial to check: repoint DNS directly to your server and watch. CF seems to care about their reputation, so I don't think they would do something that is so simple to disprove.

If you mean that those requests were actually "good" (real humans) but CF mistakenly marks them as bad... then yes, this probably happens. For example, I have an old tablet which regularly gets CF captcha, and sometimes this causes me to abandon some websites rather than solve it. I am sure that this appears in the logs as "bad" request -- after all, how can you tell a frustrated human from a defeated bot/DDoS?

But for many sites, the question is not "captcha vs same content no captcha" but rather "captcha vs significantly reduced functionality"... so at least for me, occasional captcha is worth not having to login / having full-resolution images etc...


To be fair I have stats for my site that before Cloudflare barely got a look-see, but when I ran it through Cloudflare for a private zero tunnel, the requests from all over the world were in the thousands within a few days.

Seemed fishy, but never questioned it.


The only thing I can think of is some bad actor that constantly tries CF websites to try and find a hole that can be exploited. Otherwise that does sound pretty fishy.


I thought HN of all places would understand this: The Cloudflare captcha is not for DDoS. It's for the rest of the "security" issues Cloudflare markets itself as a solution to:

> The problem is Tor exit nodes often have very bad reputations due to all the malicious requests they send, and you can do a lot of harm just with GETs. Content scraping, ad click fraud, and vulnerability scanning are all threats our customers ask us to protect them from and all only take GET requests.

https://blog.cloudflare.com/the-trouble-with-tor/


>JUST STOP MASS BLOCKING. You literally have no reason to. The only reason would be if you have an agenda to stop people from anonymously accessing information.

You are not entitled to access a website and the website doesn't know if you're a "good" or "bad" person automatically.

Put another way, if 9/10 of all phone calls/text messages sent to you are antagonistic at all hours of the day with NO filtering, would you accept that?

If so please post your unfiltered phone number that you will always answer, or your email address that has no spam filtering on it.

When most of the traffic on the internet is junk, some level of filtering is required.

How does a website determine if you're a "good" person, or a hacker who will destroy them otherwise?


That's a lot of false logic and implicit assumptions there buddy.

Perhaps you want to take another go, only this time don't push a false narrative?

It was possible to reach sites without cloudflare before and view the content.

Now it's primarily being used as a stopgap to block and de-anonymize people. The website doesn't need to determine if you are good or bad.

They simply need to manage their resources, and send the response to requests.

That is if they are actually in the business of providing something to someone like content or something else. Otherwise the business they are really talking about is data brokering and surveilling without really disclosing it, and that's another discussion completely.

Most of the traffic on the internet isn't junk, somewhere about 30% is protocol overhead, some small percentage is discarded during path and routing, and a large percent is the data people ask for.

There are tactics you can use as a website owner that target bad actors without blocking en masse. Server side checks that characterize specific actors that are not related to IP or ASN. Those can then be easily targeted, and it's not hard to set that kind of response up as an automated response.


> Not entitled

I'm saying what Cloudflare should do as reasonable engineers. It's not a question of entitlement. IP blocking is never valid aside from temporary DDoS mitigation. Eventually, those IPs will get reassigned or the attacker will get bored, and you have to stop blocking at that point or else you will just block legitimate users, since IP addresses do not represent individual people.

Your analogy is invalid. The captcha we're talking about here is not for filtering messages. To further nip this argument in the bud: Most sites that have a Cloudflare captcha to view anything at all will still require more captchas, email confirmation, and often phone confirmation before being able to sign up and post. Then this last idea that IP blocking stops hackers is just not even plausible (cue flood of posts arguing about the diminishing returns of repurposing firewalls/av/block lists for mitigation of low quality automated exploit attempts).


> JUST STOP MASS BLOCKING. You literally have no reason to.

I've had to deal with websites getting attacked, most of the traffic comes from datacentre IPs which Tor exit nodes are usually hosted on. We block most if not all datacentre IPs from reaching our sites, we've seen a huge decrease in attack attempts since doing this.

You're choosing to access the website using a shared IP that bad actors use, there's only so many ways webmasters can protect their websites. This one sounds like it's on you for using Tor.


I do most of my browsing from "datacenter IPs", because I segment browser instances (including source IP) by activity type, and I only get one IP from my physical upstream. It's also very easy to rotate datacenter IPs frequently, and they don't spill my physical location.

I spend real money browsing from these rotating datacenter IPs, to many different online stores, and I've only run into a rare few that won't let me. If a website doesn't work, especially for the casual browsing of shopping, then that will very much influence my purchasing decisions.

If your website relies on surveillance to make money, meaning you don't particularly appreciate my efforts to stop the abuse of my privacy, then I understand how we're at an impasse. But if you're running an honest business and think that heavy handed blocking is only pushing away illegitimate traffic, please do reconsider.


Not running a business, running a free service that gets a lot of abuse from bad actors. We care a lot more about having a website that stays up as opposed to letting a few users have "privacy".


Practically, I thought one of the main points of Cloudflare was that it cached most pages? So, a deluge of read requests shouldn't really affect you, no matter the intent (assuming your website handles caching properly, etc).

I do completely understand that you need to rate limit things that mutate the site or perform a lot of non-cacheable reads (and thus always hit your own server(s)). But if you have some sort of account system, I'd urge you to make it so that logged in users bypass IP-based limiting. Thus someone coming from a non-naive IP may hit a bunch of CAPTCHAs to login, but once they're logged in they should have an easy experience (with the idea that if the account turns out to be abusive, you ban it). An account is basically a longstanding nym.

Also, it's unkind to put privacy in scare quotes. It's true that there is very little absolute privacy with the sorry state of web technologies, but that doesn't mean throwing the whole concept out. I personally find value even in little things like some ad that slips through saying "List of <whatever> in <city not related to me>", rather than getting my city correct, normalizing the idea that it's right for what I'm reading to be reading back at me, and perhaps enticing me to click.
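The suggestion in the comment above (limit anonymous traffic per IP, but key the limit on the account once someone is logged in, and ban the account rather than the address if it misbehaves) is easy to show as a small sliding-window limiter. This is an added example, not code from the thread or from Cloudflare; the session store, the limits and the IP addresses are constructed for illustration.

```python
import time
from collections import deque

WINDOW_SECONDS = 60
ANON_LIMIT = 20       # requests per window for an unauthenticated IP (assumed value)
ACCOUNT_LIMIT = 200   # requests per window for a logged-in account (assumed value)

# Constructed session store: session token -> account id. A real site would look
# this up in its session backend; this is a placeholder for the example.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}


class Limiter:
    """Sliding-window request limiter keyed on a principal, not only on an IP."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so the behaviour is testable
        self.hits = {}              # principal key -> deque of request timestamps
        self.banned_accounts = set()

    def principal(self, ip, session_token):
        """A valid session makes the account the principal; otherwise the IP is."""
        account = SESSIONS.get(session_token)
        if account:
            return "account:" + account, ACCOUNT_LIMIT
        return "ip:" + ip, ANON_LIMIT

    def check(self, ip, session_token=None):
        """Return 'serve', 'challenge' (anonymous over limit), 'throttle' or 'blocked'."""
        key, limit = self.principal(ip, session_token)
        if key.startswith("account:") and key[len("account:"):] in self.banned_accounts:
            return "blocked"        # the ban follows the account, not the shared IP
        window = self.hits.setdefault(key, deque())
        t = self.now()
        while window and window[0] <= t - WINDOW_SECONDS:
            window.popleft()        # drop hits that fell out of the window
        if len(window) >= limit:
            return "challenge" if key.startswith("ip:") else "throttle"
        window.append(t)
        return "serve"

    def ban_account(self, account):
        self.banned_accounts.add(account)


def demo():
    """Constructed walk-through: one shared IP, one anonymous user, two accounts."""
    clock = [1000.0]
    lim = Limiter(now=lambda: clock[0])
    anon = [lim.check("203.0.113.7") for _ in range(ANON_LIMIT + 1)]
    alice = lim.check("203.0.113.7", "tok-alice")     # same IP, but logged in
    lim.ban_account("mallory")
    mallory = lim.check("203.0.113.7", "tok-mallory")
    alice_again = lim.check("203.0.113.7", "tok-alice")  # unaffected by the ban
    return anon[-1], alice, mallory, alice_again


if __name__ == "__main__":
    print(demo())
```

The point of the `principal` split is that the shared exit IP only decides what happens to visitors who have not identified themselves; an abusive account is removed on its own, and the other people behind the same address keep browsing.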


> We block most if not all datacentre IPs from reaching our sites, we've seen a huge decrease in attack attempts since doing this.

Do people using iCloud Private Relay get blocked as well?


Just checked, looks like it at the moment.


Cloudflare has no problem classifying humans from developing countries as bots then inflating their statistics by blocking them. I know this is a fact because I personally get infinite block loops (captcha shows, complete captcha, captcha reloads) and many users especially from South and South East Asia for projects I consult for report similar problems. I know these are real humans because I have had voice calls with them, but according to Cloudflare excluding people from some of the most populous countries on earth simply because of their geolocation IP address is stopping DDOS. At this point, DDOS has nothing to do with botnets and is primarily about blocking people they view as undesirable. The Cloudflare CTO has been on Hacker News before and agrees this is their policy and does not see a problem with it.

That said the op is wrong about vpn blocks, users able to afford a vpn with nodes in a first world country have no problems with access.


Ignored by nearly everyone in this thread is that this currently affects many Firefox users too. Cloudflare absolutely deserves criticism here for placing their business interests ahead of the open web with extremely aggressive blocking that sees real users' eyes very frequently lately.

I find it kind of crazy that the crowd here is so willing to excuse that kind of environmental pollution, knowing how important a healthy open ecosystem is to all of our work.


Why does it affect Firefox? Visiting cloudflared website on Firefox seems OK for me.


I have a few websites on Cloudflare and the first thing I turn off is their DDoS protection. It's on by default, but not many people know you can disable it. This is a gift to my visitors since they can now browse it without getting interstitials when surfing with low-rep IPs.


Ran into this issue with cloudflare before. Even their support pages didn't work because images and scripts were blocked, even after the captcha was completed. That's life on some networks.

CF has become part of the web's security theater. Insecure WordPress install? Secure WP install that may become vulnerable sometime next week? No PreparedStatements in your framework's DB queries? Not to worry, just throw CF at it! Don't fix your bloated server frameworks and autogenerated DB schemas, just throw CF at it!

Who cares if modest hardware 2 decades ago could serve the same volume of requests? You're living in the future with the latest and greatest flavor of the week framework. Just throw CF at it!


At my company we soft-ban IPs for malicious activity for 12 hours, if there's definite proof of known exploits being used.

As a result tor is de-facto banned, as well. But we don't target tor specifically, we just handle it as any other activity.
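The policy described in this comment (a time-limited soft-ban triggered only by definite evidence, with Tor receiving no special treatment either way) is shown below as an added example; it is not the commenter's code. The log format and the `verdict` field, assumed to come from an upstream detector, are constructed for the example, as are the addresses.

```python
BAN_SECONDS = 12 * 3600   # 12-hour soft-ban, as the comment describes

# Constructed access-log lines. "verdict" is assumed to be set by an upstream
# detector; only a definite verdict should trigger a ban.
SAMPLE_LOG = [
    "ts=1000 ip=198.51.100.9 path=/ verdict=clean",
    "ts=1001 ip=198.51.100.9 path=/search verdict=suspicious",
    "ts=1002 ip=198.51.100.9 path=/login verdict=exploit_confirmed",
    "ts=1003 ip=192.0.2.44 path=/ verdict=clean",
    "ts=1004 ip=192.0.2.77 path=/search verdict=suspicious",
]


def parse(line):
    """Split a key=value log line into (timestamp, ip, verdict)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["ts"]), fields["ip"], fields["verdict"]


class SoftBanList:
    """IP soft-bans that expire on their own, so reassigned addresses are not punished forever."""

    def __init__(self):
        self.expires = {}   # ip -> unix time at which the ban lifts

    def record(self, ts, ip, verdict):
        # Only definite evidence triggers a ban; "suspicious" alone never does.
        if verdict == "exploit_confirmed":
            self.expires[ip] = ts + BAN_SECONDS

    def is_banned(self, ip, now):
        expiry = self.expires.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.expires[ip]   # ban has lapsed; forget it
            return False
        return True


def replay(lines):
    """Feed log lines through the ban list and return it for querying."""
    bans = SoftBanList()
    for line in lines:
        bans.record(*parse(line))
    return bans


if __name__ == "__main__":
    bans = replay(SAMPLE_LOG)
    for ip in ("198.51.100.9", "192.0.2.44", "192.0.2.77"):
        print(ip, "banned at t=1005:", bans.is_banned(ip, 1005))
    print("198.51.100.9 banned 12h later:", bans.is_banned("198.51.100.9", 1002 + BAN_SECONDS))
```

Because the rule looks only at what an address did and when, an exit node is banned exactly as long as any other address that produced the same evidence, and the ban clears itself without anyone maintaining a list.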


I rarely say something this direct and flamey on HN, but truth be told you sound like you lack the necessary competencies for anyone to take your outsized rant even remotely seriously. This doesn't deserve to be an "open letter" or whatever this is. It's a complaint from a hot-headed customer's customer that should seek clarity and shared understanding before flying off the handle and assuming malice or incompetence.


Perhaps actually come up with a tangible argument before trying to paint yourself as the superior gentleman?


> JUST STOP MASS BLOCKING. You literally have no reason to. The only reason would be if you have an agenda to stop people from anonymously accessing information

This is my take, who cares where people accessing the site are from. The only places that should kind-of care are Banking Sites.


The main use case of Cloudflare is not blocking for fun. We use it to defend against DDoS and botting which are existential threats to our business.


Banking sites and anybody who suffers from any sort of attack, whether it's scraping, DDoS, bots, bruteforcing...

Does everybody get those attacks? Probably not, however, Cloudflare centralizes the attacks into a single IP reputation database so, if at some point, a certain node was abused on x site that uses Cloudflare, anybody who is routed through that node will have a poor experience browsing CF sites.

This approach of centralizing IP reputations has its own flaws and benefits, Tor Nodes aren't inherently given a bad reputation, it just happens that if 90 people are using the tool for all the good things, 2 assholes can abuse the IPs and have them blacklisted on almost any website, whether it's Cloudflare, Imperva, Akamai, PX, you name it. Cloudflare is the most known name but there are tons of other E2E/B2B providers that don't show up as often.


Some businesses just have no reason to interact with certain IP sets.

For example if you are running a SaaS website which only caters to customers in the US what is the advantage of letting IPs from China or Russia access your service? Those IPs are not going to utilize your service because you don’t offer services outside of the US; since the IPs cannot be used for legitimate actions they can therefore only be used for illegitimate actions and should be blocked.


People travel. This kind of approach is not uncommon and so annoying. Like Vodafone which didn't let me access the right country's version of their page to pay my bill while abroad. And ING which listed only the local app in the Play Store - couldn't download the Australian version in the UK.

That's literally being hostile to your customers where they may be under more pressure than normal to resolve whatever they're trying to achieve.


Why would a God-honoring American want to travel overseas in the first place? We have more natural wonders, more freedom and equality than any other country in the world. We're also unique in that we're the only nation to be a melting pot of different cultures, so you can literally find anywhere in the world in the USA.


A B2B SaaS is very likely to have US based customers with employees working remotely from all over the world, either temporarily or permanently.


Chances are they won’t block IPs in the countries they have employees, and/or they’ll require a VPN for them.

I’m honestly a bit surprised to see so many people attempting to counter the idea that some businesses don’t need to be accessible from every region in the world.


If you have an ecommerce and you block access from countries where you don't do business, you are making every expat's life miserable.

Just imagine for a moment people may want to send gifts for their loved ones.


I’m sure everyone on this site can come up with reasons why some online businesses should support a worldwide audience. That does not mean every online business needs to set out to support the entire world when it makes no sense for them or 99.999%+ of their legitimate users.


Most US businesses don't have employees outside the US and you probably aren't catering to the ones that do.


Personally, I wouldn't deliberately signal "I'm too small time for you Fortune 500 outfits to bother with".

But even if you don't mind doing so... Our company didn't have any outside-the-US employees - until we did. We hired one remote in Canada, and we hired some contractors in the Philippines and Portugal. So you're creating a situation where either you have to fix your ability to let people connect from outside the US right now (with all the security issues that may cause, which you also have to fix right now), or else you lose a customer each time something like that happens.


I wouldn't login to my bank via Tor. So far though, both the financial websites I use don't care that I use a VPN.


I once did, to make a payment. Only at the end did I realize I was in a TOR window. All went through fine. I guess there is no reason not to, if login and 2F check out.


I logged into my bank through Tor for 10 years no problem. Until they blocked it.


You can, but I don't feel like risking being locked out of my main checking account. Mind you, Mullvad VPN seems to be working totally fine so far...


I've never used Tor, but wouldn't it be better operational security to not use Tor for banking to avoid being fingerprinted/identified, if one cared about remaining anonymous?


Fingerprinted/ID'ed by who? There is effectively no difference in security with tor when it comes to the end points. The main purpose of tor is to prevent anyone in the middle from getting any information.


All they'll get is a strong ID on your exit node. That node is, of course, shared by a ton of people and so trying to pick apart the traffic is going to be very difficult.


> JUST STOP MASS BLOCKING. You literally have no reason to.

So I guess I should just let all the bots and wordpress hack attempts through to waste the very limited resources of my server and network connection?

Seems like a great idea.

/sarcasm


Do people often use Tor for DDOS? I was under the impression it’s no good for scraping, let alone attacks, due to its speed.


I think Cloudflare is breaking Tor on purpose.


Cloudflare's a pariah on the internet


> The captcha page now contains a mix of embarrassingly wrong statements and nonsense propaganda

This struck me as insane the first time I saw it. Not too surprising the biggest MITM op in the world engages in what is essentially psychological warfare.


That’s…quite a dramatic embellishment.


> essentially psychological warfare

aka marketing


To push back against the hordes of commenters taking issue with the last line: An entity the size of CF shouldn't need to perform mass blocking to deter DDoS attacks, both from the perspective of their customers or their resources. Would it be difficult to delay requests from "low-reputation" sources? Tor users are used to delays when browsing and the automated "ddos-protection" JS challenges appear to do that (even if not by design).

What ever happened to read-only websites? Using one's browser to render static content? An underrated concept in 2023, when almost every website wants to run some sort of code on your computer.

Your pain is felt, OP!
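The alternative this commenter proposes, slowing low-reputation sources rather than refusing them, can be done with a per-source backoff that grows while a source hammers the site and resets once it goes quiet, so a human reading pages sees a small delay while a tight request loop gets progressively throttled. This is an added example, not code from the thread or from any vendor; the constants and the idea of an externally supplied reputation flag are assumptions.

```python
BASE_DELAY = 0.5      # seconds added to the first request from a low-reputation source (assumed)
MAX_DELAY = 8.0       # ceiling, so a human is never locked out (assumed)
QUIET_SECONDS = 30    # a pause this long resets the backoff (assumed)


class Tarpit:
    """Per-source exponential delay for low-reputation traffic; good-reputation traffic is never delayed."""

    def __init__(self):
        self.state = {}   # source -> (timestamp of last request, delay applied to it)

    def delay_for(self, source, low_reputation, now):
        """Return how many seconds to hold this request before serving it."""
        if not low_reputation:
            return 0.0
        last, current = self.state.get(source, (None, 0.0))
        if last is None or now - last > QUIET_SECONDS:
            current = BASE_DELAY                 # first request, or quiet for a while: start small
        else:
            current = min(current * 2, MAX_DELAY)  # rapid repeat: double, but cap
        self.state[source] = (now, current)
        return current


def simulate(requests):
    """Run constructed (source, low_reputation, timestamp) tuples through one tarpit."""
    pit = Tarpit()
    return [pit.delay_for(src, low, ts) for src, low, ts in requests]


if __name__ == "__main__":
    # Constructed traffic: a burst from one low-reputation source, then a pause,
    # interleaved with a good-reputation source that is never delayed.
    burst = [("exit-1", True, t) for t in range(6)]
    later = [("exit-1", True, 40.0), ("home-1", False, 41.0)]
    print(simulate(burst + later))
```

Unlike a block, every request here is eventually answered; the cost of a flood rises with its rate, while someone reading at human speed pays the base delay at most once per page.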



