Cloudflare shares IP reputation data with partners like Google, coordinated through a program called the Bandwidth Alliance. So, my original offense might not even have been against Cloudflare. It might have received the reputation data from a partner, and it just propagated through the Bandwidth Alliance network.

That's not what Bandwidth Alliance is at all. It's about reducing or eliminating egress fees between a cloud provider and Cloudflare. Not sure where the idea that it's about sharing IP reputation data comes from.

https://www.cloudflare.com/bandwidth-alliance/

So, if Google Search started showing a CAPTCHA that's not Cloudflare.

I've been gradually removing cloudflare based CDNs from services I develop and control because I don't want my users being arbitrarily discriminated against.

There was a good article posted on HN recently titled "The ideal level of fraud is non-zero" which I think is highly relevant here... In essence any mechanism employed to prevent illegitimate use comes with a negative cost to legitimate users, if that cost is too high it defeats the purpose. i.e what's the point in a website that is completely immune to a botnet and also cannot be accessed by anyone else? unplugging the ethernet cable also effectively protects against botnets. More subtly the cost of outright rejecting some legitimate users is usually not worth the savings of rejecting 100% of illegitimate ones. I think Cloudflare's service has it the wrong way around: it currently accept blocking legitimate users far too easily, that is not an acceptable cost; whereas you should be letting a higher level of bots through to avoid pissing off legitimate users - if it's not obviously a DDoS, it's probably worth the bandwidth cost.

Consider the bigger picture, if you save a slither of a penny by blocking a bot, but also end up blocking or seriously inconveniencing 10 real users... is it worth it.

The space is in need of solid competitors to break the stranglehold they have on the internet. Whether it's the right combination of services, documentation, etc.

But Tor is an enormous source of abusive traffic and if I don't filter it, then that's harmful to site owners. I'm being forced to choose between the needs of people that I know, work with, and depend on financially, and the needs of people in countries with issues that are far outside my ability to resolve. It's not a hard decision.

between 2015 and ~2020, my home ISP was blessed with every recaptcha being 3 rounds of slow fade-in bullshit. I have also seen infuriating gaslighting of "please try again" after certainly correct solutions, as well as 5+ rounds followed by a notification that my network is entirely blocked.

I've developed a reflex to Ctrl+W upon seeing it, unless that is absolutely vital for me to get past it - which is exceedingly rare.

if I had a genie lamp, I'd waste one of my 3 wishes to do terrible things to the people responsible for that shit.

Tor users do not have any special properties over clear-net users besides low accountability for their IP space. There are other ways to acquire this type of setup that don't involve broadcasting a public list of known exit nodes as an act of good faith. Any sophisticated attacker will be able to easily get ahold of the IP space and bandwidth they need to do their work, whether it's through a botnet or simply because they operate out of some less-accountable country like China or Russia.

IP filtering: now you have two problems!

/s, obviously, I hope.

Blocking Tor isn't a security measure, it's a nuisance reduction measure.

You kid, but this is completely true Email is simply an incredibly flawed, outdated and broken system, especially when used without PGP. Phishing is a massive problem, and it has only continued to grow in scale because spam, uh... finds a way. At the same time, spam filters regularly create false positives, making email an unreliable transport (leading "oops, it got lost in my spam folder").

>Blocking Tor isn't a security measure, it's a nuisance reduction measure.

You should block all IP space, this will reduce nuisances by 100%. In fact, this will save you from having to consider any real security practices or do your job properly.

Tor's advocates in this thread keep trying to argue it from ideology, as though anybody's obligated to deal with Tor traffic on principle alone, and not one of them so far has tried to argue that Tor is not 90+% bots and garbage. Funny, that.

I have Tor installed, figured it would be worth adding my boring browsing to the mix sometimes, but since most sites I try to load block Tor exits, Tor browser now sits unused.

On the other hand, if I woke up tomorrow deciding to start a bot farm or whatever other malicious thing, or course I'd be interested in hiding through Tor and might try it again (don't worry, I won't wake up that way).

So even if a hypothetical 100% of global internet users really wanted to do all their browsing through Tor, they might all reach the same conclusion as me that too many sites are blocked and therefore leave Tor to mostly bad traffic. Of course it's nowhere near 100%, but hopefully you see my point that the sites blocking Tor IPs (and I absolutely appreciate why) can become a self-fulfilling prophecy - and I'm not sure how you'd get out of that loop?

https://www.linode.com/community/questions/22305/entire-ip-r...

Depends on what you imply under 'hard'.

As a IaaS provider I endured alk the hurdles about that and ten years later - I don't care, at least not until my outbound bill is bigger than usual.

Like some of the clients are on CentOS6, on a public facing machines.

But the signup spam was a headache. I didn't want to just blackhole Tor traffic, and tried to reduce the abuse with other tools, including some custom stuff. The final straw was a customer's small business site that had a MailChimp or Constant Contact signup form. Those vendors want you to embed their code by default to render the form, so you have less control over the form itself. There were workarounds, but they all sucked.

Tor bots would sign up email addresses through this newsletter form, and then I'd have to go through and manually scrub them before newsletters went out, or the service would penalize my client for too many bounces/unsubscribes/complaints. Very nearly 100% of the abuse on that particular form came from Tor IPs.

I do not want to spend my limited time on this Earth manually sorting out bots from humans because of one particular network. Blackholing Tor made that problem disappear immediately.

VPNs are dime-a-dozen now, cheap VPSs are available from lots of vendors, there's Wireguard, there's ssh, a clever person could even set up Apache or nginx as a forward proxy with ssl from LetsEncrypt. Tor is well over 90% abusive traffic (https://blog.cloudflare.com/the-trouble-with-tor/). This is a Tor problem, not a me problem. There are better alternatives available.

Solution: Require sign-ups by email, so the end account must actively send your mailserver a registration message. This also turns an open-loop control system into a closed loop control system, which is inherently easier to secure / keep safe.

Proper DMARC configuration is table stakes to send e-mail, which makes that anything but trivial.

Then put the form behind your monopolistic internet gatekeeper. There's no reason for a GET to redirect to a sysiphean captcha treadmill.

> . Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

Using tor hides your IP address from the website and makes switching exit nodes very straightforward, so you can run your account take over script in peace.

So yes, you can switch exits easily, but effectively your switching from one known bad IP to another bad IP.

I wonder if that's such a bad thing. Tor is safer when the traffic never leaves the network. In the ideal world, everything that matters would be inside the Tor network instead of being merely accessible through it.

I did tell Amazon about it, but it fell for deaf ears. The ban lasts for about a week and the internet is mostly unusable in that period

> The past few weeks I've been getting tons of redirects to verify my humanity before being allowed to view a webpage. Usually I just have to click the box that says human, not find all the ladders in a photo. SoFi is doing it every single time I log in. Petco, too, along with others who are more sporadic. This is happening with and without uBlock on. Same browser I've always used. ...

SoFi and Petco both use Cloudflare. I do exactly zero web crawling / scraping / abusive anything from my home connection.

I'm noticing a recent increase in volume of complaints about Cloudflare's human verification filter. I'm starting to wonder if they touched a dial.

I had already started pulling some infra back from Cloudflare after their last appearance in the tech news cycle. Now I've got an additional reason to continue doing that.

That you know about. Your house mates share the internet connection.

I’m guessing you have WiFi, so you may have unintended guests.

You probably have lots of devices, one of which may be infected.

Your ISP may have issued you a different IP which may have a negative reputation score.

You could be using a malware infected browser or browser extension.

There are lots of variables. You haven’t isolated all of the ones in your control, so assuming CloudFlare is the only possible cause isn’t rational.

Scaling to infinity isn't a right, it is a privilege. Any company that builds this sort of no-human-decision systems are abusing that privilege and hoping that anyone who suffers wrongly under their systems doesn't have enough voice (google seems to be the worst for this, though cloudflare seems set to follow).

This is actually the least likely these days... the no.1 cause would be CGNAT, the vast majority of residential endpoints share an IPv4 address with a huge number of users, mobile networks are even worse... that's before we even get to IP recycling for dynamic IPs which happens at high frequency with mobile networks again, so you will inevitably get affected eventually.

This is why it's a bad idea to block IPs outright, because today one IP address never equates to a single individual or the same set of individuals over time. The other problem with blocking IP addresses based on abuse is considering them equal in user weight, yet one IP might have 2 users, another might have 10000 users - Blocking a TOR exit node is a good extreme example of this... people think of it as an effective defence because of the concentration of abuse on that single IP address, but they fail to consider the concentration of users behind that IP address - TOR exit nodes probably are a slightly higher source of abuse per user, but not any where as high as per IP - if you measure abuse per IP you are more likely looking a rough picture of users per IP for highly NATed IPs.

What triggered your reaction? That they terminated a customer with zero notice?

Essentially, for a broad class of web-based businesses, they have made themselves gatekeepers. I'm sure they'll find a profitable use for this position. Charging outright would look bad, but investing in businesses that just happen to not run into Cloudflare-based trouble, but whose competitors do...

I'd guess the intent is unlikely to be anti-competitive or monopolistic, just over-aggressive. However regardless of intent their position does cause an absence of market forces to put pressure on fixing such issues - Similar to how it's become acceptable to have downtime when it's on AWS, because "everyone is affected".

As with any power and control you delegate to any entity, only time and good behavior will earn them your trust. That's theoretically what companies are competing for, your loyalty.

Being milked dry by a single DDoS is a hosting issue in my opinion, there should be sensible limits in place, AWS is notorious for making it very hard to understand and control this...

Even if you disagree and consider it a problem that must be solved with a separate DDoS protection service, this is not what I am talking about, I think it's a good idea - if there is a clear ongoing targeted DDoS attack, that system needs to engage and do it's best to try to filter through only legitimate users (which is the only point in time it makes sense to potentially block regular users - because the alternative is that no one can access the site).

The problem is this is not how cloudflare's protection operates, there is no throughput trigger, it's always on, it attempts to block bots at all times and has a very high false positive rate.

Had they just called AWS and explained the situation, they would likely still be in business.

I keep a backup DDoS mitigation service for my entire network that costs me less than $200/mo to mitigate up to 100 Gbps.

It comes from the Cloudflare blog. https://blog.cloudflare.com/cleaning-up-bad-bots/

There’s a support page about it too. https://developers.cloudflare.com/bots/get-started/free/

Edit: team tells me this idea never got off the ground. Did talk with some potential partners (which did NOT include Google) but didn’t happen. So if Google was throwing CAPTCHAs it wasn’t because of our IP reputation.

PS: I love all the innovation and engineering stuff you guys regularly share on the Cloudflare blog. It’s [almost] always an interesting read. Even though I’m no fan of the massive centralization your company has caused.

I don’t understand why you saw one minute block screens. That’s not right. Should be seconds.

I’m talking with the team about your other points.

This is the most serious problem with all of the major companies these days. Cloudflare, Google, Apple, etc. When you get on their "bad side", you're just screwed. You'll never even know what got them mad at you, and there's nothing you can do to recover.

The only reasonable way to deal with this is to avoid them all to the greatest extent possible. You have no control over whether or not you deal with Cloudflare, unfortunately, which makes them the worst of the lot.

That doesn't sound right. You shouldn't see a loading page for over a minute. If you're open to providing more details privately I'd love to help troubleshoot. You can drop me an email at amartinetti @ cloudflare.

Edit: see comment above.

Really?

> Once enabled, when we detect a bad bot, we will do three things: (1) we’re going to disincentivize the bot maker economically by tarpitting them, including requiring them to solve a computationally intensive challenge that will require more of their bot’s CPU; (2) for Bandwidth Alliance partners, we’re going to hand the IP of the bot to the partner and get the bot kicked offline; and (3) we’re going to plant trees to make up for the bot’s carbon cost.

Still, it doesn't excuse Cloudflare that there's no redress if you are caught on a block or even a clue on what you can do to reduce it (especially that Spamhaus do have redress procedures).

How about _also_ pointing to a knowledge base article for how an end user could go about working out what network activity from their IP might be flagging Cloudflare’s systems?

One source of that would be a blog post on your company's website that was actually authored by you! Point 2 below:

>"Once enabled, when we detect a bad bot, we will do three things: (1) we’re going to disincentivize the bot maker economically by tarpitting them, including requiring them to solve a computationally intensive challenge that will require more of their bot’s CPU; (2) for Bandwidth Alliance partners, we’re going to hand the IP of the bot to the partner and get the bot kicked offline; and (3) we’re going to plant trees to make up for the bot’s carbon cost. [1]

So it's not such a far-fetched notion is it?

[1] https://blog.cloudflare.com/cleaning-up-bad-bots/

https://developers.cloudflare.com/firewall/recipes/block-ip-...

I was surprised to learn Cloudflare was born out of Project Honeypot, so I am guessing Cloudflare does share data with them:

https://www.projecthoneypot.org/cloudflare_beta.html

This tactic is quite common among BigTech and something I've experienced with both Google and Amazon - once you are hooked onto their product, one day they will suddenly deny some aspect of their service to you and force you to share more personal data with them to get access to it. For example, Amazon will one day start to ask you to click a link sent to your mobile to access their account, or Google or Microsoft will block your account and ask you for your mobile number to "verify" you etc. When you are blocked from using a service suddenly, however privacy conscious you are, in your desperation you will be forced to comply.

I have experienced this with CloudFlare too once when many website were suddenly blocked for me by CloudFlare on all browsers and I was forced to install their extension to access some information I needed from a website urgently. I have no doubt in my mind that even otherwise, they just deliberately and randomly blocked access to some sites and displayed their "captcha" page just for PR and "brand awareness". Now that CloudFlare has realised this is backfiring on them because of the negative emotions being associated with their brand, they have now redesigned their "captcha harassment" page to give less prominence to their branding than before.

That person should start with the assumption they haven't been misclassified and eliminate the possibility that a device on their network is compromised.

I do think Cloudflare could do better here to let the owner of an IP know why they're suffering from poor reputation.

However, it's not immediately clear to me how they could accomplish this without weakening their side of the car vs. mouse game.

[1]: https://easydns.com/blog/2020/07/20/turns-out-half-the-inter...

We did have it working mostly fine for some time back in 2021 but haven't been able to since.

There are multiple open issues reporting this on the GH repo with no real follow-up from maintainers apart from maybe a "should be fixed, open again if still an issue".

ie https://github.com/privacypass/challenge-bypass-extension/is...

Probably from scam called mail blacklists

[0] https://www.cloudflare.com/bandwidth-alliance/

If two independent sites believe you are a bot, you or something at your address just might be.

Spoiler alert: many websites simply refuse to load at all (e.g. any google service, and lots of websites "protected" by CF). Captchas are everywhere: in many cases, you can't even complete simple GETs of blogs without donating free labor to CF.

And the most infuriating part, you get CF marketing messages right in your face while your browser is calculating hashcash (I guess?)... At this point I can recognize every single one of them: something about bots making up 40% of all internet traffic, something about their web scraper protection racket, something about small businesses (???), etc etc...

To be fair, Tor exit nodes have an awful reputation for sure. Nevertheless, I have a hard time forgiving how CF makes browsing the Internet hell for those who actually need Tor.

Yeah, there's something amazingly aggravating about CF telling you how much traffic is bots while showing that they can't distinguish you from a bot.

The fact that humans are seeing the traffic meant for bots is an unfortunate side-effect.

I personally welcome our future bot overlords (not only because being unwelcome might be unhealthy for me — why would I publicly disagree with an overlord or not want to be their friend?).

The fact is that CloudFlare distinguishes abuse (DDoS at IP layers 3 and 4) completely separately from bot detection. And it allows user controls to domain owners to allow some bots like Google Search Crawler.

So my statement stands: I want to see a citation of evidence that CloudFlare doesn’t have the ability to distinguish abuse.

I have bad news about the most-likely fix for it, longer term, so we can lay off the IP-based reputation stuff and the geo-blocking: it's tying some form of personal ID to your browsing activity, so that bears the reputation instead of the address.

Sorry. Said it was bad news.

Basically, the core problem is digital identities (accounts, IPs, phone #s etc.) are cheap to create (even considering captchas and all) so fraud is easy. The solution could be just to make it "costly" to create new digital identities. For example, you could get a "verified but anonymous" identity issued by locking some assets (could be real world money, or maybe something intangible like community reputation) as collateral with a trusted party (or, for the crypto people, the blockchain). If you misbehave, you lose your reputation on that identity (and essentially your collateral) and have to start over. This lets anyone bootstrap a "minimal" level of trust at the beginning before they can use time to prove themselves trustworthy.

Note: This model might remind some of things like staking in crypto. However the idea is really not anything new... Putting money on the line is really how most low-trust bootstrapping happens.

*: To name a few:(1) this can result in participation being gated by wealth, which can be unfair. (2) it makes accounts more valuable to hack so people need better security practices [re: twitter checkmark]. (3) one would need some authority to decide how accounts lose their collateral or maybe the collateral is just burned to create that initial credibility...

We already use this model in practice. It's why so many services require a phone number verification now - they are hard enough to get en-masse, especially if you block things like Google Voice. They even have a big advantage in that they are comparatively hard to hack, as the SIM card is effectively a weak form of physical security key.

I think the big problems this causes is discussed on HN quite often.

Similar, the internet is already very difficult for the people with limited means. This would make it even harder.

Go down to your local post office.

They physically hand you an identity token on a physical $2 2fa device if you give some evidence you live nearby. You can put down the deposit or hand over the device for an old id which is cleared and reused.

It's traceable to the post office but no further, nothing is recorded other than that the token is deployed and roughly when.

Local communities can be responsible for cleaning up local messes. No need for the scammers two cities over to effect your reputation. No need for a corrupt employee handing out tokens to effect the reputation of the token you got ten years ago.

And the governments of the world are going to do this is an anonymous way?

Who is going to manufacture these 8 billion (Or at least 3 billion if we only count Facebook's MAU) tokens?

And there still needs to be a global database of valid identifiers, else anyone could just create a software token that they can reprogram ever second.

And we expect all people to carry these 2FA tokens perfectly?

And what happens when someone looses this token? The post office has way to prove you owned that token in your proposal.

Same thing for revoking a token. There is no identity out of the token, so how do you revoke it after it is lost? People are not willing to store a piece of paper in a security deposit box.

This "easy" solution is impossible in practice.

The only purpose is to provide evidence of not being a bot. Not to log in or verify identity. You don't need a server or proof that a particular token is owned by a particular person, just a cert chain and a list of postcodes with current public keys. The post office has a private key. They sign a message saying 'the holder of this token walked into the store'. Let servers make whatever judgements they wish about the chain's credibility. If a particular key signs lots of bots then you know where to look for the source of the bot farm and the people that live there know where to look to fix their reputation.

It doesn't need to roll out simultaneously. Just be an alternative to captcha that isn't as abusive as device attestation.

The manufacturers will be the same ones that manufacture the hundreds of billions of usb drives and phones and smart light bulbs.

The only problems are it's not as useful for abusing users or spying on citizens as revoking access to general purpose computing, and idiots who project problems onto it that come from use cases that are not proposed or say 'big number make thing impossible'.

As for identity theft, it's actually not that common/easy except in the US (which has no centralized national ID issuer and largely depends on hacks building on the SSN).

An besides, protecting digital identity is already important even without this bootstrapping.

> Imagine if your Twitter gets hacked and your digital identity makes it so your Gmail gets blocked.

Flip the services around and you have the reality of today.

I hear that porn tends to be officially frowned on in a fair number of places.

Reading non-approved news is dangerous in some places.

Honestly debating political topics can be super dangerous if you're identifiable.

Sometimes even having a login on a site is dangerous, I think I heard about this after a non-mainstream discussion site got hacked like a hear and a half ago.

- A user bearing a client cert with the name "Jonathan Grant", signed by a U.S. government agency which is known to verify that its signees' certs are a citizen of the United States.

- A user bearing a client cert with the name "Michael Black", signed by Alice, who is known to only sign certs after verifying that the real-world identity of the signee matches the name on the cert.

- A user bearing a client cert with the pseudonym "c00ln4m3", signed by Bob, who is known to only sign a single cert for any given real-world person. (To do so, he verifies the person's real-world identity but does not reveal which cert corresponds to which person.)

- A user bearing a client cert with the pseudonym "hunter217", signed by Charlie, who is known to sign certs without verifying the real-world identity of his signees at all, but who is also known to revoke his signature on certificates if a service provider complains about the user bearing that cert.

- A user bearing a client cert with the pseudonym "cypr3ss", signed by David, who is known to charge $1000/year for a cert bearing his signature but performs no other identity verification.

The point of listing out these different scenarios is that the underlying mechanism (client certs) is the same, but the end-user and the service provider don't actually have to trust each other: they only have to agree on a CA with mutually acceptable policies.

This also reminds me of the anxiety of Google deciding to just ban my account for some reason. They can't be bothered to commit resources to making sure mistakes can be resolved. They don't care to lose a fleetingly small percentage of customers.

Not sure I have an answer. Just a thought.

I'm not understanding the generalized sentiment here. How would, for example, a retailer benefit from this strategy? How does it protect their bottom line?

I can see how a particular kind of "facilitated user economy," such as games, gambling and promotional companies could benefit, but it doesn't seem that broadly applicable to what most people would consider a "mainstream" business.

> so we can lay off the IP-based reputation stuff and the geo-blocking: it's tying some form of personal ID to your browsing activity

And a new market for identity theft is born.

Also, as someone who serves content and geo blocks it, that's not up to me, that's up to the owner of the content or whoever happens to be licensing it for them. So, even if you sent me a picture of your government ID, it changes nothing.

The amount of automated and apparently-manual attempted credit card fraud (and exploit attempts, for that matter) any halfway-prominent site with a CC form is subjected to is hard to appreciate if you've never seen it. It's a whole lot. They aren't even necessarily trying to buy what you have, but to validate that their stolen cards work. And they're quite busy. If too much of that gets through—really, any more than a very tiny amount of it gets through—you're gonna have an extremely bad time.

Various CC service providers like Stripe do provide tools to try to block those attempts, but defense in depth is usually a very good idea, including fairly aggressive firewall-level blocking.

A couple of examples I can think of is blocking bots from scraping their site for pricing and details and from resellers from buying up all of the stock (see sneakers, electronics, etc). The last example doesn't directly impact their bottom line, but it will make customers go elsewhere.

That wouldn't just be bad news, it would be disastrous news. It would immediately render the entirety of the web worthless to me.

And once your spammer has been identified then that's them banned/removed, unable to sign up again.

Would you have to submit a dispute with the internet credit agencies? Maybe join a class action suit against the entity that leaked your ID so that they're forced to give you a year of free internet identity monitoring?

We should be reforming our current credit agency system, not empowering it with a new mandate of judging somebody's social or political creditworthiness.

Keeping with the cloudflare topic, if Cloudflare only permits you 10 requests per second (HTML + JS/images) that's still usable for web browsing, but someone running a cloud of hundreds of bots would be effectively shut down. Similarly with email, an individual probably doesn't need to send more than one email per 10 seconds but email spammers wouldn't find any ROI at that rate - business needs being different might necessitate a different registry or something in that case.

A few months ago I got on Akamai's naughty list (with my other ISP) for some very light automated website downloading. That was a straight block with HTTP errors and I had to use a proxy to access the Web. It cleared up after a few days.

The lack of any user feedback or support for this situation is really annoying. Reminds you how much power the CDNs have. It'd be really bad if loading websites got as difficult as sending email through all the layers of spam filtering.

Things you might use an internet connection for in your Tesla include triggering air con remotely, live traffic and satellite maps, streaming music or online radio, web browsing, or YouTube/Netflix/Disney+ clients.

It completely refuses to use IPv6 over mobile or wi-fi. Also it refuses to access anything over IPv4 (apart from DNS) which resolves to an RFC1918 address, even if it's connected to said RFC1918 network.

So yes, Starlink and Tesla are different companies, but I see cultural parallels which I'm sure surprises nobody.

FWIW there've been hints from time to time that Starlink was working on IPv6; users reported being given working addresses. That mostly stopped though when they handed over ISP operations to Google last year.

I've been noticing this too, and it's why Starlink remains my secondary ISP/bulk transfer connection. If I had to drop one connection, I'd drop Starlink for this reason alone.

There are some sites that I simply can't browse, and it's not Cloudflare errors, either. Lowes, in particular, simply returns error pages for anything but the main landing page on a regular enough basis. Of course, my observed public IP changes so it's not consistent, but it's genuinely annoying.

Could cloudflare legally charge them a bribe to captcha their users less? It isnt good to have a company in this position of power if so.

Why are you using Starlink at all if you have other options?

I've had several area WISP connections, as there's no wired infrastructure to my area, and they vary in quality. I work full time remote, so I need two connections as a general habit - I can work with one, but when that one is down for a week straight, I have problems. I like being able to fail over.

I typically keep one connection for "interactive" traffic, and one for "bulk transfer/failover" - things like my local Ubuntu repo mirror, offsite backup traffic, etc. And I can fail to it if needed, which I do often enough.

On a good day, Starlink is far better than my WISP connection, and I have some machines routed out it persistently. On a bad day, I can't hit much from it, because that particular public IP has been blocked from large parts of the internet. It's very hit and miss, and overall bandwidth has definitely dropped from the early days, though reliability of getting packets where they need to go is drastically improved.

I could do a range of things to solve it, but as I have two ISPs, I typically just switch to the one that works better for the solution. I'm aware it's not a technically fancy solution, but it's quick and easy (change the gateway on the machine), and works fine.

Edit: spelling

Starlink is at least 10 better (fewer captchas).

I'm really hoping cloudflare gets busted for having backroom deals with big ISPs or something. (For instance, if the cgnat had a cloudflare CDN cache endpoint behind / accociated with it, I suspect the IP would be white listed.)

I told it before and tell it now again: Cloudflare is dividing the World between first and second/third World countries with their captchas. I call it discrimination of second/third World countries! If you are from US and Europe you will never notice it but if you travel a little bit more you see these blocking captchas everywhere.

I do these things as well. It’s been months since I’ve seen a CloudFlare challenge page.

You are complaining about the use of IP as an imperfect signal. Everyone involved knows that. But it’s still better than the current alternatives.

You would be surprised to see how easy it is to hack domestic routers.

1. Find and disinfect the devices, including the router. If you don’t have enough technical knowledge, then buy a new router.

2. Use 30 character long random password on the router.

3. Disable UPnP.

4. Anything with WI-FI and weak password can be hacked within minutes, so check your other devices as well, especially IOT ones.

Tarpitting (serving content slowly from the edge, in order to slow down bots) is necessarily one of the most expensive tools in a WAF/CDN's toolbox.

It's much more likely that something on his network is sending sketchy traffic to CF-fronted/Google sites, and the slow loading he's experiencing elsewhere is because his upstream is being saturated by whatever is happening on his network.

https://google.com/search?q=mikrotik+botnet

These things are the absolute scourge of the internet.

I don't recommend them to anyone who doesn't enjoy and are familiar with the lower-level intricacies of network operations.

It's almost certainly compromised.

UPnP allows devices inside your network to open ports to the outside world without your knowledge. I think everyone should avoid it if they can get by without it

So what's your alternative for peer to peer connections? Static routing that the common end user can't figure out? Re-centralize connections?

UPnP is necessary.

There is no "perfect" solution here because the real world is a messy place with devices that you cannot personally vouch for.

I know they haven't done anything like that yet. But the technical capability is there, and we all know how short is the distance between technical capability and doing it, when the appropriate pressure is applied. So I wonder, how long before activists start demanding for CF to boot people from the internet, and how long before CF caves in to that...

Fact-less conspiranoia.

The CIA has the operators, equipment, and info to be able to kill almost any US citizen in a couple of hours for arbitrary reasons. How many times have they done it?

You are overweighing how much technical capability factors in and very much underweighing the costs of doing something like that. Opportunity costs, collateral damage, unintended consequences, reputation costs, brand harm.

Hell even ethics and morals of those involved. Who do you know would want to work for a company that did that? Who do you know would program that feature and not say anything about it? Why do you believe that CloudFlare would have so many of those kinds of people working there, but you know so few?

Why not make the same complaint about your ISP, your hardware manufacturer, your OS manufacturer? You have exactly the same amount of evidence they are doing this or could do this.

Remember that US criminal system attributes 3 elements to a crime: {means, motive, and opportunity} and even then we use evidence and an assumption of innocence. You just threw out every part except “means”.

I’m not defending CloudFlare here so much as tired of conspiracy theories and paranoia and social panics. We have enough of those things right now.

Pretty much anyone who works for Twitter, Facebook, Google, Paypal, Venmo, Amazon, Microsoft, Gofundme, Mailchimp, Tiktok, Reddit, Nextdoor, and many other tech companies routinely engaging in censorship and unpersoning. The idea that people in tech are some kind of high morals freedom lovers that would never work for a company that censors doesn't suffer even minimal scrutiny. If anything, they'd refuse to work for a company that doesn't censor enough - Twitter workers were in utter screaming panic when they thought Musk could but Twitter and relax the censorship a bit. So if anything you just disproven your own argument - maybe what will force CF to censor is not external pressure but the internal one. I don't see why Cloudflare workers would be any better than Twitter ones.

How would we know?

Non-falsifiable claims are easy and limitless. Their credibility without evidence should be proportional.

I think the eschaton would be pretty hard to miss, what with the rapture and the final battle at Armageddon and the horsemen and whatnot.

The CIA’s entire bailiwick is covert operations. A government agency that’s been specially trained to engage in illegal covert operations involving lethal force without getting caught isn’t going to leave too much evidence, which means a lack of evidence doesn’t really tell you anything either way.

That having been said, the CIA was involved in the Obama-era drone strike program that ended up killing four US citizens (only one of whom was deliberately targeted). Frank Olson also died in suspicious circumstances connected to MKULTRA in 1953.

I love how people reflectively answer with cries of "no evidence!" to something that presents the evidence about exactly the thing they are claiming has no evidence. I get a distinct impression that the only person they're trying to convince is themselves, by self-hypnotically denying the reality in public.

There's a fact of CF booting sites, there's a fact of CF having IP blacklist, there's a fact of getting into IP blacklist being a very frustrating experience, there's a fact of various activists itching to make the lives of their political enemies a very unpleasant experience and launching successful pressure campaigns to do exactly that.

Did that happen with CF and IP blocking? No, I explicitly said it didn't, at least - I don't know any cases of it. But there's a lot of facts confirming there's a capability and motivation to do so. You may not believe it would happen, and you have a right to believe so, but when you are denying known facts, I don't think your beliefs are based on anything but wishful thinking. Your argument would be strong if you showed that, despite the known facts, it still couldn't happen. But instead to claim it couldn't happen you have to deny the facts.

> How many times have they done it?

Probably more than I know, but it's too big to bother with me, so I'm not too concerned about it right now. Maybe if I was in the same business as Assange, I'd be worried more.

> very much underweighing the costs of doing something like that.

Like what costs? You mean to say, no major provider would dare to boot the person from the Internet? Like Facebook, Twitter, Paypal, Venmo, Gofundme, Google, Amazon, Microsoft, Mailchimp, Tiktok, etc. would not dare to block people for political dissent and expressing unpopular opinions? Because, you know, opportunity costs, collateral damage, unintended consequences, reputation costs, brand harm. That' just couldn't happen. All that is fact-less conspiranoia.

> Why not make the same complaint about your ISP, your hardware manufacturer, your OS manufacturer

I can buy different hardware. I can install different OS. With some effort, but I can connect to a different ISP. Any of that won't help if Cloundflare would refuse to talk to me.

> Remember that US criminal system attributes 3 elements to a crime

Oh, but that's not a crime. That's the beauty of it - remember, it's a private action of a free enterprise, and you have no rights there. And even if the government would hold weekly meetings with Cloudflare suggesting them who exactly needs to be banned, it's still free enterprise, right? I mean, excluding the fact that the government would never do something like that, because reputation costs, brand harm, etc. That's another instance of fact-less conspiranoia, of course.

> I’m not defending CloudFlare here so much as tired of conspiracy theories and paranoia and social panics.

That's nothing. Imagine how tired you'd be when it turns out everything you thought is "paranoia" is actually happening. Of course, it would never happen to you - you'd never disagree with the government, or any people in power, or voice any unpopular opinions in public, would you now?

> That's nothing. Imagine how tired you'd be when it turns out everything you thought is "paranoia" is actually happening.

Every genius and every crackpot experience this. The sad fact is that crackpots outnumber geniuses by a factor of hundreds.

You missed my point about means, motive, and opportunity by a mile.

None of the web services/app you mention block specific visitors; only accounts. Again, my entire comment was specific to the hypothetical capability and desire to block per visitor, not domain/account or IP.

> None of the web services/app you mention block specific visitors; only accounts

So? How the situation with visitors is specifically different? Yes, they didn't want to block visitors for now, but what if they feel like it?

[1] https://www.derstandard.at/story/1389860104020/eu-gerichtsho...

It’s against copyright laws too, unless you get the right holders’ go-ahead first.

Some regional differences, but it’s mostly not allowed with a few exceptions for some institutions.

1) refuse to take responsibility for content they host by claiming they don't host

2) discriminate against huge parts of the Internet with no publicly known rules, nor methods to change that discrimination

3) make the abuse reporting process intentionally difficult and time-consuming

4) want to aggregate all the DNS data they can by making a deal with Firefox to turn on DNS-over-https by default without asking or even informing end users

5) want to re-centralize the Internet, in part so they can mix bad actors with good, in ways that make blocking next to impossible

How many of them do the discrimination we're all writing about here?

Hosting is providing services without which a presence on the Internet won't work. Hosting was around before the web, so how is it that you think you can magically come along and declare, "this is now the definition of hosting"? Only through bullshit.

If by "scammy and attacky parts of the internet" you mean whole countries, good for you for being an elitist.

I'm happy that you've "had an answer back within 24 hours", but that doesn't address the fact that it's time consuming and arduous. Notice that you didn't respond to that part at all. Their reporting site doesn't have an option for spam (because they don't care), the Javascript allows more text to be entered than the form will accept (so you have to know to go and delete some), and it doesn't allow nearly enough in the first place. For someone who wants to forward abuse to abuse@cloudflare, it's shitty and it's a way to discourage abuse reporting.

So tell me about how Google, Facebook and Amazon have never lied about what they're doing with data. Then go ahead and explain to me how it is that we're just supposed to trust Cloudflare. Audited by whom? When? How is there conclusive, testable proof that the data isn't analyzed or siphoned off somewhere else? Are you ignoring the fact that this is in part an attempt to become a monopoly, and in part an attempt to make it so that network-level filtering next to impossible? You didn't reply to any of this, which makes you seem all the more like a paid shill than someone who actually cares about an exchange of ideas.

But then you say, "every cdn centralizes the internet", which means you're either willfully ignoring the points brought up here, or you're really, really clueless and don't know how to respond to point brought up, so you talk about other things instead.

We don't need any more paid shills. If you really don't understand the points brought up about how Cloudflare is working tirelessly to become a monopoly in ways that are measurably different from regular CDNs, then ASK. If you don't understand how we (the Internet collectively) are going to assume that Cloudflare cares more about making money than about doing the right thing, then please look at all the privacy nightmares we've learned about Amazon, Google, Microsoft, Facebook, et cetera.

If you're just here to tell us how much you love Cloudflare, that's fine, too, but you don't do that by just randomly disputing points with irrelevant responses.

PS Proud user of Firefox + resistFingerprinting=true PPS Ain't nothing better than CF guard page constantly-reloading on 20% of sites if you open some url :( No, fella, you first have to open the root '/' page so that guard page finally can either pass me through or show the cloudflare captcha. Ugh. Progress, they say.

I get that this sucks for the end user, but I wonder how much we should blame Cloudflare vs the wider systemic challenges of managing DDOS protection on the web.

Or are you suggesting that if you're having trouble visiting sites because of Cloudflare, you should become an enterprise customer? (slightly sarcastic, but not completely)

I'm wondering (genuinely!) if you are speaking as an enterprise customer or a free plan, or what.... both for the sake of meaningful discussion and potentially learning about even better options for my own work.

As to the article - I fully believe the responsibility lies with site owners to pick and choose how they want to serve their sites. Nobody is forcing them to use Cloudflare on a free plan, or to ignore any analytics it provides and make sure it is serving their customers correctly. Cloudflare is one piece of a delivery solution, and only works as well as you configure it. If your decision for your app is "I'll just use the free plan, and let Cloudflare decide everything for me" then you get what you pay for.

If Cloudflare is getting in their way, they can go somewhere else.

1. Packet routing

In other words, I wish services like Cloudflare were made illegal.

I'm from Hong Kong and suspect the whole territory is on the naughty list.