
Flowtrackd: DDoS Protection with Unidirectional TCP Flow Tracking - jgrahamc
https://blog.cloudflare.com/announcing-flowtrackd/
======
invokestatic
Cloudflare essentially centralizing the Internet is disturbing to me. They
have the capability to MITM huge swathes of internet traffic, and coupled with
the fact they’re a US company, I’m pretty wary of them receiving some sort of
order from the NSA.

Every time I’ve used Cloudflare, it’s been on a dedicated, cookieless
subdomain serving static content only. Call me paranoid, but this company may
be doing serious damage to our privacy online.

~~~
stiray
It is the same thing as google, amazon or microsoft - they are all
centralizing the internet.

I have written a MITMing proxy that is capable of blocking by ASN
([https://en.wikipedia.org/wiki/Autonomous_system_(Internet)](https://en.wikipedia.org/wiki/Autonomous_system_\(Internet\))),
besides blocking domains and other things we are used to from the times of
Proxomitron. I once tried to block all 3 companies to see what would
happen.

Nothing worked any more. From CDNs breaking pages on those rare occasions
where they weren't hosted on some cloud owned by those 3 companies. Even
DuckDuckGo wasn't accessible any more.

The funny thing was that Yandex and Baidu were still working flawlessly.

Welcome to the dark ages of the internet, we blew it. Instead of being capable of
surviving a third world war (as it was designed for) it is now in the hands of 3
companies out of pure laziness, lack of knowledge and greed.

(I will release the proxy in the next 2-3 months)

~~~
fivre
Is this stuff news to people? Having worked in that segment of industry, yes,
that is how things largely work now, and that's largely how they've always
worked, even if perhaps there's a bit more consolidation now (market factors
do that somewhat automatically, if not always in the same direction).

This may be my relative youth, but I don't really recall people complaining
that Akamai or--well, I don't know as good an analog to the modern major cloud
providers, but maybe, say, Equinix or Rackspace--handled so much of the
internet back in the day.

Cloudflare may have more of a consumer brand presence because they
intentionally market that with their free plan, branded error pages (the
"Intel Inside" of CDN services), and ancillary services (1.1.1.1 and their
phone VPN), but it's not like the internet of yore was some decentralized
collaboration of freeholder fiber owners running their little own 1-person ISP
cum hosting provider. Maybe in the early, early, more academic and hobbyist
days, but I don't think it's surprising that those were more of an anomalous
landscape after the internet's birth than the norm.

------
njsubedi
More and more of the internet is now moving behind Cloudflare, one feature at
a time. I saved a serious amount of money just by using the free service
they offer. I am astonished every time Cloudflare comes up with a solution for
the problems of the internet.

~~~
cremp
> More and more of the internet is now moving behind Cloudflare

This is a big double-standard here on HN. Everyone hates Google for making
decisions on behalf of the internet as a whole; yet Cloudflare has done the
_exact_ same thing with a different OSI layer.

I'm not very trusting of Google, but I certainly don't trust Cloudflare any
more so, because they keep things much closer to the chest.

~~~
infogulch
> double-standard

Meanwhile upthread...

> Cloudflare essentially centralizing the Internet is disturbing to me.

Maybe different people have different standards, and HN isn't a completely
homogeneous group with a single viewpoint. _Just like every other group where
individuals are free to express themselves._

------
gruez
This seems like a marketing piece light on technical details. For instance

>flowtrackd is then able to determine if a packet is part of a new connection,
an open one, a connection that is closing, one that is closed, or if it’s an
out of state packet.

How?
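
An added illustration of the question asked above (editorial example; it is not code from this thread and not Cloudflare's flowtrackd, whose internals the post does not describe): a toy state machine that classifies TCP packets while seeing only the client-to-server direction, which is the situation the post describes for Magic Transit. The state names, the idle timeout, the session trace, the spoofed-ACK flood and the "out of state" ratio heuristic are all constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
"""Toy unidirectional TCP flow tracker (added example, not flowtrackd code).

Only the client->server direction is visible; the SYN/ACK and the server's
FIN are never seen, so state must be inferred from the one side we observe.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

# TCP flag bits as laid out in header byte 13 (RFC 9293).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class State(Enum):
    SYN_SEEN = "syn_seen"   # client SYN observed, handshake not yet confirmed
    OPEN = "open"           # client sent its handshake ACK or data
    CLOSING = "closing"     # client sent FIN
    CLOSED = "closed"       # RST observed


class Verdict(Enum):
    NEW = "new"
    OPEN = "open"
    CLOSING = "closing"
    CLOSED = "closed"
    OUT_OF_STATE = "out_of_state"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    ts: float


FlowKey = Tuple[str, int, str, int]


class FlowTracker:
    """Tracks flows keyed on the 4-tuple of the single visible direction."""

    def __init__(self, idle_timeout: float = 120.0):
        self.idle_timeout = idle_timeout
        self.flows: Dict[FlowKey, list] = {}   # key -> [State, last_seen_ts]

    def classify(self, p: Packet) -> Verdict:
        key = (p.src, p.sport, p.dst, p.dport)
        entry = self.flows.get(key)
        if entry is not None and p.ts - entry[1] > self.idle_timeout:
            del self.flows[key]          # stale entry: forget it
            entry = None

        f = p.flags
        is_syn = bool(f & SYN) and not (f & ACK)   # initial SYN, not a SYN/ACK

        if entry is None or entry[0] is State.CLOSED:
            if is_syn:
                self.flows[key] = [State.SYN_SEEN, p.ts]
                return Verdict.NEW
            # ACK/FIN/RST for a connection we never saw open (e.g. an ACK flood).
            return Verdict.OUT_OF_STATE

        state = entry[0]
        entry[1] = p.ts
        if f & RST:
            entry[0] = State.CLOSED
            return Verdict.CLOSED
        if is_syn:                       # 4-tuple reuse: treat as a fresh connection
            entry[0] = State.SYN_SEEN
            return Verdict.NEW
        if state is State.SYN_SEEN:
            if f & FIN:                  # FIN before the handshake completed
                return Verdict.OUT_OF_STATE
            if f & ACK:                  # third handshake packet or first data
                entry[0] = State.OPEN
                return Verdict.OPEN
            return Verdict.OUT_OF_STATE
        if state is State.OPEN:
            if f & FIN:
                entry[0] = State.CLOSING
                return Verdict.CLOSING
            return Verdict.OPEN
        # State.CLOSING: client ACKing the peer's FIN, or a FIN retransmit.
        return Verdict.CLOSING


def run(tracker: FlowTracker, packets: List[Packet]) -> List[str]:
    return [tracker.classify(p).value for p in packets]


def constructed_trace() -> List[Packet]:
    """Constructed sample: one legitimate session, then a spoofed ACK flood."""
    c = ("198.51.100.7", 40000, "203.0.113.10", 443)
    session = [SYN, ACK, PSH | ACK, FIN | ACK, ACK]
    pkts = [Packet(*c, flags, float(i)) for i, flags in enumerate(session)]
    pkts += [Packet(f"192.0.2.{i}", 50000 + i, "203.0.113.10", 443, ACK, 10.0)
             for i in range(1, 6)]
    return pkts


def out_of_state_ratio(verdicts: List[str]) -> float:
    """Fraction of packets matching no tracked flow; a crude attack signal."""
    return verdicts.count("out_of_state") / len(verdicts) if verdicts else 0.0


if __name__ == "__main__":
    verdicts = run(FlowTracker(), constructed_trace())
    print(verdicts, out_of_state_ratio(verdicts))
```

The point the example makes is the asymmetry: with one direction visible, a flow can only be promoted to "open" by the client's own handshake ACK, so a spoofed ACK flood against an unseen 4-tuple falls out as "out of state" without any reply traffic being available to check it against.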

~~~
xmichael0
That is common with Cloudflare... Never understood why so many tech. praise
them when clearly many of their claims are false. You would think that 99% of
the internet was under a ddos attack 99% of the time.

~~~
jgrahamc
_Never understood why so many tech. praise them when clearly many of their
claims are false._

Which of our claims are false according to you?

~~~
fapjacks
We can start with DNS ANY queries. Cloudflare lied their way through this
whole process, with the claim that CF were just following standards, when in
fact it was exactly the opposite: Not conforming to the standard while
simultaneously pushing through draft changes to the standard in order to
support CF's business decision. I'm a trusting guy, and took CF's claims of
championing privacy to heart, but this move completely blew that out of the
water. Nowadays, I genuinely wonder sometimes how long until someone blows the
whistle and it turns out CF is building dossiers just like Google, and renting
out access to governments and law enforcement and adtech, shoveling even more
crap onto the pile.

~~~
majke
It was me who was pushing for DNS ANY changes, and I'm pretty proud of it. If
you worked on any DNS software, you would see how messy handling ANY was.

Fundamentally the question is about Zones. I personally don't believe "zones"
in the modern internet make sense. Modern DNS is not pure-bind/flat file. It's
autogenerated labels, managed and pulled from different sources.
Fundamentally, answering ANY is at least super hard if not impossible.

I'm sorry you think we were not transparent. I wrote two blog posts, and
helped with the draft to promote the deprecation of ANY. But the real push to
do something about ANY wasn't us - it was Firefox, which tried to query resolvers
for ANY in order to save an AAAA query for IPv6. This is totally bonkers. It proved
that nobody understands ANY and that it only brings cost and confusion.

[https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/](https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/)

[https://lists.dns-oarc.net/pipermail/dns-operations/2015-March/012899.html](https://lists.dns-oarc.net/pipermail/dns-operations/2015-March/012899.html)

[https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/](https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/)

[https://tools.ietf.org/html/rfc8482](https://tools.ietf.org/html/rfc8482)
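
As an added example of the RFC 8482 behaviour linked above (editorial code; not Cloudflare's DNS server and not posted by anyone in this thread): a minimal authoritative responder in raw DNS wire format that answers an ANY query with the synthesised HINFO record from RFC 8482 section 4.2 and serves other types from the zone as usual. The zone contents, the TTLs and the query ID are constructed; the name and address use the example.com and 192.0.2.0/24 documentation ranges. Name compression, EDNS and TCP are deliberately left out.

```python
"""Minimal DNS responder showing RFC 8482 handling of ANY (added example).

Handles uncompressed names only, which is enough for the self-built queries
here; a real server must also handle RFC 1035 name compression, EDNS, TCP
fallback and much more.
"""
import struct
from typing import Dict, List, Tuple

TYPE_A, TYPE_HINFO, TYPE_ANY = 1, 13, 255
CLASS_IN = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

# Constructed zone: owner name -> {rtype: [rdata, ...]} with rdata pre-encoded.
ZONE: Dict[str, Dict[int, List[bytes]]] = {
    "example.com.": {TYPE_A: [bytes([192, 0, 2, 1])]},
}


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def char_string(s: bytes) -> bytes:
    return bytes([len(s)]) + s   # RFC 1035 <character-string>


def rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def answer(query: bytes, zone: Dict[str, Dict[int, List[bytes]]] = ZONE) -> bytes:
    qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]

    rrs: List[bytes] = []
    if qname not in zone:
        rcode = RCODE_NXDOMAIN
    elif qtype == TYPE_ANY:
        # RFC 8482 section 4.2: rather than enumerating every RRset at the
        # name, answer ANY with one synthesised HINFO, CPU="RFC8482", OS="".
        # The TTL is the operator's choice (constructed value here).
        rcode = RCODE_NOERROR
        hinfo = char_string(b"RFC8482") + char_string(b"")
        rrs.append(rr(qname, TYPE_HINFO, 3600, hinfo))
    else:
        rcode = RCODE_NOERROR
        rrs = [rr(qname, qtype, 300, rd) for rd in zone[qname].get(qtype, [])]

    # QR=1, AA=1, copy RD from the query, RCODE in the low nibble.
    rflags = 0x8400 | (flags & 0x0100) | rcode
    header = struct.pack("!HHHHHH", qid, rflags, 1, len(rrs), 0, 0)
    return header + question + b"".join(rrs)


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, bytes]]]:
    """Returns (rcode, [(owner, rtype, rdata), ...]) for the answer section."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    _qname, off = decode_name(msg, 12)
    off += 4                              # skip QTYPE/QCLASS
    out = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        out.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x0F, out


if __name__ == "__main__":
    for qt in (TYPE_A, TYPE_ANY):
        print(qt, parse_response(answer(build_query("example.com.", qt))))
    print(parse_response(answer(build_query("nope.example.com.", TYPE_ANY))))
```

The ANY branch never touches the zone's record sets at all, which is the operational point: the response size no longer depends on how many RRsets live at the name, so ANY stops being useful as an amplification vector or as a way to force a backend to assemble every record it holds.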

~~~
fapjacks
What you've done here is demonstrate why Cloudflare cannot be trusted: You do
not get to decide for the rest of the internet which use cases are valid and
which are "bonkers" -- you probably just thought to yourself "Oh, but I did".
This is a pattern of behavior at Cloudflare (cf. Cloudflare CEO waking up one
morning to remove a domain from the internet because he didn't like the
contents -- which is a polite way of saying he caved to the Twitter mob). You
and Cloudflare made a business decision that supporting the DNS standard was
too costly, despite DNS being a core offering of Cloudflare. You appear to be
saying that you personally made a value judgment about someone else's use
case, used that as an argument to drop support for the standard, then pushed
draft changes so that Cloudflare could retroactively claim to support the
standard.

You have forced changes in the DNS standard based on your own personal value
judgment, and Cloudflare was duplicitous in its support of this relative moral
position. I could not have made the argument against trusting Cloudflare
better, myself.

~~~
majke
> You and Cloudflare made a business decision that supporting the DNS standard
> was too costly,

No, I made a decision that it was time to fix an obscure feature that was
impossible to use correctly, and caused real damage to the internet - see
Firefox ANY saga.

Fun fact. We kept on supporting ANY until the RFC was ratified.

> You have forced changes in the DNS standard based on your own personal value
> judgment

No, we worked on the standard in the working group. I'm not the one assigning
RFC numbers. This is a process.

