What is the alternative though; we had a millions of requests from 100000s of IPs from all continents a few months ago; literally the only thing that got our site back up was bot fight from cloudflare. How do you do this another way?
Personally, I have no problem with CloudFlare or their verification and protection products. But something's broken if it works in Chrome but not in Firefox (and I'm not doing anything special in Firefox).
So, if somebody so wishes to take down a website they dislike, we should just put up with it? If a state actor DDoSes a journal documenting war crimes, we just ask them nicely to stop?
that's absolutely not what i'm saying. if somebody wishes to take down a website they dislike, we (as website operators) should block their bot traffic. and we should use whatever reasonable methods we have to detect what traffic comes from bots and what traffic doesn't come from bots. that includes putting cloudflare in front of our sites.
and when some legitimate users really, really look like bot traffic because they circumvent whatever methods we use to determine whether traffic is coming from real people, they might sometimes get blocked along with the bots. they're going to complain about that, and the only thing we can do is listen to their complaints.
That only works for you while you're not involved in the second group. We get to complain and make noise and push on both websites and CF, so that the "non-bot" user group doesn't become "latest chrome user on latest windows in the approved country running proprietary CF extention for id verification" one day in the future when it's an easier solution than dealing with the actual issue.
sure, you get to complain. but what you don't get is for your complaints to change anything. unless you have a solution for thia? because that would be great.
Sure. Solution 1: CF starts interacting with the reports of them blocking users and actually fixing those issues. If they can't achieve that, they can relax the rules and refund their customers for failing to provide the advertised service.
It's not a hard concept. Unless you think you're too big to care, you fix issues you cause. (If you are too big to care, I hope the laws regulating anticompetitive behaviours hit you)
Solution 2: Everyone in engineering and management at CF can access internet only while marked as the same level of trust as the lowest one currently assigned to cgnat-s and tor exits. No exceptions, but they can contact support like any external user.
Maybe it could get solved by paying a couple of cents to the website administrator, in the form of cryptocurrency, and in exchange you get a few dozens of requests that the website agrees to reply to.
You don't need additional tracking, every user has a unique IP address. What is missing is a protocol that allows to reject traffic from specific IPs. Imagine if someone with IP address 1.1.1.1 sends 100 Gbit traffic to your host; your provider doesn't want to pay for this traffic so they nullroute you to stop the attack. If there was a protocol, you could simply block all those Gigabits on the upstream provider and if it doesn't comply with protocol then it has to cover all your losses. Then Cloudflare would become unnecessary.
Whenever we get a flood of unwanted traffic dumped on us, it's coming from thousands of different IPs. They hijack everyone's old IoT trash and un-updated printers and wifi routers and Android 3.1 phones and use those to blast traffic. If it were coming from one IP address nobody would be bothered by it, it would be easily solved with rate-limiting rules on the firewall.
Unless you are a small one-man company it is easy to find those IPs. The problem is how to block them because their traffic can use all your upstream bandwidth and blocking them on your host doesn't change anything.
> If it were coming from one IP address nobody would be bothered by it, it would be easily solved with rate-limiting rules on the firewall.
DDOS works by sending more traffic than your upstream bandwidth can carry (e.g. you have 100 Gbit link and they send 40 Tbit of UDP packets to you). Firewall won't help here. The protocol I am talking in a comment above would solve the problem by blocking this traffic close to its source.
I think there are potential alternatives that could evolve.
My preferred solution would be domain validated identities with long lived, global reputation alongside some type of attestation. For example, if I have a GitHub account with 'example.com' as a verified domain, GitHub could attest 'example.com seems to be a real user or organization that behaves well'. It would be similar to the web of trust concept in GPG, but technology is to the point where it could actually be built in a way that makes it usable. Money that you're spending, or the way you interact in well known communities, could have the side effect of bolstering your reputation everywhere.
My most feared solution would be a similar system of attestation, but using Passkey since it would solidify the role of the current big tech companies as the arbiters of everything online. For example:
You look like a bot. How do you want to prove you're human?
Microsoft
Google
Apple
Facebook
Those companies, as Passkey providers, would, for all intents and purposes, be your 'anchor identity' online and they'd be in a good position to attest to you behaving like a normal, non nefarious participant.
I think Apple would be the company that could sell that kind of change to normal users. It could be done in a way that's anonymous because all you really need is an attestation that says 'Apple certifies this user is in good standing'. Apple is very good at selling those kinds of changes as being privacy focused and I think their user base would go for it if it were framed as 'good people' (aka Apple device owners) getting a superior experience that isn't available to the 'bad people' (aka bots, bad actors, and outliers).
If it worked, Google would follow with Android. Anyone else large enough for their opinion of you to count (Microsoft, Facebook, etc.) could probably compete, but it doesn't work for startups or small, less known providers.
In my opinion, as soon as authentication moves to something like domains or digital signatures where 3rd party attestations become simple, we could see a lot of new ideas that focus on reputation and related solutions / services.
But I don't want any of those companies knowing which websites I visit. I only do business with one of them, and even then, they have no need to know what I'm doing outside of interacting with their sites. These companies have enough power already. Leaving it to them to decide whether you're trustworthy or not is just as dystopian as what's happening now. You've just moved the problem from Cloudflare to one of those companies. Plus, if they suddenly decide your account is invalid for some arbitrary reason that you aren't allowed to know, now you're completely fucked.
