
I’m really mixed on this. Anti-bot stuff is increasingly a pain point for security research. Working in this space, I have to work against these systems.

Threat actors use Cloudflare and other services to gate their payloads. That’s a problem for our customers who are trying to find/detect things like brand impersonation and credential phish. Cloudflare has been completely unhelpful. They just don’t care.




Seconding this. Evading detection has become a real cakewalk since threat actors are able to sign up for a free Cloudflare account and then put their phishing site on their 2-hour-old domain behind a level of protection backed by a $20B company. Funny that you almost never see phishing on Akamai ;)

Disclaimer: We operate in this space so we obviously have an interest in being able to detect these threats going forward.


Other than being the cheapest & easiest to use, is Cloudflare doing a particular evil here?

As a webmaster I don’t want non-user traffic except search engines. It’s a waste of money and often entails security, privacy and commercial risk.

Without Cloudflare I’d achieve only slightly less effective results using an AWS WAF, another CDN, or hand rolling solutions out of ipinfo etc.


Excuse my bias, as I work for IPinfo. Rolling your own bot detection service is something you should explore if you want near-absolute coverage.

We intentionally do not provide an IP reputation service as many sophisticated bots mimic the "good reputational" aspect of IP addresses. Usage of residential connections or essentially being vetted by CDN/cloud services makes bot detection ambiguous.

That is why we provide accurate IP metadata information. Whenever you detect patterns of bot-like behavior, look up the metadata such as privacy service usage, ASN, or assigned company, and then start blocking them via the firewall.
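The two-step approach this comment describes, flagging on behaviour first and only then consulting IP metadata (ASN, assigned company, privacy-service usage) before writing firewall rules, as an added Python example that is not from the comment author or IPinfo; the log records, the metadata table and the nftables set name are constructed assumptions.

```python
from collections import Counter
# Constructed access-log records for one 60-second window: (client_ip, path).
SAMPLE_LOG = (
    [("198.51.100.7", "/login")] * 40                    # hammering the login form
    + [("203.0.113.9", f"/p/{i}") for i in range(30)]    # crawling 30 distinct pages
    + [("192.0.2.99", f"/p/{i}") for i in range(25)]     # same, from a residential line
    + [("192.0.2.44", "/"), ("192.0.2.44", "/about")]    # ordinary visitor
)
# Constructed metadata keyed by IP, shaped after the fields the comment names
# (privacy-service usage, ASN, assigned company). Hypothetical values only.
IP_METADATA = {
    "198.51.100.7": {"asn": "AS64500", "company": "Example Hosting Ltd",
                     "privacy": {"hosting": True, "vpn": False, "proxy": False}},
    "203.0.113.9":  {"asn": "AS64501", "company": "Example Residential ISP",
                     "privacy": {"hosting": False, "vpn": True, "proxy": False}},
    "192.0.2.99":   {"asn": "AS64501", "company": "Example Residential ISP",
                     "privacy": {"hosting": False, "vpn": False, "proxy": False}},
}

def bot_like_ips(log, max_requests=20, max_distinct_paths=15):
    """Step 1, behaviour only: flag IPs whose request volume or path spread in
    the window is well beyond a human browsing session."""
    hits = Counter(ip for ip, _ in log)
    paths = {}
    for ip, path in log:
        paths.setdefault(ip, set()).add(path)
    return sorted(ip for ip in hits
                  if hits[ip] > max_requests or len(paths[ip]) > max_distinct_paths)

def triage(flagged, metadata):
    """Step 2, metadata lookup: hosting/VPN/proxy sources are not end users of a
    public site, so they go to the firewall; residential sources get a challenge
    instead of a hard block, since a real person may share that address."""
    decisions = {}
    for ip in flagged:
        meta = metadata.get(ip)
        if meta is None:                       # lookup failed: do not block blind
            decisions[ip] = ("challenge", "no metadata")
            continue
        flags = [k for k, v in meta["privacy"].items() if v]
        origin = f'{meta["asn"]} {meta["company"]}'
        decisions[ip] = (("block", f"{origin}: {','.join(flags)}") if flags
                         else ("challenge", f"{origin}: residential"))
    return decisions

def firewall_rules(decisions):
    """Render nft commands for the blocked IPs; the set name is an assumption."""
    return [f"add element inet filter blocklist {{ {ip} }}  # {why}"
            for ip, (action, why) in sorted(decisions.items()) if action == "block"]
```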


They could police their content. Or if they don’t want to, they could meaningfully partner with the security industry - create a “security bots” program, respond to takedown requests in days not months, etc.


I suppose that Cloudflare scanning payloads for known malware could potentially be effective if they could make the performance work.

Closed partnership programs are a bit concerning though. Once they’re up and running there’s an enormous economic incentive for CF to squeeze members with fees that capture the economic upside.


Cloudflare is the ultimate example of creating the problem and selling the solution.


I was under the (naive?) impression that Cloudflare was a SaaS startup poster child. Do you mind expanding on your comment?


Among other things, Cloudflare hosts DoS services while selling DoS protection.


Can you please elaborate with some examples?


I think you can get a bot allowed by all of Cloudflare at https://docs.google.com/forms/d/e/1FAIpQLSdqYNuULEypMnp4i5pR.... The blog post I read didn't make it clear if it would apply to all of Cloudflare or just customer sites though.


You can. Sort of. The good bots list is basically driven by a fixed user agent. And customers can set their preference to not allow “good bots”.

Not so good for security work.

It’s similar to their abuse reporting. They give your info to the site owner. Gee thanks, that’s just what I want to do.


Why not Akamai?


Cost.


I feel like we'll eventually arrive at some kind of micro-payment mechanism to solve this issue.
