> For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"
If this is their core argument for not using a CDN, then this post sounds like terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives a DDoS, your host will take down your server. Nobody wants to be in this situation, even for a personal, small blog.
If you added up all the outage time caused by DDOS and all the outage time caused by being behind auxiliary services that have their own outages... I wonder which would be larger?
I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?
> I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?
Have you experienced a targeted DDoS attack on your personal site? I have. I too had this attitude like yours when I didn't know how nasty targeted DDoS attacks can get.
If you're not too worried about someone DDoSing your personal site, or about your host taking your website down and you then having to run circles around their support staff to bring the website back up again, then I guess you don't have a problem. It's nice that you don't care. (Honestly speaking. Not being sarcastic at all.)
Personally, I wouldn't mind DDoS on my personal site if the problem was just the DDoS. Unfortunately, mostly it isn't. A DDoS has other repercussions which I don't want to deal with exactly because it's a personal site. I just don't want to spend time with customer support staff to find out if and when I can bring my website back up again. DDoS on my personal website by itself isn't all that bad for me. But having to deal with the fallout is a pain in the neck.
Yeah I suppose by "doesn't work" I should clarify that maybe it is doing something and preventing some attacks, and that it doesn't take down my server. With that being said, it has certainly failed to mitigate attacks on numerous occasions that cf would've.
I'm less scared of the hoster pulling down your site - not the end of the world - than of them deciding to charge you bandwidth fees for all the DDoS attacks. The former presumably has no financial impact; the latter, potentially brutal.
Off-topic, but there are six different people using the word "hoster" in this thread. I've never heard that word used instead of "host" or "hosting service" before, and yet here it's somehow prevalent. I feel like I'm having a stroke, or I just stepped into an alternate universe. Where did you all pick up that word?
No, in the cases 'throwaway150 and I are talking about, your site is not back up. You (hopefully) got an email in your inbox saying your hosting provider has decided to take your website offline because of anomalous traffic or whatever, and after the attack ends you’ve got at least a couple of days of back and forth with support ahead of you before your downtime is actually over.
So until daddy's credit card runs out, plus two days. A shame, but it still doesn't cause meaningful harm.
Or get a different provider. Some are faster to respond. I had a false positive DDoS detection from netcup once (I was scraping an FTP site in active mode) and they automatically routed my IP through a DDoS scrubbing service, and automatically stopped that when an attack was no longer detected. I don't know what they have set up to be able to reroute a single IP globally like that - they agreed with some of their upstreams, to allow the occasional /32 for DDoS protection purposes.
This is too naive, sorry. Hetzner will disconnect you (and ban you if the DDoS goes on too long), same as OVH. It works mostly for brutal UDP flooding, but sophisticated attacks such as a swarm of Puppeteers hosted on infected machines by the millions will not be protected against; those "new DDoS modes" are offered by most DDoS providers.
Likely true, but now you can go back to the original statement: the issue isn't really that the service isn't available for a while... It's that the hoster will remove your server.
Your server will keep existing if Cloudflare just drops their free service, effectively going down for the DDoSers but still available for your own access directly.
Except that Cloudflare is geared towards DDoS protection - i.e. you can monitor, get alerts, turn on temporary protection, etc. It can do this because that's its main business. It's not possible to have the same expectations from infra providers like Hetzner.
Citation needed. I know folks using the free plan that have gotten DDoS'd and Cloudflare kept them online. Can you point me to an article where Cloudflare disconnected someone for getting attacked?
Handled hundreds of dedicated servers for different projects over the last 20 years. Yes, OVH literally does ban accounts, and Hetzner nullroutes your service at first if it's an elaborate attack.
You keep saying stuff like "the fallout" and "the repercussions" but then the only example you can provide is talking to customer service to bring your stuff back online. Is that it? Honestly speaking, not being sarcastic at all.
So the internet is a series of pipes, or tubes, whatever. This quintessential personal blog website is hosted somewhere in this interconnected mess of things. There’s a hierarchy of these pipes/tubes, and they all have some ever-diminishing capacity as they head from a mythical center to the personal blog website.
When the bad guys want to DDoS the personal blog website they don’t go and figure out the correct amount they need to send to fill up that pipe/tube that directly connects the personal blog website, they just throw roughly one metric fton at it. This causes the pipes/tubes before the personal blog website to fill up too, and has the effect of disrupting all the other pipes/tubes downstream.
The result is your hosting provider is pissed because their infrastructure just got pummeled, or if you’re hosting that on your home/business ISP they also are pissed. In both cases they probably want to fire you now.
This is incorrect. Any decent host/ISP will instead (automatically, sometimes) emit a blackhole request for the given target IP address to their upstreams, causing the traffic to be filtered there (at the 'larger pipe'). In turn, these upstreams can also pass on the same blackhole request further up if necessary. This means the target is down from the point of view of the Internet, but there is no collateral damage.
Interesting, I didn't realise blackholes were special-cased to allow BGP announcements of /32 instead of the usual /24 or larger. I'd just assumed (like the GP) that the traffic ended up on the target's closest network to the source and only then was it filtered.
Did they put it back up when the DDoS ended? If so, they're not hurting you since it's no worse than the DDoS itself, and they're actually helping you by preventing themselves from having a reason to ban you to save the rest of their sites.
This is mostly scaremongering, not all hosting providers take your site down just because someone you pissed off decided to DDoS you.
In Russia (I have nothing against Russia - I just know this info about “Дождь ТВ”), some news websites have been targeted by state-backed DDoS attacks, but I highly doubt most people are in this category.
How? Isn’t it more like the difference between carrying an umbrella every day and ducking into the corner shop to buy one when you notice it’s raining?
That's a good analogy since the corner shop is going to be sold out of their small stock of umbrellas during the rain storm so you won't be able to buy one until the rainstorm is over but at least you'll have protection for the next storm. If staying dry is important to you, you should buy the umbrella before the rain.
That continues the analogy -- it doesn't rain often in the desert, but almost all deserts receive rain. And since it rains so rarely, you're certainly not going to find an umbrella during the rainstorm.
So again, if staying dry in the rain is important to you, buy an umbrella before the rain, if you don't care about getting wet from time to time, then no need for the umbrella.
While the personal blog owner may not care about DDoS related downtime, he may face extra usage charges due to higher bandwidth, CPU usage, etc that he'd like to avoid.
Depends on the distribution of accidents and the distribution of costs. If P(ddos) * Cost(ddos) < P(no ddos) * P(cloudflare outage) * Cost(cloudflare outage) then you would be better off not using Cloudflare.
This is not considering other issues with Cloudflare, like them MITMing the entire internet and effectively being an unregulated internet gatekeeper.
My site being down for a couple days is not an unacceptably large loss, unlike an uninsured car being wrecked.
It also isn't a good analogy because insurance doesn't apply retroactively to wrecks that happened before start of term, and is event-based rather than providing continuous value.
I thought that's why it's a good analogy - DDoS protection doesn't apply retroactively to prior attacks (or even current attacks, it's hard to apply DDoS protection while your site is down due to DDoS). If you want protection from DDoS, you need it before the DDoS. If you want to insure your car in case of accident, you need to insure it before the accident.
Sounds reasonable if the car insurance could magically and near instantly fix your car, undo all the property damage and no one could get injured.
Insurance for physical things is different from insurance for services; they don't map as an analogy. A better one would be: because you buy a new car every hour, it's like buying insurance for every car after someone steals your 700th car. That prevents your car from getting stolen.
No, it's like saying you should buy a new battery after your battery dies. Yeah, it's nice to have a spare battery around, I guess, but it's not like your battery dying will significantly ruin your finances.
It's more like buying the plug-in version after the battery dies...
You already experienced the downtime, so if not having downtime was a goal you already failed. If avoiding downtime is not important then there's no reason to add anti-downtime capability to your system. The most charitable modeling of this approach is that the downtime incident may prompt one to realize that avoiding downtime actually is an important property for their system to possess.
The actual charitable model is that you expect close to zero attacks, but if you actually get hit your expected rate of future attacks goes up by an order of magnitude or two. And it's that change in expectations that gets you to buy protection.
You don't care about going down once, you do care about frequent outages. And you know this from the start, you don't realize it later.
That's like saying my personal blog going down is as impactful to my health and finances as getting into an automobile accident.
Assume a "personal" blog or site is not making money for the owner, and they have backups of the site to restore if the VM gets wiped or defaced. Why spend money on DDoS protection if it is unlikely to ever occur, much less affect someone monetarily?
Depending on the host, you may get charged a big bill for traffic. If you're hosting at home, your ISP may blackhole all traffic to your residence (affecting your day job and being a nightmare). When it comes to DDoS, most providers are quick to blackhole, and slow to unfreeze, without getting the run around.
In the cloud you should be able to turnkey this quite easily. I think in a DC this can be a bit more tricky, because you will still be getting traffic from the DoS to your network interface after you have flipped the switch to Cloudflare. This traffic will cause both you and your provider a problem. But I think the idea is you would have two sets of IPs, one for the normal public hosting and one for the Cloudflare proxy; then when you come under DoS attack you have a process in place for BGP to stop advertising the normal public hosting IPs and you switch to Cloudflare. I presume if BGP stops advertising the IPs then eventually you will stop getting the DoS traffic.
> When you become under DOS attack you have a process in place for BGP to stop advertising the normal public hosting IPs and you switch to cloudflare.
You think people hosting personal sites are going to even have the access to manage their IPs with BGP? It's not something I've seen offered at that scale / pricing.
This strategy requires you to be "on-call" for personal stuff. Honestly, I don't want to spend more time on pet projects than I already do. Or cutting some of it away on support instead of spending more on things I would actually be interested in.
And resulting downtime might be even bigger than that with cloudflare.
> then your host taking your website down and then you having to run circles around their support staff to bring back the website up again
These are very different situations. With a DDoS the disruption ends when the attack ends, and your site should become available without any intervention. Your host taking down your site is a whole different matter, you have to take action to have this fixed, waiting around won't cut it.
It is obvious those two are very different situations. I'm not sure I understand your point. Yeah, nobody will be bothered by a short 15 minute DDoS attack. I prolly wouldn't even notice it unless I'm actively checking the logs. Sure, nobody is going to be bothered by that. But what if someone's DDoSing persistently with a purpose? Maybe they're just pissed at you.
My point is... a sustained DDoS attack will just make your host drop you. So one situation directly leads to another and you are forced to deal with both situations, like it or not.
I'm pretty sure in every webhost terms of service I've ever read they leave language in to kick you out if you are degrading the service for others. Turns out a prolonged DDoS attack is degrading the service for others. The bigger cloud providers are drastically less likely to drop you but now you're paying a premium on hosting.
> It is obvious those two are very different situations. I'm not sure I understand the point.
Your host taking down the site and forgetting to bring it back up after a DDoS attack isn't a common thing with any host, unless it's the kind that does this routinely even without a DDoS. And then you should look long and hard at your choice of hosting.
Either you suffer from a DDoS attack and come back when it's over, or you have a host that occasionally brings your site down and fails to bring it up until you chase them. But one does not follow the other without a lot of twisting.
How does taking the site down stop the DDOS attack?
Isn't the host network still being bombarded by garbage packets, even if there isn't anything there listening?
Or is routing the destination IP to /dev/null enough to blunt the attack?
I know there are different kinds of attacks (e.g. some that are content based, impacting the individual server), but I thought most of them were just "legit" requests storming through the door that the server can't keep up with.
Having the site taken down after the fact, as a "risk to infrastructure" that the host can't afford, that's a different issue.
Forgiveness not necessary, these are good questions.
Internet packets have to travel through many routers between the source of the attack and the server they're attacking. At each step the routers usually get smaller. The smaller routers are less able to withstand the amount of traffic destined for one server, which means they can't route traffic to all the other servers that are not under attack. A common strategy is to drop the traffic at a much farther away router, thus protecting the smaller routers, thus protecting all the other servers.
The host Network would definitely still be affected by the DDOS, which is why the strategy is often to "blackhole" the traffic farther away from the individual server racks.
I see people say "route traffic to /dev/null" all the time, but I personally try to reserve that for the individual servers or the nearest router, just to avoid your exact confusion.
Depending on how well designed any specific network is, the "hug of death" which has taken down many sites would also degrade the performance of the peers next to that server. Which is why many ISPs are quick to block the traffic farther away. To protect not you but their other customers.
To be fair (pedantic), if it's part of a DDoS, it's not a legit request. Depending on the capabilities of the attackers, they will either choose obviously invalid requests because those take longer to process, or exclusively valid requests which take longer to process. It is generally speaking much easier to send valid, well-formed requests because that's what most libraries exist to do. You're often writing custom code if you want to send an invalid request, because that is a bug in other cases.
A good example of an invalid request is setting up TLS, transmitting a partial packet and then closing the connection (or leaving the TCP connection open). This one can be particularly expensive and much harder to detect.
> How does taking the site down stop the DDOS attack?
When people say "take the site down", in this context, they often mean one of two things: either changing the DNS configuration to point to a different IP address (or none at all), or "null routing" traffic to the under-attack IP at an edge router, edge in this case meaning their upstream ISP or other network peer (farther from the victim server). I object to both uses because the specificity is important. When I say "take down the server", I almost always mean quit [nginx] or power off the box.
It sounds like OP is describing a situation where someone persistently DDOS's them as long as it works. In which case DDOS time trivially dominates cloudflare outage time. Note that OP is posting, even now, from an anon account.
Oh sorry, not you. The OP in the chat thread, they were DDOS'ed by someone and are commenting anonymously. Maybe grandparent is the correct word for it, in any event this is the comment I was referring to when I said OP, not your article: https://news.ycombinator.com/item?id=45966683
For our SaaS, the uptime probably isn't much different but the cost definitely is. If any of your stack has usage based billing, things can get very expensive quickly.
The downtime caused by DDoS. It's now an endemic problem in the modern internet. Even relatively tiny communities suffer from it, because it's so damn easy to do.
It's like insurance. If you add up everyone's medical expenses, it's less than we all pay for insurance. But if you're the one getting hit, it matters a lot.
I mean I'm not worried about it either, but I've been on the internet long enough that I know some of the people I used to know will probably do it just to do it. Gamers can be quite toxic.
My blog was constantly going down for unknown reasons, with nothing obvious in the logs. I migrated it to CloudFlare and was able to track down the root-cause of the issue.
I also blocked all the AI crawlers after moving to CloudFlare and have stopped a huge amount of traffic theft with it.
My website is definitely much more stable, and loads insanely faster, since moving to CloudFlare.
I don't give a penny to CloudFlare to be clear, and I would definitely not pay for those services for my blog.
Just because it's not a criticism doesn't make it a sponsored post.
I happen to have multiple sites that use the same technology (WordPress, with the same few plugins and the same theme) running on the same server, with one behind CloudFlare and one not. Left value is with CloudFlare, right is without:
- First Contentful Paint: 0.4s - 0.7s
- Largest Contentful Paint: 0.8s - 0.9s
- Total Blocking Time: 0 ms - 0 ms
- Cumulative Layout Shift: 0 - 0
- Speed Index: 0.4s - 8.9s
The difference is quite staggering, and I'm located pretty close to my server (a Hetzner VPS), I can't imagine the difference for someone that lives across the world.
There's no CF magic here. If you're improving from 0.4s to 8.9s that means you're not doing basic caching on your side and you could achieve this in your local nginx/whatever as well. The 0.3s saving on first paint is nice, but could be achieved with putting your assets in any kind of distributed provider, not just CF.
I never said the contrary, but there's a lot of "basic" things you need to setup on your own and that CloudFlare (or any equivalent) does out of the box: caching, SSL certificate, basic analytics, filtering bots, etc.
Add all this together and you have an extremely not basic setup at all anymore.
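The "basic" server-side pieces that the comments above argue about (caching and crawler filtering done in your own nginx rather than at a CDN), plus the slow or partial-request problem described earlier in the thread, as an added example that is not from any commenter. It is an excerpt from the `http {}` context of an nginx configuration for a self-hosted blog; the backend address, cache path, hostname, certificate paths and crawler names are hypothetical placeholders.

```nginx
# Added example, not from the thread. All names below are hypothetical.

upstream blog_backend {
    server 127.0.0.1:8080;          # e.g. WordPress/PHP-FPM behind nginx
}

# Microcache. Even 10 s of caching collapses a burst of identical requests
# (front page of HN, a crude HTTP flood) into one backend hit per URL.
proxy_cache_path /var/cache/nginx/blog levels=1:2 keys_zone=blog:10m
                 max_size=500m inactive=10m use_temp_path=off;

# Per-client limits keyed on the packed client address.
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

# Crude crawler filter on User-Agent. The token list is illustrative:
# self-identifying crawlers are easy to match, anything spoofing a
# browser is not, and this filter does nothing against those.
map $http_user_agent $unwanted_bot {
    default                        0;
    ""                             1;   # no UA at all is never a real browser
    ~*(GPTBot|CCBot|Bytespider)    1;
}

# Logged-in WordPress users carry a wordpress_logged_in_<hash> cookie;
# never serve them the anonymous page, and never cache their responses.
map $http_cookie $skip_cache {
    default                 0;
    ~*wordpress_logged_in_  1;
}

server {
    listen 443 ssl;
    server_name blog.example;
    ssl_certificate     /etc/letsencrypt/live/blog.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.example/privkey.pem;

    # Slow/partial-request defence: a client that opens a connection and
    # dribbles or never finishes its headers or body is cut off instead
    # of occupying a connection slot until the attacker gets bored.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    client_max_body_size  1m;

    limit_conn perip_conn 20;
    limit_req  zone=perip_req burst=20 nodelay;
    limit_conn_status 429;
    limit_req_status  429;

    if ($unwanted_bot) {
        return 403;
    }

    location / {
        proxy_pass http://blog_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_cache        blog;
        proxy_cache_key    $scheme$host$request_uri;
        proxy_cache_valid  200 301 302 10s;
        proxy_cache_valid  404 1m;
        proxy_cache_bypass $skip_cache;
        proxy_no_cache     $skip_cache;

        # One request refreshes an expired entry while everyone else gets
        # the stale copy; the backend sees a trickle even under load.
        proxy_cache_lock              on;
        proxy_cache_background_update on;
        proxy_cache_use_stale         error timeout updating http_500 http_502 http_503;

        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

Two caveats a practitioner will want. None of this helps once the flood is large enough to fill the pipe in front of the box; that is exactly the case where the host blackholes the address upstream, as discussed earlier in the thread, and only a network with more capacity than the attack can absorb it. What it does do is make the cheap application-layer attacks (request floods, slow clients, crawler swarms) cost you almost nothing in backend CPU or connection slots. And if you later do put a proxy in front of this server, the `limit_*` zones must be rekeyed on the real client address (via `real_ip_header` from the proxy's address ranges), otherwise every visitor shares the proxy's IP and the limits bite the wrong people.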
I'm quite sure something else is going on here. Adding another hop generally shouldn't improve performance, especially if you are close by to the server.
What are the response times of requests between CF and accessing them directly?
> Sure, but your post reads like an infomercial, hence the snark.
Re-reading it you're right, but ultimately the last sentence aims at directly answering this question from the parent:
> If you added up all the outage time caused by DDOS and all the outage time caused by being behind auxiliary services that have their own outages... I wonder which would be larger?
The tides are turning against CF it seems.. they used to have a lot of HN support, but lately every thread about them is just a mess of MITM accusations and "too much of the internet is behind them".
> Nobody wants to be in this situation even if for a personal, small blog.
I would gladly be in this situation if it otherwise lets me remove a large source of complexity, avoid paying a few bucks, and avoid increasing the avoidable centralization of the Internet on my personal, small blog.
Maybe I'd change my mind if it continues happening, or if I didn't have unlimited traffic (which is a very bad idea for many reasons other than DDoSes for personal sites), but otherwise, enabling Cloudflare for a hypothetical without consequences seems like pretty extreme premature optimization.
What's the actual cost to me of my blog being offline for a few hours? Basically nothing. Certainly less than the couple of bucks someone might spend on a DDoS service
Usually when a small blog goes down it's not a DDoS, it's that a post has gone viral (e.g. hits the front page of HN), and it going down can absolutely cost a lot (depending on the goal of the blog)
Do you think a world where all the commercial websites are centralized, but personal blogs are not, is that different than a world where blogs are also centralized?
What is the benefit to having small blogs be decentralized?
> If everything is centralized then nobody can discuss topics that have been decided to be off limits by the moderation teams at a few large companies.
Nice, you root caused it too. I couldn't agree more.
If cloudflare decides they don’t want to be your CDN, you could just move off of cloudflare, and be in the same situation you would be in if you never used them. You aren’t locked in.
I am suggesting you host your website on your own server somewhere, and then you put it behind cloudflare. You still have your own host, just the same as you would without cloudflare. You are still providing your non-cloudflare host with the same revenue you would if you didn't use cloudflare, so I am not sure how that would hurt the ecosystem.
The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
> I am suggesting you host your website on your own server somewhere, and then you put it behind cloudflare
I'd rather advocate for a solution that doesn't induce centralization. Because that still does. It's a weird suggestion to pay twice. I'm assuming in your hypothetical, Cloudflare not only doesn't ever go down, but also absorbs only malicious traffic, and not any organic? Why should Cloudflare do that and not my primary host? I'll assume I have XX to spend on hosting; you don't see how, if I have to also allocate some of that to Cloudflare in addition to the real host, that might limit what the real host can charge? If the real host can't charge enough to fund R&D on services like basic DDoS or other traffic shaping, wouldn't that mean I've then become dependent on Cloudflare? And now hey, Cloudflare has other services, and I don't like the extra overhead of paying multiple services... I'll just move everything to Cloudflare because they're bigger and do both... and now the small host is gone.
sigh
> The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
I'm comparing Cloudflare to any species that enters an existing system that has developed a natural ecological balance that includes diversity. Which then proceeds to grow for the sake of growth, consuming resources at an unsustainable rate; destroying the diversity that previously existed.
Destroying that diversity is bad because that diversity is what gives the system as a whole resistance to catastrophic events.
Like huge parts of the Internet going down because someone wanted to ship their project before the holidays, in time for their perf review.
The argument being: we should view Cloudflare's growth, and consumption and takeover of the resources of the Internet as a whole, similar to the way we view other invasive species. It destroys the good parts of an existing system in a way that is almost impossible to recover from. Resulting in a much more fragile system. One that's now vulnerable to single events that take down "everything". A healthy system would be able to absorb such an event without destabilizing the whole thing.
The invasive species is Cloudflare, and it's consuming and replacing large existing sections of the Internet; which gains much of its strength and resilience from it being distributed amongst its peers.
> I'd rather advocate for a solution that doesn't induce centralization. Because that still does. It's a weird suggestion to pay twice. I'm assuming in your hypothetical, cloudflare not only doesn't ever go down, but also absorbs only malicious traffic, and not any organic? Why should cloudflare do that and not my primary host? I'll assume I have XX to spend on hosting, you don't see how if I have to also allocate some of that to cloudflare, in addition to the real host
You don't have to pay cloudflare anything at all for them to act as CDN and provide basic DDoS protections.
> You don't have to pay cloudflare anything at all for them to act as CDN and provide basic DDoS protections.
I object to centralization and consolidation of power, how is this not both?
I'll duplicate my follow up question, from a sister thread.
If I actually start using the DDoS protection or other services... will cloudflare cut me off unless I pay? Will that charge be exorbitant? Does that behavior feel like extortion? Have they done that before?
And thus, the lemmings walk straight off the cliff.
There seem to be two views. One forward looking and one not. The forward looking view appropriately recognizes the threat of centralization. Centralization crushes small businesses (and small blogs), leads to censorship (see YouTube et al.), and destroys competition. No one on the planet can compete with Cloudflare pound for pound, and thus if they decide your site is bad based on $CURRENT_ZEITGEIST you're SOL. You may as well not exist. We already have plenty of evidence from 2016 to now of this occurring via a large conspiracy between big tech and government.
The non-forward looking view naively closes their eyes and says "well we aren't there yet so what does it matter". This is how rights erode. It is a shame people with this view are allowed to vote and breed.
I'm amazed at the responses saying something like, "It's great because when you go down, you can point to the BBC and say, it's not our fault, everyone is down." That should be the clue that this gives them enormous power. It's also bad for overall resilience. Better that businesses go offline more often in an uncorrelated manner, than go offline less frequently but simultaneously. I guess it's great if all you care about is not catching blame.
Do I think people who want to do X should have some modicum of morals? Yes I do, but I can't fully blame them when ethics is not taught in most schools, least of all computer sciences.
First, let's stop perpetuating this destructive meme that running nginx on a VPS is rocket science, and fraught with peril; at least not on a forum of so-called hackers.
Many users not being able to access it simply because of their choice of OS or browser. I regularly can't access websites on my OpenBSD machines running Firefox with "strict" privacy settings, or "resist fingerprinting" enabled. CloudFlare has decided my browser is suspicious :) I can switch to another machine (or even just another browser with more permissive settings) and it lets me through.
Well, if you do that then human people like myself won't be able to load your blog behind Cloudflare for as long as it's behind Cloudflare. A much longer and more insidious denial of service targeted at those who Cloudflare doesn't think are profitable.
Increased downtime due to having an additional component in the loop, having my readers presented with captcha nonsense because the CDN doesn't like their IP address, potentially being taken offline because a giant corporation decides that it doesn't like the content I post or doesn't want to support my use case on their free tier anymore.
No it really doesn't. How are you the product when Cloudflare gives you free tier access? That's not their business model. You aren't the product, but you are an upsell lead for the sales team.
Sales teams don't pay for leads? If you keep me around, exclusively because the sales team wants to show me something... I'm the product.
Follow up question, if I actually start using the DDoS protection or other services... will cloudflare cut me off unless I pay? Will that charge be exorbitant? Does that behavior feel like extortion? Have they done that before?
If the Cloudflare free tier TOS allows them to sell your data then I would agree that "you are the product". IDK if it does, but I would put my money on no.
I have only used CF at the enterprise level so IDK if DDoS protection is free tier. Surprise billing like that is bad behavior, but it's not "you are the product" behavior.
Facebook also doesn't sell your data, but you're definitely still the product when they provide a free service in order to capture attention?
> [...] but it's not "you are the product" behavior.
Discarding the context for the thread, probably. But if we're discarding context, "you're removed when you start to consume resources" isn't you're the customer behavior either.
And if you pay for it, you're still the product. This false notion of Paying = Better is driven entirely by profit seeking companies who want you to pay them for access and then they want to get paid for showing you ads as well.
Oh sure - I mean, BMW heated seats, anyone? But even there you’re still not the product, you’re a captive audience that might put up with that kind of abuse because of the sunk cost fallacy and all that.
Add to that, once an attacker has your server's IP (because it wasn't behind a CDN in the first place), it's basically impossible to fend off the attack unless the attacker is not very bright, or you swap your server's IP.
Genuinely I don't understand how people post under their own name or connect their accounts to their real identities at all. I learned early that my opinion can piss people off (even though I think I'm pretty milquetoast to be honest), and there are people with enough time and hate to make their disagreement with you impact you personally.
I started using a pseudonym about the time my consulting site got taken down by a DDoS attack because I voiced an opinion about a presidential candidate whose name rhymes with Meorge Mush Munior. People are awful.
Well, the first profile I ever had was an Xbox account that was based on my real name, and I just carried that username onto everything else. So I just ended up having a username based on my real name everywhere. And I never bothered to restart my social life to get a new one.
I wish online discourse didn't feel like engaging with possible shills for corporations as it did during the 2000s, or maybe it didn't. Maybe we became too aware and critical, or maybe there is absolutely no honest discourse possible when commerce, political or even ideological agendas are involved. The best stance should be one that presents varied solutions to a common problem.
Meanwhile the maintainer of Bear Blog - very nearly the poster child for small blogs with 100 visitors per month - recently put up a post talking about how much extra infrastructure it takes to keep the service online in the face of the massive uptick in AI scraper bot traffic we've had over the past few years.
I haven't tried managing my own site in ages, but I get the impression that the modern Internet is pretty much just one big constant DDoS attack, punctuated by the occasional uptick in load when someone decides to do it on purpose instead of out of garden variety apathetic psychopathy.
My small personal blog with tens of readers a month gets thousands of hits a day from bots. The ROI there must be worthwhile for those bots, but not for me to self-host.
But, yeah, it's gotten way worse to the point where you can't even run legitimate services because sometimes you will be blocked just for not being a known entity. e.g. try running your own email server and sending mail to any major email provider.
Cloudflare does both but some providers do one or the other. You can use any CDN no matter if you use Cloudflare or not (shout-out to Bunny CDN btw, very happy with them - they do one thing and do it well)
Some do, and it depends on what layer the attacks are coming in on.
Low-level attacks most or all providers have some protection against (to protect their network itself) but that may include black holing your IP at the border routers.
Few offer higher level DDoS protection that isn't rewrapped cloud flare or competitor.
Thanks. Trying to understand the issue a bit better, if you can bear with me.
Let's say you manage to install some Cloudflare equivalent in your VPS so your hands are clean. That still exposes the provider systems up to that point, eating up resources?
Or they'll still knock you off and ban your IP at the first point of entry itself.
'Cos where that leads us is that subscribing to a Cloudflare-type service almost becomes inevitable. You can't get around it with some free software running in your own box.
A little niche 'cuz they're primarily a game server provider, but nuclearfallout is the most proactive provider I've seen to do this, on VPS or dedicated hardware. There have been many times they've worked with upstream bandwidth providers and automatically holed incoming DDoS, noticed packet loss and abnormal routing etc., before even reaching end user interfaces.
Been using them for decades and they've been incredible for this, at least for the US options (prem/internap).
> You think someone would DDoS you because you made a comment like this on HN?
Yes. Welcome to the internet! I don't just think someone would do this. I've seen these things happen. It just takes one person to be pissed off who has got nothing better to do and a few bucks to spare to buy DDoS as a service.
Here's your confusion: personal sites don't need a valid security strategy. They don't need nine nines uptime. They don't need CDN, and ability to deploy, etc, etc. That's all (and forgive the origins of the expression but it is the most accurate description) cargo culting. There's no issue if they're down for a couple days. Laugh it off.
Whereas if you put your site behind a defaults of a cloudflare denial of service wall then real human people won't be able to access your site for as long as you use cloudflare. That's much longer and many more actual humans blocked than any DDoS from some script kiddie. Cloudflare is the ultimate denial of service to everyone that doesn't use Chrome or some other corporate browser.
And forget about hosting feeds on your website if you're behind cloudflare. CF doesn't allow feed readers because they're not bleeding edge JS virtual machines.
> Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.
People come with that argument so often. But then one day I was completely done with something and I put out a rant on Reddit in my real name. Hundreds of people disagreed and told me "Why do you do that under your own name?! Are you crazy? This will lead to many problems."
Guess what. This was months ago and nothing happened. Nada. Zero. Null. I have many servers running and nothing was taken down. Maybe one day it will. If that happens then I'll find a fix. It will probably not be a nice day, but it is what it is. The world will keep spinning. I'm done giving in to the fear.
"I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me." -Frank Herbert, Dune
> Guess what. This was months ago and nothing happened. Nada. Zero. Null.
Just because it didn't happen to you does not mean that it doesn't happen to others. You can see a few anecdotes in this thread itself where people commented that they did get attacked for pissing people off. Like check this: https://news.ycombinator.com/item?id=45968219
> Hopes and prayers do not make a valid security strategy
It’s not “hopes and prayers” to actively decide a particular attack vector is unlikely enough that the costs and risks are not worth it.
My local cafes and bars do not employ bouncers, but the local concert venues and nightclubs do.
All these places want to keep out outside food and drink and avoid violence among patrons. The local cafes and bars decided it’s not worth having a bouncer for that. That’s a valid decision.
And if my blog with a few hundred visitors goes down because of a Cloudflare outage ... so what?
People act as if outages are some solvable problem and each outage should never have happened and we need to act (cloud no cloud, firewall rules, and so on) each time.
Rather I think history has shown this stuff happens and if the impact is terrible ... fine.
> Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.
I've received death threats. Do I engage in charged political commentary on my site? Not really. Just vaguely left-of-centre stuff in a way that I feel moves the discussion forward (and not even that often). The internet is fun: you're instantly connected to every unhinged asshole lunatic in the world.
> The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online.
thank you. thank you. thank you.
we are tired of hot takes on the internet due to opportunism.
yeah even the small sites are being tested every day by bots. how the bots know your site just came online - I don't know. so yeah cloudflare is nice. we hate centralization on the internet - but to be naive that there are no bad actors on the internet is pure stupidity.
DDoS is not a security issue for a small blog. It's a reliability issue, and reliability probably isn't that important. And to the extent that it is important, it's not at all obvious which choice is going to get me better reliability.
I'm not going to YOLO an actual security issue and, say, use my zip code as the password on a publicly-facing ssh service or something. But DDoS protection? Meh.
If we're talking about putting static assets (like basic websites) on their CDN, or moving your backend to Workers, (etc...) you are by definition moving _away_ from single point-of-failure.
> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.
Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.
We once had a cloudflare outage. My CEO asked "mitigate it". I hit him back with: okay, but that'll take me weeks/months potentially, since we're tiny; do you really want to take away that many resources just to mitigate a once-every-few-years "half the internet is down" issue?
He got it really quickly.
I did mitigate certain issues that were just too common not to, but when it comes to this sort of thing, you gotta ask "is it worth it"
Edit: If you're so small, cloudflare isn't needed, then you don't care if you go down if half the internet does. If you're so big that you need cloudflare, you don't wanna build that sort of feature set. The perfect problem.
I think that really depends on feature usage. You can use Argo/Cloudflare tunnels to route to private backends that are normally unroutable. In such a setup, it might be quite difficult to remove Cloudflare since then you have no edge network and no ability to reach your servers without another proxy/tunnel product.
If you're using other features like page rules you may need to stand up additional infrastructure to handle things like URI rewrites.
If you're using CDN, your backend might not be powerful enough to serve static assets without Cloudflare.
If you're using all of the above, your work to temporarily disable becomes fairly complicated.
It depends. The site is up, but now you're pumping 10x/100x the traffic. What are you scaling up?
Suddenly you're not blocking bots or malicious traffic. How many spam submissions or fake sales or other kinds of abuse are you dealing with? Is the rest of your organization ready to handle that?
I self-host my blog on a server in my home. Instead of opening a port to my home network, I'm using Cloudflare Tunnel to expose the blog to the internet.
That's not really anonymity or privacy in all likelihood, though. Your residential IP is already anonymous. Knowing it tells me nothing other than your general region. The benefit there is that you don't need to have a static IP.
And besides, Cloudflare Tunnel is distinct from (though it integrates with) the cdn product.
> you are by definition moving _away_ from single point-of-failure
Depends on the frame of reference of “single point-of-failure”.
In the context of technical SPOFs, sure. It’s a distributed system across multiple geographies and failure domains to mitigate disaster in the event any one of those failure domains, well, fails.
It doesn’t fix that technology is operated by humans who form part of the sociotechnical system and build their own feedback loops (whose failures may not be, in fact are likely not going to be, independent events).
SPOFs also need to contemplate the resilience and independence of the operators of the system from the managing organisation. There is one company that bears accountability for operating CF infra. The pressures, headwinds, policies and culture of that organisation can still influence a failure in their supposedly fully distributed and immune system.
For most people hosting behind Cloudflare probably makes sense. But you need to understand what you’re giving up in doing so, or what you’re sacrificing in that process. For others, this will lead to a decision _not_ to use them and that’s also okay.
Definitely has similarities. I think we do not realize how most top websites and services rarely go down anymore, and we use them 100 times more than we did 20 years ago. Building your own networking, compute, storage, CDN, or database solutions to avoid dependencies on AWS or Cloudflare would almost certainly lead to more service downtime than relying on highly sophisticated third parties.
But now, when one of these services breaks, everything on the internet goes down. And it is a lot easier to explain to your director of engineering that the whole internet is down than to say that your custom home-rolled storage system fell over, or whatever esoteric infrastructure failure you may run into doing it yourself.
> That's a bit like the 'nobody was fired for choosing Oracle' argument, but it does make sense.
The reaction to AWS US-East-1 going down demonstrates this. As so many others were in the same boat, companies got a pass on their infrastructure failing. Everyone was understanding.
I just paused cloudflare on a site of mine. On a normal day, it would be pretty easy to unpause it if it gets hit by a DDOS. Now cloudflare is down and the site is up again. Small sites do not benefit much from the performance effects of cloudflare either. Site won't be in their cache.
I guess by using cloudflare you are pooling your connection with other services that are afraid of being DDoSed and actively targeted, whether by politics or by sheer volume. Unless you have volume or political motivations, it might be better not to pool (or to pool for other purposes).
I administer a PHP website with very little legit traffic per month, but a few thousand pages probably. The bot traffic is crazy. We're not using Cloudflare for that site, but we're using a local static-page cache... and without it, the site simply can't function.
You don't need to be the target of a DDoS to use a CDN.
Also, using CDNs (Fastly via Github pages, not Cloudflare, in this case) once allowed us to be featured in a very large newspaper without worries, extra expenses, or extra work.
Simply put, in order for moving off of Cloudflare (or similar) to be practical, bot and scraper traffic is going to have to be reined in heavily.
Getting bots under control would be better for the health of the web anyway, but the chances of that happening are practically zero. Even if the AI bubble collapses entirely, there's still going to be loads of ill-behaved scrapers and exploit sniffers roaming about.
I don't know if it's possible to fix this issue, short of the entire world enacting strict regulations mandating that scrapers and bots be well-behaved, which is never going to happen and even if it did could end up being just as or more destructive than rogue bots.
Usually it's big actors like Facebook, Azure and OpenAI who bombard my servers without any respect or logic. I need to update my access rules constantly to keep them away (using Cloudflare). Sometimes it's clustered traffic, more classic DDoS, from China, Russia or America. That I could easily filter with the DDoS protection from my hosting (which is cheaper than Cloudflare anyway).
What should I do if not Cloudflare to block with "complex rules" that is strong enough to survive hundreds of concurrent requests by big companies?
Concurrent and constant. This is nothing like real traffic, nothing like the good old hug of death.
It seems to find the slowest endpoints (well, it does like my search and category pages, but sometimes it really hammers a single page for an hour), builds up until your site goes to its knees, and instead of going slower it starts to hammer from other IP ranges until you have them all banned. This can go on for hours (or days even) if I don't create new rules to ban it.
It reminds me of a Slowloris DoS but at large scale and concurrency.
Sure if my website didn't have any dynamic content, or not millions of database lines it would be less of an issue :)
OpenAI bots are relentless. I used to see some random requests every time I requested LE cert for making a service public but now, it's always "gptbot"
?? It's free, and it protects you from all sorts of nasty things.
I can't think of any reason not to use cloudflare. It's _dead easy_ to set up too.
I can't help but think that the author understands what cloudflare actually does, or just has a poor understanding of what goes on on the internet. Probably a bit of just being in a bad mood about cloudflare being down too.
The biggest argument against using it is that if everyone uses it, there is no Internet but Cloudflare; and so Cloudflare is the decider and arbiter of Internet access for all.
I get these arguments and I see the appeal. But should this be the primary reason to use them, this way the web is being massively centralized. Everything running through them doesn't seem that smart to me.
But of course I understand that for most users this isn't really a concern and the benefits that cf provides are much more important than the centralization problem.
Yeah, for me this is the main reason. I don't need it (even though I self host many websites, some having 100k requests/day, which is reasonable for a homelab). But most importantly, I don't want all the traffic to my websites being MITMed by a company, even more so when it's foreign.
Many also put their personal stuff behind CloudFlare because it's a good way to learn a tool that they might need professionally later.
I'm all for decentralizing and I don't feel the need for CloudFlare personally, but yes, arguing that people really shouldn't be doing it, period, requires some good technical reason or a more convincing political stance.
The problem is, we need to. It’s simply insane how many stupid, malicious requests we get without it, and we honestly are a small, unimportant site.
If we don’t filter all this crap out, our metrics become basically meaningless, and our Data Warehouse, whose analyses we need to do business with our partners, would be one big „shit in, shit out“ travesty.
And on the other hand, becoming non-affected by today’s Cloudflare incident was a single DNS update away, and effective in under a minute.
I’m not saying we are perfectly happy, and I don’t exactly love the Cloudflare bill, but just slapping them in front of our load balancer and having them filter out the bad guys has been a good deal so far.
> becoming non-affected by today’s Cloudflare incident was a single DNS update away
Except you've now leaked your origin IP so expect increased junk being pointed straight at it. Sure you can firewall it off but even dropping packets burns CPU.
The lesson I learned is it's OK to put your site with Cloudflare. It's not OK to put your DNS on a registrar who is also on Cloudflare. We got locked out because our registrar is also on Cloudflare, and now I can't even switch DNS to get the site back up. Keep your domain name registrar, DNS service provider and application infrastructure provider separate.
> > Keep your domain name registrar, DNS service provider and application infrastructure provider separately.
> Fair point but you also get exposed if the dns provider has an outage
The usual workaround here is to put two IP addresses in your A record, one that points to your main server on hosting provider A, and the other to your mirror server on hosting provider B.
If your DNS provider goes down, cached DNS should still contain both IPs. And if one of your hosting providers goes down as well, clients should timeout and then fallback to the other IP (I believe all major browsers implement this).
Of course this is extra hassle/cost to maintain, and if you aren't quite careful in selecting hosting providers A and B, there's a good chance they have coordinated failures anyway (i.e. both have a dependency on some 3rd party like AWS/Cloudflare).
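The client-side fallback the comment above relies on, as an added example and not the commenter's code: a small Python client that walks the addresses of an A record in order with a per-address timeout, with a throwaway local listener standing in for the mirror on provider B. The TEST-NET-3 address 203.0.113.1 is a constructed, unroutable stand-in for the primary server that is down.

```python
import socket
import threading
from typing import Iterable, Optional


def connect_with_fallback(addresses: Iterable[str], port: int,
                          timeout: float = 2.0) -> Optional[socket.socket]:
    """Try each address from the A record in turn, the way a client falls
    back when the first host is unreachable.

    Each attempt is bounded by `timeout`, so a black-holed primary costs at
    most that long before the mirror is tried. Returns a connected socket,
    or None when every address failed.
    """
    for addr in addresses:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)          # bound the wait for this address
        try:
            sock.connect((addr, port))
            sock.settimeout(None)         # back to blocking for normal use
            return sock
        except OSError:                   # timeout, refused, unreachable
            sock.close()
    return None


def first_reachable(addresses: Iterable[str], port: int,
                    timeout: float = 2.0) -> Optional[str]:
    """Return the address that actually answered, or None."""
    sock = connect_with_fallback(addresses, port, timeout)
    if sock is None:
        return None
    peer = sock.getpeername()[0]
    sock.close()
    return peer


def start_mirror(host: str = "127.0.0.1") -> int:
    """Stand-in for 'hosting provider B': a local TCP listener on an
    ephemeral port that accepts connections and closes them immediately."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    mirror_port = start_mirror()
    # Constructed A record: dead primary first, live mirror second.
    print(first_reachable(["203.0.113.1", "127.0.0.1"], mirror_port, 1.0))
```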
Traditional non-cloud, non-weird DNS providers have sufficiently long TTLs, not the "60 seconds and then it's broken" crap that clouds do to facilitate some of their services.
Something like TTL 86400 gets you over a lot of outages just because all the caches will still have your entries.
Yes, of course. But you usually don't put your important webserver doing bazillions of requests per short interval on dynamic IPs. Especially if you need to avoid any downtimes.
Use multiple DNS providers. Some secondaries have thousands of anycast nodes that are provided for free. One can also condition their user-base to know of multiple domains that are on different registrar accounts and of course a few .onion domains.
But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.
Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...
> Fact is, most sites are better off with Cloudflare than without
Citation direly needed.
In particular I wonder:
Who is that total mass of sites where you consider most being better off using cloudflare? I would be curious on what facts you base your assumption. How was the catalog of "all" procured? How are you so confident that "most" of this catalogue are better off using cf? Do you know lots of internals about how strangers (to you) run their sites? If so, mind sharing them?
> total mass of sites where you consider most being better off using cloudflare?
Most. A lot of simple sites are hosted at providers that will be taken down themselves by run-of-the-mill DDOS attacks.
So, what will such providers do when confronted with that scenario? Nuke your simple site (and most likely the associated DNS hosting and email) from orbit.
Recovering from that will take several days, if not weeks, if not forever.
I was hoping you could share some of the factual evidence you apparently possess to make such bold claims, alas it seems my hopes will go unfulfilled. Have a good rest of the day!
Dud(ett)e, it's a message board comment, not a scientific study.
But do you really doubt that most ISPs will gladly disable your 1Gb/s home-slash-SMB connection for the rest of the month in face of an incoming 1Tb/s DDOS? Sure, they'll refund your €29,95, but... that's about it, and you should probably be happy they don't disconnect you permanently?
Hi ZeroConcerns, I'm doing fine, thanks, hope you too!
There's no but... - just claims you made that I dared to question just for fundamentals, which obviously you want to dodge.
I won't go as far as questioning your intellectual honesty here, but I really have a hard time seeing it. So now for reals, good day
I have no idea. I've been running my own web site without any CDN for nearly 25 years, and I don't have any idea what my host would do if I got DDoSed, because it has never happened.
It comes down to politics. If I'm hosting a weird porn website, I'm sure my host would drop me. But since I have a run-of-the-mill SaaS website or a landing page for a business hosted, I'm sure my host would see no point in dropping my service; if I get DDoSed, my neighbours got DDoSed as well similarly, I'm sure. Maybe they charge me extra or rate limit the connection, idk.
In fact, I expect my host to kick weird porn websites from their servers so that I don't have any bad neighbours, we're running legitimate businesses here sir.
Maybe they'd push me into upgrading my server, as a sort of way of charging me for the increased resources, which is fine. If I'm coasting on a $7 VPS and my host tanks a DDoS like a hero, sure, let's set up a $50-100 dedicated server, man.
In business loyalty pays and it goes both ways.
I have more than 1 hosting provider though, so I can reroute if needed, and even choose not to reroute to avoid infecting other services, isolating the ddosed asset.
Most sustained DDOS attacks will cause your hosting provider to drop you. Sure, you can recover from that in 72 hours or so, but that's not as simple as "turning on Cloudflare" at that point.
Seriously: having someone in charge of your first-line traffic that is aware of today's security landscape is worth it. Even if they require an upgrade to the "enterprise plan" before actually helping you out.
But imagine right now vs you only being down. It sucks right now but most customers are aware of why and we can just say "hey its everyone, just not us". If you had a DDOS attack only on you, imagine dealing with customers then. It is a double edged sword.
Being able to link to a BBC article (Or whatever major news source you prefer) to a customer is the best type of outage. "Look, this is so big it made the news - this isn't our fault"
I see many people saying this but be honest, do you know this for sure or are you just guessing? I've experienced DDoS so I know I'm not just guessing when I say that if your website gets DDoSed your hosting service would just take your website down for good. Then good luck running circles around their support staff to bring your website back up again. Maybe it won't kill your business but it'll surely create a lot of bad PR when your customers find out how you let a simple DDoS attack spiral out of control so bad that your host is refusing to run your website anymore.
Stop encouraging centralization and non-private web. Cloudflare's famous mitm also puts everyone's data under their watch. Remember how cloudflare leaked secrets in 2017 on every major search engine?
I use Cloudflare tunnels to expose lots of small projects to the internet that I host on my home server. I don't want my home internet to be knocked offline because someone decides to hammer my network and knock me offline for a while.
Cloudflare handles caching of static resources, rate limiting, and blocking of bots with very little configuration.
Also, my ISP here in the UK doesn't provide static IP addresses, so Cloudflare allows me to avoid using a dynamic DNS service, and avoid exposing ports on my router.
This is my worry. What is Cloudflare exactly? What regulations are they under? Am I and my privacy protected? How much of my privacy do I need to give up for what's essentially part of a protection racket, be it intentional or not? What happens when I use their SSL, can they sniff my packets? What intelligence and law enforcement do they work with? As someone with vulnerable and targeted identities, it's a lot harder to hand over my autonomy to what's essentially the modern 1980s IBM or whatever. This is a closed for-profit company that exists to maximize shareholder value, not protect me.
It's incredible we took a decentralized model and centralized it with things like Cloudflare and social media. I think we need pushback on this somehow, but it's hard right now to see how it's possible. I think the recent talk about federation has been helpful, and with the world falling into right-wing dictatorships, this privacy and decentralization is more important than ever.
Cloudflare is what happens when a platonic idea of the internet clashes with market realities. All the questions posed are very important, but most websites are run by businesses with motives about as pure as Cloudflare’s.
As for people… A programming club I attended is filled with people who run homelabs, use Linux and generally dislike anything corporate. The project to switch communication off Discord is now more than a year old. I do feel sometimes that resistance against corporate internet is futile.
Cloudflare is what happens when the internet as a platonic idea fails to come up with a sensible answer to DDoS attacks. When there's no pipe fat enough to take the traffic a moderate DDoS can bring to bear, you need means of filtering in a distributed fashion, and in the way the internet is organised that takes connections and hardware which are essentially impossible for a small operation to muster.
I ran a highly trafficked adult website for 18 years. In the early days, CDNs were unattainable for me and I managed my own rudimentary network by hosting bare metal servers in data centres around the world, using geo-ip aware DNS servers to send traffic to the closest data centre to them.
My most significant running expense was bandwidth cost. So I never switched to cloud since the bandwidth costs would have instantly bankrupted me. Cloudflare, on the other hand, was the single most significant development when it came to my bottom line. Adding a basic, $200 / month business account saved me thousands per month on bandwidth + server costs.
DDoS protection was just a nice perk.
Most small websites are hosting with cloud providers these days. If their websites are at all media rich (and most are these days), and those assets can be cached by a CDN ... the cost savings on bandwidth are not marginal. They are often the difference between being able to afford to host your website or not having one at all.
There are, of course, ways to optimize and reduce those expenses without a 3rd party CDN. But if Cloudflare still has their free plans for smaller traffic volumes, it is often a financial decision to use them over your cloud provider's CDN options.
> Most of these sites are not even that big. I expect maybe a few thousand visitors per month.
Incidentally, if you can make a site "static", so far I'm mostly liking AWS CloudFront loaded from S3. After many years serving my site from a series of VPSs/hosters/colo/bedroom. It's fast and inexpensive, and so far perfectly solid.
Deploying consists of updating S3, and then triggering a CloudFront invalidation, which takes several seconds. The two key fragments of my deploy script (not including error checking, etc.), after the Web site generator has spat all the files into a staging directory on my laptop where I can test them as `file:` URLs, are:
The main thing I don't like about it (other than the initial setup wizards having a couple bugs) is that it doesn't automatically map `foo/` URLs to `foo/index.html` S3 objects. The recommended solution was to use AWS Lambda, which I did temporarily, and it works. But when I get a chance, I will see whether I can make my deploy script duplicate S3 `foo/index.html` as S3 `foo/` and/or `foo`, so that I can get rid of the worse kludge of using Lambda. Unless CloudFront offers a feature to do this before then.
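One way to do the `foo/index.html` duplication the comment above describes, as an added example rather than the commenter's own deploy script: it plans the S3 keys from the generator's staging directory, emitting `foo/` and `foo` copies for every non-root `index.html`, and hands the plan to boto3. The bucket name and distribution id are placeholders, and `deploy()` is only reached when AWS credentials are configured.

```python
import mimetypes
import time
from pathlib import Path, PurePosixPath
from typing import Dict, List, Tuple

Plan = Dict[str, Tuple[Path, str]]  # S3 key -> (local file, Content-Type)


def plan_s3_keys(staging_dir: Path) -> Plan:
    """Map every generated file to the S3 key(s) it is uploaded under.

    For each `foo/index.html` the plan also emits the keys `foo/` and `foo`
    holding the same bytes with Content-Type text/html, so CloudFront
    requests for those URLs hit an object directly instead of a Lambda.
    The root `index.html` is left alone: CloudFront's default root object
    already covers `/`.
    """
    plan: Plan = {}
    files = sorted(p for p in staging_dir.rglob("*") if p.is_file())
    for local in files:
        key = local.relative_to(staging_dir).as_posix()
        # Guess the type from the filename so S3 serves css/js/html correctly.
        ctype = mimetypes.guess_type(key)[0] or "application/octet-stream"
        plan[key] = (local, ctype)
        posix = PurePosixPath(key)
        if posix.name == "index.html" and posix.parent != PurePosixPath("."):
            parent = posix.parent.as_posix()
            plan[parent + "/"] = (local, "text/html")   # URL /foo/
            plan[parent] = (local, "text/html")         # URL /foo
    return plan


def invalidation_paths(plan: Plan) -> List[str]:
    """CloudFront invalidation paths (leading slash) for every key uploaded."""
    return sorted("/" + key for key in plan)


def deploy(staging_dir: Path, bucket: str, distribution_id: str) -> str:
    """Upload the plan and invalidate the paths; returns the invalidation id.

    boto3 is imported here so planning works without AWS installed.
    """
    import boto3  # assumed available only at deploy time

    plan = plan_s3_keys(staging_dir)
    s3 = boto3.client("s3")
    for key, (local, ctype) in plan.items():
        s3.upload_file(str(local), bucket, key,
                       ExtraArgs={"ContentType": ctype})
    paths = invalidation_paths(plan)
    cf = boto3.client("cloudfront")
    resp = cf.create_invalidation(
        DistributionId=distribution_id,
        InvalidationBatch={
            "Paths": {"Quantity": len(paths), "Items": paths},
            "CallerReference": str(time.time()),  # must be unique per call
        },
    )
    return resp["Invalidation"]["Id"]


if __name__ == "__main__":
    # Placeholders: replace with your bucket and distribution id.
    deploy(Path("./staging"), "YOUR-BUCKET", "YOUR-DISTRIBUTION-ID")
```

Serving the page directly at `/foo` (no redirect to `/foo/`) means relative links inside that page resolve against `/` rather than `/foo/`, so the generator should emit root-relative links if the bare key is kept.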
As far as I remember S3 makes a distinction between the paths /folderLikeResource /folderLikeResource/subResource, so you can basically map "foo/index.html" to distinct resource "foo".
All the people posting all their reasons why they use Cloudflare ("it's free!"/"it's easy!"/"my site won't go down!") makes me realize this apparent arms race is going to effectively result in the total centralization of all web content. Cool. Seems like a great idea to rely on a singular US service rather than diversify the risk across hundreds/thousands of services around the world. What could possibly go wrong?
Cloudflare is still down and now it's been 5+ hours. Having said that, the thing about "if you don't need to" is not that simple. For personal sites/blogs, I can agree, but then it really doesn't matter for those. For a real business, the value of Cloudflare (as centralized as it gets) is the proxy, especially against attacks. The other stuff like CDN/caching etc. is a bonus on top.
Unless there is a better option, just asking real businesses (no matter how small) to not use cloudflare is not an option.
5+ hours. It's amusing to reflect on all the "leaders" I've seen jumping on people's heads because a single feature of some unknown product was unavailable for 30 minutes.
Do put your DNS at cloudflare for your blog, as it can more effectively block all unwanted traffic. Dropped my bandwidth usage on personal blog from 4-5Gb/day to less than 500Mb by putting DNS through cloudflare and enabling their bot/ai blocks.
I get your gripe, but the free protection that Cloudflare offers automatically often far exceeds the effort required to thwart some random script kiddie’s attacks on my client’s Wordpress site. Add easy caching, tunnels, automated certificate management, etc. to that and it’s obvious why a lot of sites use them.
I get it... but you can pry my cloudflare-tunnel from my cold dead hands.
I'm no stranger to hosting things 'the hard way', but I am not going back from my happy casual hosting where I just spin up a docker container, and point the cloudflare tunnel at the local port and opt out of worrying over DDOS, SSL termination and certs, and everything else that goes with it.
With tailscale, I don't even keep port 22 open to the world.
>"no one will burn their DDoS capabilities on you!"
You don't need to burn a DDoS capability to launch a DDoS attack. You just need to pay a few bucks to a booter service. A few minutes of searching turned up these:
The massive centralisation going through cloudflare, especially their dns, is good reason to reconsider using them. It doesn't matter how good their product or ethos is, 10s of %s of the Internet traffic going through one company is a bad thing for the Internet.
Problem is, new adopters of digital presence do so by the standardized convention set by the market, and the market incentivises faster and efficient adoption, and Cloudflare is/has become that standard, as WordPress became decades ago for bloggers. The boogeyman hackers pose uncertainty and the Cloudflare standard promised a solution against it, especially DDoS. I usually reverse dig new companies and almost all of them are behind Cloudflare. It is just learned helplessness.
Even my tiny little personal sites got hammered by bots. I was very reluctant, but I feel like I had no choice but to go to Cloudflare. It was the only free option, and for tiny little sites it’s not worth paying for a solution.
I have a small blog with a few hundred visitors per month (not including the AI scrapers), and I use Cloudflare because it lets me run everything on a box in my home office with Cloudflare tunnel in the way and I don't have to worry about a static IP or anything. The best part about Cloudflare is how unintrusive it is. It's properly a layer over everything that you have.
I run my stuff as quadlets on Linux, and `cloudflared` just forwards requests to a specific port. It's a reverse proxy. If I wanted to move off Cloudflare, I'd need to run Nginx (or Traefik/Caddy which I'm less familiar with) + certbot and switch DNS.
I like this layering approach, and when I decided to move from a cheap VPS to my own homeserver, I found it very easy to do so by just swapping a few things. I do have Google Fiber who don't mind when you host stuff so that's nice.
Of all the cloud services that are a problem, I'd say Cloudflare is particularly well-designed as a non-lock-in service and is very generous with the terms. So I am quite happy putting Cloudflare in between.
After all, if I'm only receiving a few hundred visits a month, it's not that important if Cloudflare is down. It's not like I'm providing an essential service except to my wife, who relies on some of the apps I've made for her Custom GPTs[1] and she is quite the forgiving user.
If you have a blog with 100 visitors per month why would you worry about being hit by an 4-8 hours outage once every year or two? I like Cloudflare because it is easy to setup and manage and because the amount of value you get for free or just a few bucks per month can’t be matched by any other company. Sure, if my income depends on my website/service uptime then I would probably consider other options. I think for most folks that’s not the case. Just chill and wait it out.
Adding Cloudflare to my site would actually cause more denial of service to legitimate users than it would if I never added CF. As someone using OpenBSD + Firefox with strict privacy settings and "resist fingerprinting", I am frequently blocked from sites because CF erroneously identifies my browser as suspicious (with no way for me to resolve this except use a different browser or computer). I'm not interested in blocking visitors because they use a different browser. Case in point: https://www.theregister.com/2025/03/04/cloudflare_blocking_n...
I will always champion the notion of keeping things as simple as possible. However, this take seems a bit overreactive.
Their stack has been some of the easiest low-hanging fruit for enhancing self-managed web stuff. Almost everyone who agrees with this sentiment is also relying on someone else in the chain to keep their sites up. In my limited experience, the latter ended up being less reliable in the past decade or so.
Funnily enough, the site was (momentarily) not loading for me, but instantly did right after.
We mainly use cloudflare due to the first class DNS experience. Free and super easy to work with.
Anyone have a suggestion for an alternative? I don't want to pay per domain, but I would pay an agency fee for like 100 domains for a few hundred bucks, sort of thing, like migadu offers for email.
Worst thing is when a local municipality is using Cloudflare on their pages and unintentionally breaks their RSS feeds, because they restrict foreign traffic. And RSS readers are usually running on some server in a different country.
CDNs and reverse proxies are important part of internet infrastructure. Problem here is not that webservers use CloudFlare, but that use only CloudFlare.
Let's assume that I could easily use multiple CDNs/proxies and put them all in my DNS record. It would be nice if web browsers would use happy-eyeballs-like logic to switch between multiple IP addresses, but I don't think this is default behavior with multiple A/AAAA records.
The one time my company suffered a denial-of-service attack we were able to get support from our colo provider to stop the attack. This was years ago and our provider has been bought a couple of times and while the company has grown the staff are more remote and fewer in number so I'm not sure if we'd get the same support today.
So, every now and then I think about at least putting our assets on a cdn with the option of using it in the case of a ddos attack but then I see things like today and the recent Aws problems and I just get the feeling I should keep everything close.
Comparing burning a zero day to flexing DDoS capabilities is absolutely insane.
I dislike CloudFlare for their extremely hostile stance against VPNs and for collecting a near autocratic control of a large part of the “world wide” web. I think that there are very valid concerns regarding that. And yes, that power is given to them by service providers, however also essential services use it and as a user I can not choose to not use your service without CF, so it’s still very much asymmetric.
Can't find the following argument in the replies: respect your visitors by not showing cloudflare's spinners and other bs in their faces.
If your site is static, a VPS would carry it a long way. I once hosted a tiny video site: 500 daily visitors, 100GB, $10/month. Worked better than YouTube, 0 issues.
Very naive comment here but how is this traffic grinding sites to their knees? I would think that modern hardware is easily capable of handling the high traffic. I would only expect a DDoS attack to be bringing down servers.
I don't use even close to all the services they offer, mostly just DNS and some web workers but the convenience of it as opposed to rolling my own is, excluding down time, an incredible free offering.
Way back years ago when I used to roll my own, any problems I had to fix took extremely long and were painful. Could I do it again today? Yeah sure, but I know I couldn't do a better job than Cloudflare.
I've learned this the hard way, by putting an Arweave gateway behind Cloudflare.
The gateway was checked regularly for random data and the client would stop a download after 1MB, causing the gateway to stop sending the rest of the file.
However, Cloudflare CDN wouldn't stop when the client stopped, causing the gateway to send the whole file. Some files are multiple GBs big, so I suddenly got an invoice of 600€.
I'm running a Raspberry Pi 5 at home as a lightweight web server. I put it behind `cloudflared` so as to not leak my home IP address, and today I got to pay for it.
Should I just stop being paranoid about "leaking my IP address" and self-host it 100%? All I fear is that my family will have to live with degraded internet experience because some script kiddie targeted me for fun.
You have other options besides leaking your home IP. You could use a VPN like Wireguard or a WG product like Tailscale, which is what I do. My Tailnet IPs are in public DNS, too, because it doesn't matter, they're not routable publicly. You could also get a cheap VPS in The Cloud and proxy requests to your home.
I would honestly not want to ever get targeted for a ddos attack on my home network ip. It's 5 bucks to buy a stresser online. Maybe you can even find one for free. People used to do that for fun when skype was around since you could resolve people's IP addresses due to a bug in skype. The worst possible outcome is they disconnect your network or block your port forwarding privileges outside of your own network being down for your family. I wouldn't wish ISP support on anyone, much less ISP support that would rather just terminate you than help you protect your homelab server.
It is mentioned in the article that round-robin DNS is an alternative to this setup; however, in reality, it is not the same thing, and that's the reason load balancers exist. It is not feasible to provide something very similar, due to the very nature of a distributed and cached DNS system.
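What the two comments above (the one wishing browsers did happy-eyeballs over several A/AAAA records, and this one on round-robin DNS not being a load balancer) are asking for is client-side failover: the resolver keeps handing out a dead proxy's address, so the client has to notice and move on. The following is an added example, not code from the thread or from any browser, of that fallback in the spirit of RFC 8305. It is simplified to sequential attempts with a short per-attempt timeout (RFC 8305 races attempts in parallel after a 250 ms delay); the DNS records, the "down" set and the fake dialler are constructed for the demo, and a real client would pass `socket.create_connection` as `dial`.

```python
"""
Added example: happy-eyeballs-style fallback across several published proxy
addresses. Round-robin DNS alone gives no failover: every record is returned
whether its host is up or not, so the client must try the next candidate.
"""
from __future__ import annotations
import ipaddress
import socket
from typing import Callable, Iterable, List, Sequence, Set, Tuple

Addr = Tuple[str, int]


def order_addresses(addrs: Sequence[Addr]) -> List[Addr]:
    """Interleave IPv6 and IPv4 candidates, IPv6 first, as RFC 8305 prefers.

    Each family keeps its resolver order, so DNS round-robin still spreads
    first attempts across the entries.
    """
    v6 = [a for a in addrs if ipaddress.ip_address(a[0]).version == 6]
    v4 = [a for a in addrs if ipaddress.ip_address(a[0]).version == 4]
    ordered: List[Addr] = []
    for i in range(max(len(v6), len(v4))):
        if i < len(v6):
            ordered.append(v6[i])
        if i < len(v4):
            ordered.append(v4[i])
    return ordered


def default_dial(addr: Addr, timeout: float) -> socket.socket:
    """Real dialler: a TCP connect with a per-attempt timeout."""
    return socket.create_connection(addr, timeout=timeout)


def connect_with_fallback(
    addrs: Sequence[Addr],
    dial: Callable[[Addr, float], object] = default_dial,
    attempt_timeout: float = 0.25,
) -> Tuple[Addr, object, List[Addr]]:
    """Try each candidate in turn; return (address used, connection, failures).

    Raises OSError only after every candidate failed, so the caller can tell a
    single dead proxy apart from "nothing is reachable at all".
    """
    failed: List[Addr] = []
    for addr in order_addresses(addrs):
        try:
            conn = dial(addr, attempt_timeout)
            return addr, conn, failed
        except OSError:
            failed.append(addr)
    raise OSError(f"all {len(failed)} candidates failed: {failed}")


def fake_dial_for(down: Iterable[str]) -> Callable[[Addr, float], str]:
    """Constructed dialler for offline demos: refuses the addresses in `down`."""
    unreachable: Set[str] = set(down)

    def dial(addr: Addr, timeout: float) -> str:
        if addr[0] in unreachable:
            raise OSError("connection refused")
        return f"socket->{addr[0]}"

    return dial


if __name__ == "__main__":
    # Constructed: three proxies published as A/AAAA records, two of them dead.
    records: List[Addr] = [("203.0.113.10", 443), ("2001:db8::10", 443), ("198.51.100.20", 443)]
    used, conn, failed = connect_with_fallback(records, dial=fake_dial_for({"203.0.113.10", "2001:db8::10"}))
    print("connected via", used, "after failures on", failed)
```

The failover only helps for connect-time failures (refused, timed out); a proxy that accepts the TCP connection and then returns errors needs the same loop one layer up, at the HTTP request.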
Cloudflare tunnels make it dead simple these days. Like some others in the comments, it seems, I'd rather have Cloudflare fighting the war against hacker armies than me. Once our networks become compromised from opening our firewalls (possibly even if not), our routers and IoT devices become unwillingly complicit in the army that's bringing the internet down.
One way to mitigate DDoS is to enforce source IP checks on the way out of a datacenter (egress).
Sure, there are botnets, infected devices, etc. that would conform to this, but where does the sheer power of a big DDoS attack come from? Including those who sell it as a service. They have to have some infrastructure in some datacenter, right?
Make a law that forces every edge router of a datacenter to check for source IP and you would eliminate a very big portion of DDoS as we know it.
Until then, the only real and effective method of mitigating a DDoS attack is with even more bandwidth. You are basically a black hole to the attack, which Cloudflare basically is.
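The egress check the comment above proposes is source address validation, what BCP 38 (RFC 2827) describes and what BCP 84 (RFC 3704) extends for multihomed sites. Below is an added example, not code from the thread and not a router configuration, of that rule over constructed packet records; a real deployment expresses the same thing as a uRPF or ACL on the edge router. The prefixes and packets are made up for the demo. The caveat the commenter already concedes holds: this removes spoofed-source floods and the reflection/amplification that depends on them, and does nothing about botnet traffic sent from its real addresses.

```python
"""
Added example: source-address validation at a datacenter's egress. A packet
leaving the site whose source is not inside a prefix the site announces is
spoofed by definition and is dropped before it can reach a reflector.
"""
from __future__ import annotations
import ipaddress
from typing import Iterable, List, NamedTuple, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str  # e.g. "udp/53"; informational only


def parse_prefixes(prefixes: Iterable[str]) -> List[Network]:
    """Parse the announced prefixes; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def source_is_ours(src: str, nets: Sequence[Network]) -> bool:
    """True when the source address lies inside a prefix this site announces.

    For a multihomed customer the list must include every prefix they may
    legitimately source from, including ones learned from another upstream
    (the BCP 84 case); otherwise the filter breaks their failover traffic.
    """
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets if net.version == ip.version)


def filter_egress(packets: Iterable[Packet], prefixes: Iterable[str]) -> Tuple[List[Packet], List[Packet]]:
    """Split egress traffic into (forwarded, dropped).

    Dropped packets carry a foreign source: the shape of a reflection attack,
    where the victim's address is written into the source so that DNS/NTP/
    memcached replies land on the victim instead of the sender.
    """
    nets = parse_prefixes(prefixes)
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (forwarded if source_is_ours(pkt.src, nets) else dropped).append(pkt)
    return forwarded, dropped


# Constructed demo data: the site announces one IPv4 /24 and one IPv6 /48.
OUR_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "198.51.100.1", "tcp/443"),       # legitimate web reply
    Packet("192.0.2.99", "198.51.100.53", "udp/53"),         # spoofed: 192.0.2.99 is the victim
    Packet("2001:db8:1::a", "2001:db8:ffff::1", "tcp/22"),   # legitimate IPv6
    Packet("2001:db8:2::a", "2001:db8:ffff::1", "udp/123"),  # spoofed: not in our /48
]

if __name__ == "__main__":
    forwarded, dropped = filter_egress(SAMPLE_PACKETS, OUR_PREFIXES)
    for pkt in dropped:
        print(f"DROP spoofed src={pkt.src} dst={pkt.dst} {pkt.proto}")
    print(f"forwarded {len(forwarded)}, dropped {len(dropped)}")
```

Counting the dropped packets per source is also a useful detection signal: a host inside the site that suddenly emits foreign-source UDP towards port 53 or 123 is most likely already part of someone's booter.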
All the sites that I'm personally aware of are either NOT behind Cloudflare, are large and targeted, or are behind Cloudflare because they have actually experienced a DDOS attack(s). I don't know of anyone that is just sticking themselves behind Cloudflare willy-nilly.
I actually would argue against this idea; it is quite resource intensive to keep your sites up to date with the latest security patches (think something like web servers, OpenSSL, TLS cipher suites...). Putting your site behind a CDN makes you not so vulnerable to these attacks.
These days Cloudflare offers more than network (CDN) and security (WAF). I guess there's Workers and containers for backend/fullstack, Pages for serverless/frontend/fullstack, storage and database solutions, and AI and stuff.
Cloudflare has saved me from a bunch of "Hacker News Hug of Death". It also works around the world, including China, where I have a lot of friends and family. Quite nice.
Thanks for all the discussion here. I use cloudflared to proxy a bunch of small sites I serve from home. I will take a look at other solutions mentioned in this thread.
The lesson for me here is the round robin DNS configuration.
I had an issue with the theme of your site probably not being important anyway. If your site probably isn’t important then it’s probably ok that it’s down too.
I'd happily use Cloudflare's proxy as it does a good job of serving static assets. The problem I have is the root certificate that it uses doesn't seem to be universally trusted.
I'm waiting for my first DDoS attack at which point I will hide behind Cloudflare. I have all the bits in place to make that a smooth transition but would hate every aspect of it.
Lets solve the problem. Why should some IP address be on the internet when it is being used for malicious activity. Everyone seems to assume there is no fix for this. Really?
The discussion here is sort of: which way do you want to let DDoS sites damage you? By signing up for Cloudflare or not signing up for Cloudflare. In both cases normal users suffer harm.
1. Put a moderate amount of money toward having the world's experts in uptime keep your site performing fast, and accept that occasionally your service goes down at the same time as everyone else.
2. Roll your own service, hire a large number of expensive experts to try to solve these problems yourself, and be responsible for your own outages and failures which will happen eventually and probably more frequently.
If no one is going to die from your service going down, it seems like this is a perfectly reasonable third-party dependency. And if the issue is just your contract's SLA or a financial customer, the saving that comes from using Cloudflare can probably be worked through via negotiations.
This. Despite all the ghost stories and war stories. It's how Apple sells you the Watch to save you from that bear attack or that time you got trapped somewhere.
The stories are real, and in some cases you may need it; in most cases you don't. And it clearly doesn't always protect you.
Cloudflare is a little like Google: they're doing a lot of really cool and amazing things to better the internet, but their frontend interface to use the services kind of sucks. They're raising the bar though, so that everyone gets better. It's like when backend developers do really cool shit and also make your frontend.
These threads always make me think what percentage of the commenters are commenting due to FUD, and how many are shilling. "My home ip address might leak", "hacker armies will attack me", "only cloud flare with its billion dollar engineers can protect you on the internet", "if the attacker gets your server ip it's GAME OVER", "rampant run of the mill ddos attacks that will make your provider NUKE YOU FROM ORBIT".
Meanwhile CF is closing in on monopolizing the internet.
Yep, my websites are up and running. No AWS, no CloudFlare, no problem.
We get excited by KPIs like uptime or scale while in truth for most of us those are not the key metrics. We think like BigTech because that's the metrics they sell us. It's a mistake that is profitable for them.
> Most of these sites are not even that big. I expect maybe a few thousand visitors per month.
> This demonstrates again a simple fact: if you put your site behind a centralized service, then this service is a single point of failure. Even large established companies make mistakes and can go down.
I'm guessing sites with a few thousand visitors a month don't much care about single points of failure. Seems like kind of a circular argument - if they're too small to care about needing a proxy in front of their service, then they are also probably too small to care about the handful of events that cause it to go down every so often.
People talk about "single points of failure" like invoking that phrase in and of itself means something is bad. There are many areas where avoiding single points of failure is essentially impossible. It's about how much risk and impact you are willing to tolerate with those points of failure.
Don't trust your traffic to autopilot, get it back in your hands, take a look into your bots (1), perhaps there is no real need for Cloudflare at all.
I would not need Cloudflare for personal projects if the lack of IPv6 support in random places did not make connecting to services I run on little VMs difficult.
Everything is a "single point of failure" if you play around enough with the definition of "single". Your custom server with backup solution is a "single" thing, which is really not that far off from what Cloudflare is. From a technical point of view it's hard to get more redundant than things like Cloudflare; it's really not that centralised beyond being one organisation.
It's just that if your server fails, no one hears about it. But as a rule, your custom server will fail more often than Cloudflare.
And you "need" it quicker than you think. DaemonForums is a small (no longer very active) forum; I ran the site for the first few years from 2008 to 2013. I served it off a small Intel Atom server. I haven't been involved in over a decade, but last year the current admin added Cloudflare because traffic from bots was getting out of control. He helpfully posted some stats:
Period Usage Maximum Expected Overusage
July 2025 5 GB ∞ 5 GB No overusage
June 2025 63 GB ∞ 63 GB No overusage
May 2025 788 GB ∞ 788 GB No overusage
April 2025 1038 GB ∞ 1038 GB 38 GB
March 2025 540 GB ∞ 540 GB No overusage
February 2025 379 GB ∞ 379 GB No overusage
January 2025 397 GB ∞ 397 GB No overusage
December 2024 401 GB ∞ 401 GB No overusage
November 2024 484 GB ∞ 484 GB No overusage
October 2024 328 GB ∞ 328 GB No overusage
September 2024 357 GB ∞ 357 GB No overusage
August 2024 355 GB ∞ 355 GB No overusage
July 2024 326 GB ∞ 326 GB No overusage
June 2024 189 GB ∞ 189 GB No overusage
May 2024 238 GB ∞ 238 GB No overusage
April 2024 225 GB ∞ 225 GB No overusage
March 2024 125 GB ∞ 125 GB No overusage
February 2024 76 GB ∞ 76 GB No overusage
January 2024 68 GB ∞ 68 GB No overusage
December 2023 34 GB ∞ 34 GB No overusage
November 2023 31 GB ∞ 31 GB No overusage
October 2023 31 GB ∞ 31 GB No overusage
September 2023 24 GB ∞ 24 GB No overusage
August 2023 22 GB ∞ 22 GB No overusage
July 2023 22 GB ∞ 22 GB No overusage
June 2023 22 GB ∞ 22 GB No overusage
May 2023 18 GB ∞ 18 GB No overusage
April 2023 20 GB ∞ 20 GB No overusage
March 2023 21 GB ∞ 21 GB No overusage
February 2023 20 GB ∞ 20 GB No overusage
January 2023 34 GB ∞ 34 GB No overusage
December 2022 38 GB ∞ 38 GB No overusage
November 2022 28 GB ∞ 28 GB No overusage
October 2022 25 GB ∞ 25 GB No overusage
September 2022 18 GB ∞ 18 GB No overusage
August 2022 36 GB ∞ 36 GB No overusage
July 2022 84 GB ∞ 84 GB No overusage
June 2022 71 GB ∞ 71 GB No overusage
May 2022 91 GB ∞ 91 GB No overusage
April 2022 89 GB ∞ 89 GB No overusage
March 2022 88 GB ∞ 88 GB No overusage
February 2022 89 GB ∞ 89 GB No overusage
January 2022 89 GB ∞ 89 GB No overusage
December 2021 98 GB ∞ 98 GB No overusage
November 2021 101 GB ∞ 101 GB No overusage
October 2021 97 GB ∞ 97 GB No overusage
September 2021 92 GB ∞ 92 GB No overusage
August 2021 94 GB ∞ 94 GB No overusage
July 2021 84 GB ∞ 84 GB No overusage
June 2021 83 GB ∞ 83 GB No overusage
May 2021 92 GB ∞ 92 GB No overusage
April 2021 91 GB ∞ 91 GB No overusage
March 2021 76 GB ∞ 76 GB No overusage
February 2021 68 GB ∞ 68 GB No overusage
January 2021 82 GB ∞ 82 GB No overusage
December 2020 74 GB ∞ 74 GB No overusage
November 2020 76 GB ∞ 76 GB No overusage
October 2020 71 GB ∞ 71 GB No overusage
September 2020 65 GB ∞ 65 GB No overusage
August 2020 75 GB ∞ 75 GB No overusage
July 2020 71 GB ∞ 71 GB No overusage
June 2020 65 GB ∞ 65 GB No overusage
May 2020 71 GB ∞ 71 GB No overusage
April 2020 56 GB ∞ 56 GB No overusage
March 2020 59 GB ∞ 59 GB No overusage
February 2020 56 GB ∞ 56 GB No overusage
January 2020 61 GB ∞ 61 GB No overusage
December 2019 55 GB ∞ 55 GB No overusage
November 2019 51 GB ∞ 51 GB No overusage
October 2019 54 GB ∞ 54 GB No overusage
September 2019 51 GB ∞ 51 GB No overusage
August 2019 49 GB ∞ 49 GB No overusage
July 2019 49 GB ∞ 49 GB No overusage
June 2019 46 GB ∞ 46 GB No overusage
May 2019 63 GB ∞ 63 GB No overusage
April 2019 46 GB ∞ 46 GB No overusage
March 2019 46 GB ∞ 46 GB No overusage
February 2019 43 GB ∞ 43 GB No overusage
January 2019 83 GB ∞ 83 GB No overusage
December 2018 52 GB ∞ 52 GB No overusage
November 2018 53 GB ∞ 53 GB No overusage
October 2018 49 GB ∞ 49 GB No overusage
September 2018 45 GB ∞ 45 GB No overusage
August 2018 46 GB ∞ 46 GB No overusage
July 2018 20 GB ∞ 20 GB No overusage
July 2018 34 GB ∞ 34 GB No overusage
June 2018 59 GB ∞ 59 GB No overusage
May 2018 51 GB ∞ 51 GB No overusage
April 2018 59 GB ∞ 59 GB No overusage
March 2018 49 GB ∞ 49 GB No overusage
February 2018 44 GB ∞ 44 GB No overusage
January 2018 47 GB ∞ 47 GB No overusage
December 2017 49 GB ∞ 49 GB No overusage
November 2017 43 GB ∞ 43 GB No overusage
October 2017 46 GB ∞ 46 GB No overusage
September 2017 47 GB ∞ 47 GB No overusage
August 2017 43 GB ∞ 43 GB No overusage
July 2017 42 GB ∞ 42 GB No overusage
June 2017 46 GB ∞ 46 GB No overusage
May 2017 42 GB ∞ 42 GB No overusage
April 2017 59 GB ∞ 59 GB No overusage
March 2017 46 GB ∞ 46 GB No overusage
February 2017 45 GB ∞ 45 GB No overusage
January 2017 46 GB ∞ 46 GB No overusage
December 2016 43 GB ∞ 43 GB No overusage
November 2016 38 GB ∞ 38 GB No overusage
October 2016 41 GB ∞ 41 GB No overusage
September 2016 32 GB ∞ 32 GB No overusage
August 2016 34 GB ∞ 34 GB No overusage
July 2016 33 GB ∞ 33 GB No overusage
June 2016 41 GB ∞ 41 GB No overusage
May 2016 46 GB ∞ 46 GB No overusage
April 2016 51 GB ∞ 51 GB No overusage
March 2016 53 GB ∞ 53 GB No overusage
February 2016 39 GB ∞ 39 GB No overusage
January 2016 42 GB ∞ 42 GB No overusage
December 2015 36 GB ∞ 36 GB No overusage
November 2015 35 GB ∞ 35 GB No overusage
October 2015 32 GB ∞ 32 GB No overusage
September 2015 38 GB ∞ 38 GB No overusage
August 2015 36 GB ∞ 36 GB No overusage
July 2015 35 GB ∞ 35 GB No overusage
June 2015 34 GB ∞ 34 GB No overusage
May 2015 35 GB ∞ 35 GB No overusage
April 2015 55 GB ∞ 55 GB No overusage
March 2015 44 GB ∞ 44 GB No overusage
February 2015 28 GB ∞ 28 GB No overusage
January 2015 36 GB ∞ 36 GB No overusage
December 2014 38 GB ∞ 38 GB No overusage
November 2014 41 GB ∞ 41 GB No overusage
October 2014 64 GB ∞ 64 GB No overusage
September 2014 44 GB ∞ 44 GB No overusage
August 2014 43 GB ∞ 43 GB No overusage
July 2014 42 GB ∞ 42 GB No overusage
June 2014 27 GB ∞ 27 GB No overusage
May 2014 31 GB ∞ 31 GB No overusage
April 2014 40 GB ∞ 40 GB No overusage
March 2014 38 GB ∞ 38 GB No overusage
February 2014 37 GB ∞ 37 GB No overusage
January 2014 24 GB ∞ 24 GB No overusage
The traffic increased by an order of magnitude, to the point where it was causing problems.
Does it "need" Cloudflare? Probably not – you can just expand your hardware, or maybe fiddle with some other stuff. But Cloudflare is simple, cheap, and easy.
I have no great love for Cloudflare, but posts like this are not in sync with the state of the modern internet.
Clearly there is plenty of DDOS capacity out there so your argument is invalid. One ten millionth of the current traffic would be enough to bring a small blog or service down.
Also if you aren’t practiced at diagnosing a DDOS or if your monitoring is not tuned for it, diagnosing it can be supremely difficult. Answering as someone who has successfully diagnosed ddos at 11pm on a Sunday night without access to the logs or monitors (mostly because the necessary monitoring did not exist)
And I could only do that because I had a decade of experience and I had the clarity of emotional distance (not my site, not my server, not my fault).
As someone who maintains/hosts a lot of small business sites, allow me to inform this thread that the author of this post is as wrong as any person can be wrong.
If you're not behind Cloudflare, the level of effort required to impact your operations goes down, not up. Yes, of course, you're not impacted by massive outages like this, but you will be affected by other outages, and you will have a harder time recovering.
Counterpoint: my personal project sites aren't that important, but are self-hosted. My blog being inaccessible for half a day is preferable to having to figure out my own protections, and why not just use their free CDN while I'm at it.
Do I need to? Definitely not. Am I going to stop using Cloudflare? Also no.
When it comes to bigger sites, I think having someone to blame for an outage (especially when these big ones are effectively "the whole Internet broke") is still probably preferable to managing it all yourself.
I have several tiny blogs behind Cloudflare. I'm not going to change a thing because of an exceptional event happening, and I think knee-jerk pontificating or being reactionary is extremely unproductive.
And DDOS is hardly my concern, and was never the reason I went to CF in the first place, so the whole foundation of this seems to be a strawman.
Unless these sites are your personal pages, oftentimes these decisions to use cloudflare or not are made by the business and money and risk people, not by the operations and other technically-minded employees. They see every other site using cloudflare and ask why they aren't as well.
"No one was fired for buying IBM (or cloudflare)."
Fat chance arguing against the people holding the purse strings.
> As they say in security, "no one will burn a zero day on you!". For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"
The last I saw you can hire DDoS as a service for like $5 for a short DDoS, and many hosts will terminate clients who get DDoSed.
A couple of weeks ago my apprentice put a demo of ours behind cloudflare, I had him remove it. His explanation was interestingly "it hides our IP, if we remove it, they'll know our IP", yup, that's fine buddy, consider our IP to be a public piece of data.
I put my personal website behind Cloudflare, and I recommend that you do too.
Why?
Pretty simple, really. My personal website, along with some other services, can run successfully from a $10/mo VPS on Digital Ocean because I can be assured that anything I post will have its traffic primarily absorbed by Cloudflare.
This lets me do things I want to do without having to consider the consequences or eating the direct cost myself, like having a gallery of my travel photography where I post nearly full-sized images that can be arbitrarily crawled. I have no concerns about my images being "stolen", because for the most part there'd be no reason to do so, but I'd have to stop doing that if I didn't have Cloudflare in front of my site because of AI crawlers and other things that will abuse the shit out of my little VPS.
Do I think I'm on the target list for a DDoS? Not at all. Do I think badly behaved crawlers and the general tom-fuckery of the Internet will destroy my little VPS and/or cause me outage bills? Absolutely. Cloudflare prevents all that, and as a bonus lets me geo-block bad actors to minimize the likelihood of even that happening.
See, my entire website is static, and for most people, so should yours be. The greatest thing about a static website is that the entire surface area is cacheable via a CDN. I /built/ my site with the idea of putting it behind Cloudflare in mind, specifically so I could do whatever I wanted (as long as it didn't need to query a database) and be entirely out of the woods.
It's worked great for over a decade, and I expect it to continue working great for a decade more. The fact it is currently down is not a big deal because I get maybe one organic visitor every week that's not my mom.