this post was submitted on 02 Jun 2024
130 points (96.4% liked)

No Stupid Questions

35808 readers
1691 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

I am a plebe who doesn't understand these things but what exactly does cloudflare do? I see it popping up more and more often redirecting before visiting a site. I assume that this has something to do with bot traffic? It seems like every mention of cloudflare is about how it ruined someone's day.

you are viewing a single comment's thread
view the rest of the comments
[–] rufus@discuss.tchncs.de 27 points 5 months ago* (last edited 5 months ago) (2 children)

Mostly breaking it. They're centralizing stuff and nowadays lots of services depend on that single service provider. And the original idea of the internet was to make everyone equal and have some resilience against single points of failure. That's kind of detrimental to the whole idea.

Secondly, you unencrypt your traffic and send it to them plain so they can read everything. That may or may not be an issue for your use-case, but I like privacy and encryption and no third parties reading my messages.

And the question is: What do you need their service for? I understand that a tunnel is useful if you're behind a NAT. But the DDoS protection and attack prevention is mostly snake-oil for most people. It's often unnecessary, the free tier doesn't include any of the interesting stuff and it's questionable if most people get targeted by DDoS attacks anyways. And as I heard if it comes to that point, they will cease service to you anyways and want to see money ($240 to $2.400 per year.) So I don't see a good reason why you'd use Cloudflare in the first place. Unless you need a tunnel or subscribe to one of the more expensive plans. Otherwise it only has downsides.

[–] You999@sh.itjust.works 11 points 5 months ago (1 children)

But the DDoS protection and attack prevention is mostly snake-oil for most people.

I wouldn't say it's snake oil for most people because of how cheap it costs to execute a DDoS attack, all it takes is for you to piss off one person for it to be worth it. Although you do not have to use cloudflare there are plenty of other protection services out there.

And a side note, I can't believe how hard it is to find statistics on how many DDoS attacks have happened that's not from someone with a vested interest in the matter. I'd figure the FBI/IC3 or CISA would have better statistics on the matter.

[–] rufus@discuss.tchncs.de 1 points 5 months ago* (last edited 5 months ago)

Hmmh, I'd like to - at some point - speak to an admin who has been targeted by a DDoS attack. I know it happened to one Lemmy instance. What I've seen as an admin were some attempts that weren't that bad for us, and that was years ago. It didn't even really stop the service, just cause lots of load on the webserver and made the website open a bit slower than usual. And it was over after a few hours and never happened again. My other servers and websites have never been targeted.

And I wonder if for example the Lemmy instances who use Cloudflare, pay them $240 a year. Because as I read, Cloudflare free ceases service if there is an ongoing DDoS attack.

I think it's mostly Live-Streamers and somewhat high-profile and controversial webservers who get targeted. Like the biggest Lemmy instances. Or if you're successful at messing with the Russian internet trolls. Or play a game in a live stream and your fans like to seriously mess with you, like pay for a virtual attack or swat you. Other than that, I believe 99.9% of people who run internet services will never experience such an attack. And it wouldn't really harm them if their service went down for some time.

[–] WormFood@lemmy.world 9 points 5 months ago (1 children)

I run a small personal blog/portfolio website that doesn't get more than a hundred or so human visits per day, but it gets hammered with bot traffic, not just malicious bots but tons of different search indexers and scrapers, many of which don't respect robots.txt

after setting up cloudflare I noticed a very significant drop in malicious traffic and in bandwidth use, which also corresponded to less bandwidth and CPU usage for my VPS.

I know cloudflare has recently had a few bad customer service stories but for small and medium sized websites their service is invaluable

my own personal criticism of cloudflare is that, as a VPS user, I get hit by cloudflare challenges more. but now that they've moved to hcaptcha it's not too bad

[–] rufus@discuss.tchncs.de 1 points 5 months ago* (last edited 5 months ago)

I think the correct way to handle this is to include a bad-bot blocker in your webserver. There are plenty scripts and addons available for the common software stacks. Is fairly easy to set up and comes with far less side-effects.

There are also local and privacy-respecting Web Application Firewalls like ModSecurity, Janusec, Vulture Project (I haven't yet tested them) which could maybe do the same thing.

We're all subject to these crawlers, bots and vulnerability scanners. I also run 3 small websites including mail and a few other services. I rarely block some bot that downloads images over and over again. And fail2ban blocks a lot of brute-forcing attempts. Other than that, the traffic they cause isn't that much compared to a single other service like Matrix chat or some Fediverse software that causes lots of HTTP requests all day long. It runs without Cloudflare or other third-party services for years on my slow home internet connection. Back then even on a single board computer (like the Raspberry Pi.)

So my experience is a bit different. And that I can run 3 websites on a RasPi on a 15MBit connection just fine and other people need Cloudflare for a 1000MBit VPS makes me think it's snake-oil. But yeah, I agree if you block the bots, they stop after some time. That's also my experience. But the traffic isn't that much in the first place and there are better ways to do it in my opinion.