And yes I know that there are Cloudflare employees here so spare me with your pinky swears.
https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with...
I suppose they could rewrite the destination to be your real address, and then send them to you without extra layers; you wouldn't get to know what the original destination address was; maybe if you only have one, it doesn't matter.
While it may not impact your site, it does impact your hosting provider. As their costs go up, your costs go up. Anything on the Internet at this point needs DDoS / scraping protection. It may not drop your service, but your ISP or upstreams may blackhole your route.
The "old web" (current web) was largely based on an open exchange of information.
The "new web", post AI bot scraping, is taking its place. Websites are getting paywalls. Advertising revenue is plummeting. Hosting providers are getting decimated by the massive shift in bandwidth demand and impact to systems scraped by the bots.
https://www.eff.org/deeplinks/2025/06/keeping-web-under-weig...
They are creating a network and application load that, in effect, is a DDoS. Tens or hundreds of thousands of hosts hitting the same domain at once.
We have about 400 domains at $dayjob and a decent sized network.
All these domains, even silly ones with a handful of tabs and no dynamic content, are getting absolutely brutalized with traffic non-stop.
Geoblocking did not help.
So much of the "AI scraping" is coming from compromised customer internet connections. Compromised CPE equipment, desktops, phones, etc.
It is a fucking nightmare.
Seems to be very circumstantial at best: we're getting AI scrapers, and at the same time DDoS scrapers, so the DDoS scrapers must also be AI.
Capitalism is a symmetric game (played asymmetrically). If your hosting provider thought something they did would increase your costs, do you think they'd refrain from doing it?
Let's talk economics.
How many monetized webpages are out there, vs free websites?
How many blogs, forums, linktrees, etc?
With what you're suggesting, all of that goes away.
You may want that internet.
I sure as fuck do not.
Everyone hates when I set my app's fonts to courier size 8.
If you aren't doing any business, or not much business, through your site, this can be fine. Your hosting provider may either choose to let your server be overwhelmed with as many packets as its pipe can fit, or it may need to protect its network by discarding traffic to your IP address upstream of itself. It's probably a good idea to reach out to your hosting provider and let them know you're getting DDoSed. Even if they can't do anything about it (though there's a chance they can) they'll hopefully appreciate the heads up.
True story: I ran a Pixelflut client for 38C3 from a Netcup server in Nuremberg (this somehow had better performance than running it on my tablet at the physical location) and they somehow thought 38C3 was DDoSing me and "helpfully" blackholed traffic between 38C3 and my server.
---
It's important to stop thinking of DDoS as some magic hammer of Thor that you can't do anything about. DDoS packets, like all other packets, have source and destination addresses and flow through routers and links.
When Cloudflare receives a 7-terabit DDoS, they aren't receiving 7 terabits through one link. Cloudflare operates a huge number of locations that pretend to be one coherent network. So they're receiving 100 gigabits in London, 100 gigabits in Frankfurt, 200 gigabits in NYC, etc. Their network architecture pretends like it's delivering all these packets to their destination addresses, but really, each location has its own completely different set of servers that all have the same addresses. (This is called anycast.) Each individual packet sender is only sending packets to the nearest Cloudflare node, where they're getting discarded. Likely, no individual node is overloaded by this, but when you aggregate the statistics from all of them, it adds up to a large amount of traffic. This is by the nature of a DDoS - it's devices all over the world attacking you, which means they're all coming by different routes.
It's similar with hosting providers too, at least the big ones. Suppose you're on Hetzner: https://www.hetzner.com/unternehmen/rechenzentrum/ . They're not getting a terabit against your server through one link - they're getting 100Gbps through DE-CIX Frankfurt, 10Gbps through AMS-IX, 50Gbps through Telia in Nuremberg, 50Gbps through Telia in Helsinki, 50Gbps through Core-Backbone, etc.
If they deploy a routing rule to the router on their end of each of those links, which says to discard packets where the destination address is yours, they can protect their network. Your site will still be down, of course.
If one of their pipes does get overloaded (say their full 10Gbps from Baltnet in Frankfurt), they can reach out to that network (pretty much every serious network on the internet has a network operations center, reachable 24/7 by phone) and Baltnet will track it down further and block the traffic even closer to its source (or at a wider part of their network).
If you're lucky and the DDoS traffic is just coming from a few "directions", users whose packets happen to come via a different direction may still be able to access your site.
Suppose you're on Uncle Tom's Tiny Hosting Company Ltd (not real), they're certainly not the scale of Hetzner, and they only have a 10Gbps pipe between them and their ISP which is easily filled by a single attack. They'll have to contact their ISP to block traffic to your server so that the rest can get through, and their ISP will do the above stuff.
None of this information will keep your site up during a DDoS, I just want to show you there's a depth to this DDoS thing and this Internet thing and it's not just magic.
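The per-link picture the comment above describes (a headline total that no single link ever sees, and a discard rule deployed only on the links that are actually saturated) can be shown with a small simulation. This is an added example, not code from the thread or from any provider; link names, capacities and the flow figures are constructed sample values, and the 90% headroom threshold is an assumption.

```python
"""Added illustration: aggregating DDoS flow statistics per ingress link and
deciding where a destination-based discard (blackhole) rule protects a link.

All link names, capacities and flow rates below are constructed sample data,
not real Hetzner or Cloudflare figures."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ingress_link: str   # which peering/transit link the packets arrived on
    dst: str            # destination address inside our network
    gbps: float         # observed rate for this (link, dst) pair


# Assumed link capacities in Gbps (constructed, not real).
LINK_CAPACITY = {
    "decix-fra": 100.0,
    "amsix": 10.0,
    "telia-nbg": 50.0,
    "telia-hel": 50.0,
}


def aggregate(flows):
    """Return ({link: {dst: gbps}}, {dst: gbps}).

    The second map is the network-wide total per destination: the number
    that makes headlines. No single link carries it."""
    per_link = defaultdict(lambda: defaultdict(float))
    per_dst = defaultdict(float)
    for f in flows:
        per_link[f.ingress_link][f.dst] += f.gbps
        per_dst[f.dst] += f.gbps
    return per_link, per_dst


def blackhole_plan(flows, capacity=LINK_CAPACITY, headroom=0.9):
    """For each link loaded beyond headroom * capacity, discard the single
    destination contributing the most traffic on that link only.

    Links that are not saturated get no rule, so clients whose packets
    arrive via those links can still reach the destination."""
    per_link, _ = aggregate(flows)
    rules = []
    for link, dsts in per_link.items():
        load = sum(dsts.values())
        if load > headroom * capacity[link]:
            victim = max(dsts, key=dsts.get)
            rules.append((link, victim))
    return sorted(rules)


def reachable_links(flows, dst, rules):
    """Links via which `dst` is still reachable once `rules` are applied."""
    per_link, _ = aggregate(flows)
    return sorted(link for link, dsts in per_link.items()
                  if dst in dsts and (link, dst) not in rules)


# Constructed sample: an attack on 203.0.113.10 arriving via several links,
# alongside ordinary traffic to 203.0.113.20 (both documentation addresses).
SAMPLE_FLOWS = [
    Flow("decix-fra", "203.0.113.10", 60.0),
    Flow("decix-fra", "203.0.113.20", 1.0),
    Flow("amsix", "203.0.113.10", 9.5),
    Flow("amsix", "203.0.113.20", 0.2),
    Flow("telia-nbg", "203.0.113.10", 48.0),
    Flow("telia-hel", "203.0.113.10", 5.0),
    Flow("telia-hel", "203.0.113.20", 0.5),
]

if __name__ == "__main__":
    _, per_dst = aggregate(SAMPLE_FLOWS)
    print("network-wide per destination (Gbps):", dict(per_dst))
    plan = blackhole_plan(SAMPLE_FLOWS)
    for link, victim in plan:
        print(f"discard dst {victim} on ingress {link}")
    print("203.0.113.10 still reachable via:",
          reachable_links(SAMPLE_FLOWS, "203.0.113.10", plan))
```

With the sample data the victim address totals 122.5 Gbps network-wide, yet only the 10 Gbps AMS-IX link and the 50 Gbps Nuremberg link are near capacity; those two get a discard rule for the victim, while the Frankfurt and Helsinki links keep delivering to it. That is the "few directions" case from the comment: some users still get through, and the site is down only for those routed via the discarding links.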
Now I hate Cloudflare with a passion, but even setting that aside, this is journalistic malpractice - it's basically a sponsored post. I was going to say I expected better from Ars Technica, but their glory days are long gone.
However in this case I think we can rely on them to tell us what they did. If they say they got a 7.3 Tbps UDP DDoS, chances are good they actually did.
What I say is that instead of hating on Cloudflare one can look up how a DNS server works and start getting into DDoS mitigation; but even after a couple of months anybody would still just have scratched the surface of it.
I don't think it's Cloudflare's "goal" to centralize the internet, nor is it to set up captchas everywhere; but it's definitely frustrating.
They literally are a DDoS mitigation service.
Source: me.
smokel•7mo ago
How is that more complicated than a for-loop?
lolinder•7mo ago
A well-engineered attack would not draw headlines for its scale because it would take down its target without breaking any records.
motorest•7mo ago
You don't hear much about DDoS that are either comparable in size or bring down targets. How do you explain why this one made the news in spite of not having met your arbitrary and personal bar?
lolinder•7mo ago
> in spite of not having met your arbitrary and personal bar?
I'm not sure what you mean by this. I didn't establish any sort of bar for what sorts of DDoS should get headlines, I'm just agreeing with OP that that line in the article doesn't make any sense. There may be other reasons to believe this attack was well-engineered but the article doesn't get into them.
therealpygon•7mo ago