> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.
Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.
Still a bit weird to pretend we now have cyber weather that takes our webpages down.
The reaction to AWS US-East-1 going down demonstrates this. As so many others were in the same boat, companies got a pass on their infrastructure failing. Everyone was understanding.
But now, when one of these services breaks, everything on the internet goes down. And it is a lot easier to explain to your director of engineering that the whole internet is down than to say that your custom home-rolled storage system fell over, or whatever esoteric infrastructure failure you may run into doing it yourself.
Depends on the frame of reference of “single point-of-failure”.
In the context of technical SPOFs, sure. It’s a distributed system across multiple geographies and failure domains to mitigate disaster in the event any one of those failure domains, well, fails.
It doesn’t fix that technology is operated by humans who form part of the sociotechnical system and build their own feedback loops (whose failures may not be, in fact are likely not going to be, independent events).
SPOFs also need to contemplate the resilience and independence of the operators of the system from the managing organisation. There is one company that bears accountability for operating CF infra. The pressures, headwinds, policies and culture of that organisation can still influence a failure in their supposedly fully distributed and immune system.
For most people hosting behind Cloudflare probably makes sense. But you need to understand what you’re giving up in doing so, or what you’re sacrificing in that process. For others, this will lead to a decision _not_ to use them and that’s also okay.
We once had a cloudflare outage. My CEO asked "mitigate it". I hit him back with: okay, but that'll take me weeks/months potentially, since we're tiny. Do you really want to take away that many resources just to mitigate a once-every-few-years, half-the-internet-is-down issue?
He got it really quickly.
I did mitigate certain issues that were just too common not to, but when it comes to this sort of thing, you gotta ask "is it worth it"
Edit: If you're so small that cloudflare isn't needed, then you don't care if you go down if half the internet does. If you're so big that you need cloudflare, you don't wanna build that sort of feature set. The perfect problem.
If you're using other features like page rules you may need to stand up additional infrastructure to handle things like URI rewrites.
If you're using CDN, your backend might not be powerful enough to serve static assets without Cloudflare.
If you're using all of the above, your work to temporarily disable them becomes fairly complicated.
Suddenly you're not blocking bots or malicious traffic. How many spam submissions or fake sales or other kinds of abuse are you dealing with? Is the rest of your organization ready to handle that?
DDoS protection is one nice side effect of privacy, but I'd imagine there are others too.
I have never heard this before. Anonymity from what? From people knowing your Hetzner ip? I don't know what you're keeping private.
And besides, Cloudflare Tunnel is distinct from (though it integrates with) the cdn product.
It certainly isn't.
In fact, IPv4 is the de-facto authorization and authentication system of the Internet. It's stupid but it is what it is.
Cloudflare is the "bitcoin mixer" for laundering IPv4s.
Yes. You don't really want people to know your IP address. It's like giving your phone number to spammers.
Are these common?
I guess by using cloudflare you are pooling your connection with other services that are afraid of being ddosed and actively targeted, whether by politics or by sheer volume. Unless you have volume or political motivations, it might be better not to pool (or to pool for other purposes).
The last I saw you can hire DDoS as a service for like $5 for a short DDoS, and many hosts will terminate clients who get DDoSed.
It's incredible we took a decentralized model and centralized it with things like cloudflare and social media. I think we need pushback on this somehow, but it's hard right now to see how it's possible. I think the recent talk about federation has been helpful and with the world falling into right-wing dictatorships, this privacy and decentralization is more important than ever.
As for people… A programming club I attended is filled with people who run homelabs, use Linux and generally dislike anything corporate. The project to switch communication off discord is now more than a year old. I do feel sometimes that resistance against corporate internet is futile.
I am hosted on Cloudflare but my stack is also capable of running on a single server if needed; most libraries are not designed with this in mind.
I’m also wondering if all these recent outages are connected to cyber attacks, the timing is strange.
Self hosting will also bring its own set of problems and costs.
Something like TTL 86400 gets you over a lot of outages just because all the caches will still have your entries.
You can also separate your DNS provider from your registrar, so that you can switch DNS providers if your registrar is still online.
> Fair point but you also get exposed if the dns provider has an outage
The usual workaround here is to put two IP addresses in your A record, one that points to your main server on hosting provider A, and the other to your mirror server on hosting provider B.
If your DNS provider goes down, cached DNS should still contain both IPs. And if one of your hosting providers goes down as well, clients should timeout and then fallback to the other IP (I believe all major browsers implement this).
Of course this is extra hassle/cost to maintain, and if you aren't quite careful in selecting hosting providers A and B, there's a good chance they have coordinated failures anyway (i.e. both have a dependency on some 3rd party like AWS/Cloudflare).
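The client-side fallback described above (two A records, the client times out on one address and moves to the next), as an added example that is not part of the original post. The two addresses are constructed documentation-range values, and the `connect` hook is an assumption so the demo runs offline; a real client would pass `socket.create_connection`.

```python
import socket
from typing import Callable, Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts):
# "main server on hosting provider A" and "mirror on hosting provider B".
PRIMARY = "192.0.2.10"
MIRROR = "198.51.100.10"

Address = Tuple[str, int]


class FallbackResult(NamedTuple):
    address: str                       # address that finally accepted the connection
    connection: object                 # whatever the connect hook returned
    failures: List[Tuple[str, str]]    # (address, reason) for each address skipped


def _real_connect(addr: Address, timeout: float) -> socket.socket:
    """Default hook: a plain TCP connect with a per-address timeout."""
    return socket.create_connection(addr, timeout=timeout)


def connect_with_fallback(
    addresses: Iterable[str],
    port: int,
    timeout: float = 3.0,
    connect: Optional[Callable[[Address, float], object]] = None,
) -> FallbackResult:
    """Try each resolved address in turn, the way browsers do when a DNS
    answer carries several A records. A timeout or refused connection on one
    address is recorded and the next address is tried; only when every
    address fails is an OSError raised carrying all the reasons."""
    connect = connect or _real_connect
    failures: List[Tuple[str, str]] = []
    for host in addresses:
        try:
            conn = connect((host, port), timeout)
            return FallbackResult(host, conn, failures)
        except OSError as exc:  # socket.timeout is a subclass of OSError
            failures.append((host, str(exc)))
    raise OSError("all addresses failed: " + "; ".join(f"{h}: {r}" for h, r in failures))


if __name__ == "__main__":
    # Offline demo: constructed outage on provider A, mirror on provider B is up.
    def demo_connect(addr: Address, timeout: float) -> str:
        if addr[0] == PRIMARY:
            raise socket.timeout("constructed outage")
        return f"connected to {addr[0]}:{addr[1]}"

    result = connect_with_fallback([PRIMARY, MIRROR], 443, timeout=0.1, connect=demo_connect)
    print(result.address, result.failures)
```

The per-address timeout is what bounds the user-visible delay during a provider outage, so keep it short; the cached DNS answer has to contain both addresses for this to help at all.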
I would have shared Bleeping Computer's blog post about the same attack but it's behind Cloudflare haha
But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.
Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...
Seriously: having someone in charge of your first-line traffic that is aware of today's security landscape is worth it. Even if they require an upgrade to the "enterprise plan" before actually helping you out.
I see many people saying this but be honest, do you know this for sure or are you just guessing? I've experienced DDoS so I know I'm not just guessing when I say that if your website gets DDoSed your hosting service would just take your website down for good. Then good luck running circles around their support staff to bring your website back up again. Maybe it won't kill your business but it'll surely create a lot of bad PR when your customers find out how you let a simple DDoS attack spiral out of control so bad that your host is refusing to run your website anymore.
you don't have control over them in the first place
Citation direly needed.
In particular I wonder: Who is that total mass of sites where you consider most being better off using cloudflare? I would be curious on what facts you base your assumption. How was the catalog of "all" procured? How are you so confident that "most" of this catalogue are better off using cf? Do you know lots of internals about how strangers (to you) run their sites? If so, mind sharing them?
Most. A lot of simple sites are hosted at providers that will be taken down themselves by run-of-the-mill DDOS attacks.
So, what will such providers do when confronted with that scenario? Nuke your simple site (and most likely the associated DNS hosting and email) from orbit.
Recovering from that will take several days, if not weeks, if not forever.
Dud(ett)e, it's a message board comment, not a scientific study.
But do you really doubt that most ISPs will gladly disable your 1Gb/s home-slash-SMB connection for the rest of the month in the face of an incoming 1Tb/s DDOS? Sure, they'll refund your €29,95, but... that's about it, and you should probably be happy they don't disconnect you permanently?
There's no but... - just claims you made that I dared to question just for fundamentals, which obviously you want to dodge. I won't go as far as questioning your intellectual honesty here, but I really have a hard time seeing it. So now for reals, good day
In fact, I expect my host to kick weird porn websites from their servers so that I don't have any bad neighbours, we're running legitimate businesses here sir.
Maybe they'd push me into upgrading my server, as a sort of way of charging me for the increased resources, which is fine. If I'm coasting on a $7 VPS and my host tanks a DDoS like a hero, sure, let's set up a $50-100 dedicated server man.
In business loyalty pays and it goes both ways.
I have more than 1 hosting provider though, so I can reroute if needed, and even choose not to reroute to avoid infecting other services, isolating the ddosed asset.
If this is their core argument for not using CDN, then this post sounds like terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives DDoS, your hosts will take down your server. Nobody wants to be in this situation even if for a personal, small blog.
I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?
Have you experienced a targeted DDoS attack on your personal site? I have. I too had this attitude like yours when I didn't know how nasty targeted DDoS attacks can get.
If you're not too worried about someone DDoSing your personal site, then your host taking your website down and then you having to run circles around their support staff to bring back the website up again, then I guess, you don't have a problem. It's nice that you don't care. (Honestly speaking. Not being sarcastic at all.)
Personally, I wouldn't mind DDoS on my personal site if the problem was just the DDoS. Unfortunately, mostly it isn't. A DDoS has other repercussions which I don't want to deal with exactly because it's a personal site. I just don't want to spend time with customer support staff to find out if and when I can bring my website back up again. DDoS on my personal website by itself isn't all that bad for me. But having to deal with the fallout is a pain in the neck.
These are very different situations. With a DDoS the disruption ends when the attack ends, and your site should become available without any intervention. Your host taking down your site is a whole different matter, you have to take action to have this fixed, waiting around won't cut it.
It is obvious those two are very different situations. I'm not sure I understand your point. Yeah, nobody will be bothered by a short 15 minute DDoS attack. I prolly wouldn't even notice it unless I'm actively checking the logs. Sure, nobody is going to be bothered by that. But what if someone's DDoSing persistently with a purpose? Maybe they're just pissed at you.
My point is... a sustained DDoS attack will just make your host drop you. So one situation directly leads to another and you are forced to deal with both situations, like it or not.
Your host taking down the site and forgetting to bring it back up after a DDoS attack isn't a common thing with any host, unless it's the kind that does this routinely even without a DDoS. And then you should look long and hard at your choice of hosting.
Either you suffer from a DDoS attack and come back when it's over, or you have a host that occasionally brings your site down and fails to bring it up until you chase them. But one does not follow the other without a lot of twisting.
I'd love to see someone suing the host for damages. The contract binds them as much as it binds you.
Sounds like a good way to have your next gaming rig financed.
How does taking the site down stop the DDOS attack?
Isn't the host network still being bombarded by garbage packets, even if there isn't anything there listening?
Or is routing the destination IP to /dev/null enough to blunt the attack?
I know there are different kinds of attacks (e.g. some that are content based, impacting the individual server), but I thought most of them were just "legit" requests storming through the door that the server can't keep up with.
Having the site taken down after the fact, as a "risk to infrastructure" that the host can't afford, that's a different issue.
Internet packets have to travel through many routers between the attack's source and the server they're attacking; at each step the routers usually get smaller. The smaller routers are less able to withstand the amount of traffic destined for one server, which means they can't route traffic to all the other servers that are not under attack. A common strategy is to drop the traffic at a much farther away server, thus protecting the smaller routers, thus protecting all the other servers.
The host Network would definitely still be affected by the DDOS, which is why the strategy is often to "blackhole" the traffic farther away from the individual server racks.
I see people say route traffic to /dev/null all the time, but I personally try to reserve that for the individual servers or the nearest router, just to avoid your exact confusion.
Depending on how well designed any specific network is, the "hug of death" which has taken down many sites would also degrade the performance of the peers next to that server. Which is why many ISPs are quick to block the traffic farther away. To protect not you but their other customers.
To be fair (pedantic), if it's part of a DDOS, it's not a legit request. Depending on the capabilities of the attackers, they will either choose obviously invalid requests because those take longer to process or exclusively valid requests which take longer to process. It is generally speaking much easier to send valid well-formed requests because that's what most libraries exist to do. You're often writing custom code if you want to send an invalid request because that is a bug in other cases.
A good example of an invalid request is setting up TLS, transmitting a partial packet, and then closing the connection (or leaving the TCP open). This one can be particularly expensive and much harder to detect.
> How does taking the site down stop the DDOS attack?
When people say take the site down, in this context, they often mean one of two things: either changing the DNS configuration to point to a different IP address (or none at all), or "null routing" traffic to the under-attack IP at an edge router, edge in this case meaning their upstream ISP or other network peer (farther from the victim server). I object to both uses because the specificity is important. When I say take down the server, I almost always mean quit [nginx] or power off the box.
I was thinking more things being done to the actual machine the site was hosted on.
Assume a "personal" blog or site is not making money for the owner, and they have backups of the site to restore if the VM gets wiped or defaced. Why spend money on DDoS protection if it is unlikely to ever occur, much less affect someone monetarily?
That's a very big stretch. Worst case you need to stretch to wifi tethering from your phone, which isn't much more than mildly annoying.
This is not considering other issues with Cloudflare, like them MITMing the entire internet and effectively being an unregulated internet gatekeeper.
You already experienced the downtime, so if not having downtime was a goal you already failed. If avoiding downtime is not important then there's no reason to add anti-downtime capability to your system. The most charitable modeling of this approach is that the downtime incident may prompt one to realize that avoiding downtime actually is an important property for their system to possess.
You don't care about going down once, you do care about frequent outages. And you know this from the start, you don't realize it later.
The person you were describing in your "most charitable" version above was not being reasonable. They didn't just underestimate the petty anger of the internet, they were being fundamentally foolish about their own desires. That's why I replied, to show you a different way someone could end up in this position.
So again, if staying dry in the rain is important to you, buy an umbrella before the rain; if you don't care about getting wet from time to time, then no need for the umbrella.
While the personal blog owner may not care about DDoS related downtime, he may face extra usage charges due to higher bandwidth, CPU usage, etc that he'd like to avoid.
https://lasvegassun.com/news/2016/jan/19/fast-moving-storm-b...
And the rain still causes problems, even (or maybe especially in) a desert:
https://nypost.com/2022/07/29/las-vegas-braces-for-more-rain...
Similarly Cloudflare has a giant button marked “I’m Under Attack!” in its signup flow, if I remember correctly…
It also isn't a good analogy because insurance doesn't apply retroactively to wrecks that happened before start of term, and is event-based rather than providing continuous value.
Why? With cloudflare it's very easy, just put your site behind a reverse proxy, change the dns and disable direct access. Am I missing something?
Insurance for physical things is different from services; they don't map as an analogy. A better one would be: because you buy a new car every hour, it's like buying insurance for every car after someone steals your 700th car. That prevents your car from getting stolen.
And resulting downtime might be even bigger than that with cloudflare.
You think people hosting personal sites are going to even have the access to manage their IPs with BGP? It's not something I've seen offered at that scale / pricing.
When the bad guys want to DDoS the personal blog website they don’t go and figure out the correct amount they need to send to fill up that pipe/tube that directly connects the personal blog website, they just throw roughly one metric fton at it. This causes the pipes/tubes before the personal blog website to fill up too, and has the effect of disrupting all the other pipes/tubes downstream.
The result is your hosting provider is pissed because their infrastructure just got pummeled, or if you’re hosting that on your home/business ISP they also are pissed. In both cases they probably want to fire you now.
See: BGP Blackhole Community (usually 65535:666).
Instead it will protect me for free:
Sure maybe you'll get lucky and they waive it.
But sometimes going down is a feature if you're not a multi m/billion dollar business
Hoster is new to me too.
But I get it as a pattern. (If you dine at the party then you are a diner.)
In either case you just wait for the attacker to reach daddy's credit card limit and then your site is back up.
Or get a different provider. Some are faster to respond. I had a false positive DDoS detection from netcup once (I was scraping an FTP site in active mode) and they automatically routed my IP through a DDoS scrubbing service, and automatically stopped that when an attack was no longer detected. I don't know what they have set up to be able to reroute a single IP globally like that - they agreed with some of their upstreams, to allow the occasional /32 for DDoS protection purposes.
Especially when you are facing "infected machines by the millions".
Your server will keep existing if cloudflare just drops their free service, effectively going down for the DDoSers but still available for your own access directly.
In Russia (I have nothing against Russia - I just know this info about “Дождь ТВ”), some news websites have been targeted by state-backed DDoS attacks, but I highly doubt most people are in this category.
I temporarily got around it by blocking the subnet of their IPs.
I have since put it behind Cloudflare.
This is a good essay: https://inoticeiamconfused.substack.com/p/ive-never-had-a-re...
Lol I didn't even notice that my submission reached the front page. What is your evidence for that claim?
Your host, assuming you're hosting your site on a VPS. Many of them have a policy of terminating clients who get DDoSed.
I also blocked all the AI crawlers after moving to CloudFlare and have stopped a huge amount of traffic theft with it.
My website is definitely much more stable, and loads insanely faster, since moving to CloudFlare.
It's not because it's not a criticism that it's a sponsored post.
I happen to have multiple sites that use the same technology (WordPress, with the same few plugins and the same theme) running on the same server, with one behind CloudFlare and one not. Left value is with CloudFlare, right is without:
- First Contentful Paint: 0.4s - 0.7s
- Largest Contentful Paint: 0.8s - 0.9s
- Total Blocking Time: 0 ms - 0 ms
- Cumulative Layout Shift: 0 - 0
- Speed Index: 0.4s - 8.9s
The difference is quite staggering, and I'm located pretty close to my server (a Hetzner VPS); I can't imagine the difference for someone that lives across the world.
NARRATOR:
- "Has THIS ever happened to you?"
CUT TO:
Black-and-white. Some guy stares in frustration and confusion at a terminal. Output of 'cat /usr/bin/gcc | xxd' or whatever scroll by.
NARRATOR:
- "Introducing CloudFlare™!"
CUT TO:
Full color. Sunlight. The same guy now sprawled on grass at a park. Two dogs tackle him with adoration. His kids hand him ice cream.
NARRATOR:
- "Stop debugging. Start living."
Re-reading it you're right, but ultimately the last sentence aims at directly answering this question from the parent:
> If you added up all the outage time caused by DDOS and all the outage time caused by being behind auxiliary services that have their own outages... I wonder which would be larger?
What are the response times of requests between CF and accessing them directly?
Add all this together and you have an extremely not basic setup at all anymore.
It used to be apple.
less reliable (more hops -> less reliable)
dependence on the US regime
What is the benefit to having small blogs be decentralized?
Did you consider and discard the eventuality that all the other ISP have gone out of business because everyone just uses cloudflare?
Invasive species destroy ecosystems.
The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
I'd rather advocate for a solution that doesn't induce centralization. Because that still does. It's a weird suggestion to pay twice. I'm assuming in your hypothetical, cloudflare not only doesn't ever go down, but also absorbs only malicious traffic, and not any organic? Why should cloudflare do that and not my primary host? I'll assume I have XX to spend on hosting; you don't see how if I have to also allocate some of that to cloudflare, in addition to the real host, how that might limit what the real host can charge? If the real host can't charge enough to fund R&D on services like basic DDoS or other traffic shaping, wouldn't that mean I've then become dependent on cloudflare? And now hey cloudflare has other services, and I don't like the extra overhead of paying multiple services... I'll just move everything to cloudflare because they're bigger and do both... and now the small host is gone.
sigh
> The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
I'm comparing cloudflare to any species that enters an existing system that has developed a natural ecological balance that includes diversity. Which then proceeds to grow for the sake of growth, consuming resources at an unsustainable rate; destroying the diversity that previously existed.
Destroying that diversity is bad because that diversity is what gives the system as a whole resistance to catastrophic events.
Like huge parts of the Internet going down because someone wanted to ship their project before the holidays, in time for their perf review.
The argument being: we should view cloudflare's growth, and consumption and takeover of the resources of the Internet as a whole, similar to the way we view other invasive species. It destroys the good parts of an existing system in a way that is almost impossible to recover from. Resulting in a much more fragile system. One that's now vulnerable to single events that take down "everything". A healthy system would be able to absorb such an event without destabilizing the whole thing.
The invasive species is cloudflare, and it's consuming and replacing large existing sections of the Internet; which gains much of its strength and resilience from it being distributed amongst its peers.
You don't have to pay cloudflare anything at all for them to act as CDN and provide basic DDoS protections.
I object to centralization and consolidation of power, how is this not both?
I'll duplicate my follow up question, from a sister thread.
If I actually start using the DDoS protection or other services... will cloudflare cut me off unless I pay? Will that charge be exorbitant? Does that behavior feel like extortion? Have they done that before?
There seem to be two views. One forward-looking and one not. The forward-looking view appropriately recognizes the threat of centralization. Centralization crushes small businesses (and small blogs), leads to censorship (see youtube et al.), and destroys competition. No one on the planet can compete with cloudflare pound for pound and thus if they decide your site is bad based on $CURRENT_ZEITGEIST you're SOL. You may as well not exist. We already have plenty of evidence from 2016 to now of this occurring via a large conspiracy between big tech and government.
The non-forward-looking view naively closes their eyes and says "well we aren't there yet so what does it matter". This is how rights erode. It is a shame people with this view are allowed to vote and breed.
Nice, you root caused it too. I couldn't agree more.
First, let's stop perpetuating this destructive meme that running nginx on a VPS is rocket science, and fraught with peril; at least not on a forum of so-called hackers.
Follow up question, if I actually start using the DDoS protection or other services... will cloudflare cut me off unless I pay? Will that charge be exorbitant? Does that behavior feel like extortion? Have they done that before?
I have only used CF at the enterprise level so IDK if DDoS protection is free tier. Surprise billing like that is bad behavior, but it's not "you are the product" behavior.
> [...] but it's not "you are the product" behavior.
Discarding the context for the thread, probably. But if we're discarding context, "you're removed when you start to consume resources" isn't "you're the customer" behavior either.
Maybe it's "you're the patsy" behavior?
Here's your confusion: personal sites don't need a valid security strategy. They don't need nine nines uptime. They don't need CDN, and ability to deploy, etc, etc. That's all (and forgive the origins of the expression but it is the most accurate description) cargo culting. There's no issue if they're down for a couple days. Laugh it off.
Whereas if you put your site behind the defaults of a cloudflare denial-of-service wall then real human people won't be able to access your site for as long as you use cloudflare. That's much longer and many more actual humans blocked than any DDoS from some script kiddie. Cloudflare is the ultimate denial of service to everyone that doesn't use Chrome or some other corporate browser.
And forget about hosting feeds on your website if you're behind cloudflare. CF doesn't allow feed readers because they're not bleeding edge JS virtual machines.
As you say, the risk is not a temp outage for small users, the risk is your isp or host or whatever disowning you.
I haven't tried managing my own site in ages, but I get the impression that the modern Internet is pretty much just one big constant DDoS attack, punctuated by the occasional uptick in load when someone decides to do it on purpose instead of out of garden variety apathetic psychopathy.
But, yeah, it's gotten way worse to the point where you can't even run legitimate services because sometimes you will be blocked just for not being a known entity. e.g. try running your own email server and sending mail to any major email provider.
True, but they are free and effortless, unlike "appropriate controls and defenses"
It might overwhelm their routers etc too?
Low-level attacks, most or all providers have some protection against (to protect their network itself), but that may include blackholing your IP at the border routers.
Few offer higher level DDoS protection that isn't rewrapped Cloudflare or a competitor.
Been using them for decades and they've been incredible for this, at least for the US options (prem/internap)
Let's say you manage to install some cloudflare equivalent in your VPS so your hands are clean. That still exposes the provider systems up to that point, eating up resources?
Or they'll still knock you off and ban your IP at the first point of entry itself..
Cos where that leads us is that subscribing to a cloudflare-type service almost becomes inevitable.. You can't get around it with some free software running in your own box.
Yes. Moderation can only do so much.
Yes. Welcome to the internet! I don't just think someone would do this. I've seen these things happen. It just takes one person to be pissed off who has got nothing better to do and a few bucks to spare to buy DDoS as a service.
I would gladly be in this situation if it otherwise lets me remove a large source of complexity, avoid paying a few bucks, and avoid increasing the avoidable centralization of the Internet with my personal, small blog.
Maybe I'd change my mind if it continues happening, or if I didn't have unlimited traffic (which is a very bad idea for many reasons other than DDoSes for personal sites), but otherwise, enabling Cloudflare for a hypothetical without consequences seems like pretty extreme premature optimization.
I'm currently unfortunately also behind double NAT, and my home server has been unreachable ever since as a result. I've been torn between using Tailscale Funnel, Cloudflare Tunnel, possibly a VPN with public IPs, or rolling my own thing based on reverse SSH forwarding to a Linux server with a public IP.
I'm not going to YOLO an actual security issue and, say, use my zip code as the password on a publicly-facing ssh service or something. But DDoS protection? Meh.
thank you. thank you. thank you.
we are tired of hot takes on the internet due to opportunism.
Yeah even the small sites are being tested every day by bots. How the bots know your site just came online - I don't know. So yeah cloudflare is nice. We hate centralization on the internet - but to be naive that there are no bad actors on the internet is pure stupidity.
I started using a pseudonym about the time my consulting site got taken down by a DDoS attack because I voiced an opinion about a presidential candidate whose name rhymes with Meorge Mush Munior. People are awful.
People act as if outages are some solvable problem and each outage should never have happened and we need to act (cloud no cloud, firewall rules, and so on) each time.
Rather I think history has shown this stuff happens and if the impact is terrible ... fine.
People come with that argument so often. But then one day I was completely done with something and I put out a rant on Reddit under my real name. Hundreds of people disagreed and told me "Why do you do that under your own name?! Are you crazy? This will lead to many problems."
Guess what. This was months ago and nothing happened. Nada. Zero. Null. I have many servers running and nothing was taken down. Maybe one day it will be. If that happens then I'll find a fix. It will probably not be a nice day, but it is what it is. The world will keep spinning. I'm done giving in to the fear.
"I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me." -Frank Herbert, Dune
Just because it didn't happen to you does not mean that it doesn't happen to others. You can see a few anecdotes in this thread itself where people commented that they did get attacked for pissing people off. Like check this: https://news.ycombinator.com/item?id=45968219
It’s not “hopes and prayers” to actively decide a particular attack vector is unlikely enough that the costs and risks are not worth it.
My local cafes and bars do not employ bouncers, but the local concert venues and nightclubs do.
All these places want to keep out outside food and drink and avoid violence among patrons. The local cafes and bars decided it’s not worth having a bouncer for that. That’s a valid decision.
Did you mean reliability? At this point I don't care if my server gets DDoS, but may be more convinced by security practices.
I've received death threats. Do I engage in charged political commentary on my site? Not really. Just vaguely left-of-centre stuff in a way that I feel moves the discussion forward (and not even that often). The internet is fun: you're instantly connected to every unhinged asshole lunatic in the world.
Cloudflare does both but some providers do one or the other. You can use any CDN no matter if you use Cloudflare or not (shout-out to Bunny CDN btw, very happy with them - they do one thing and do it well)
"No one was fired for buying IBM (or cloudflare)."
Fat chance arguing against the people holding the purse strings.
I had an issue with the theme of your site probably not being important anyway. If your site probably isn’t important then it’s probably ok that it’s down too.
Unless there is a better option, just asking real businesses (no matter how small) to not use cloudflare is not an option.
Don’t trust your traffic to autopilot, get it back in your hands, take a look into your bots (1), perhaps there is no real need for CloudFlare at all.
So, every now and then I think about at least putting our assets on a cdn with the option of using it in the case of a ddos attack but then I see things like today and the recent Aws problems and I just get the feeling I should keep everything close.
Usually it's big actors like Facebook, Azure and OpenAI who bombard my servers without any respect or logic. I need to update my access rules constantly to keep them away (using Cloudflare). Sometimes it's clustered traffic, more classic DDoS, from China, Russia or America. That I could easily filter with the DDoS protection from my hosting (which is cheaper than Cloudflare anyway).
What should I do if not Cloudflare to block with "complex rules" that is strong enough to survive hundreds of concurrent requests by big companies?
Back in 2001/2002 my personal website was “slashdotted” several times…
… which I learned about after the fact by seeing myself on slashdot.
It was not noticeable as it occurred and my services were not impacted.
So perhaps you need a p3-500 with 64 megabytes of ram and Apache 1.x and an old copy of cgi-lib.pl ?
It seems to find the slowest endpoints (well, it does like my search and category pages, but sometimes it really hammers a single page for an hour), builds up until your site goes to its knees, and instead of slowing down it starts to hammer from other IP ranges until you have them all banned. This can go on for hours (or days even) if I don't create new rules to ban it.
It reminds me of a slowloris dos but at large scale and concurrency.
Sure if my website didn't have any dynamic content, or not millions of database lines it would be less of an issue :)
And DDOS is hardly my concern, and was never the reason I went to CF in the first place, so the whole foundation of this seems to be a strawman.
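The behaviour described above (a crawler concentrating on the slowest dynamic pages, then moving to fresh IP ranges once one is banned) is easy to miss in raw logs but simple to surface with a small aggregation. The following is an added example, not code from anyone in the thread: it parses a constructed nginx-style access log whose last field is `$request_time` in seconds, works out which endpoints are slow on average, and reports the /24 ranges sending an unusual number of requests to those endpoints. The thresholds (`slowSeconds`, `maxHits`) and the /24 granularity are assumptions for illustration.

```javascript
// Added example (not from the original thread): find IP ranges hammering the
// slowest endpoints in an nginx-style access log. Constructed input; the
// last field on each line is assumed to be $request_time in seconds.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "[^"]*" ([\d.]+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  // Drop the query string so /search?q=a and /search?q=b count as one endpoint.
  const path = m[3].split('?')[0];
  return { ip: m[1], method: m[2], path, status: Number(m[4]), seconds: Number(m[5]) };
}

// Collapse an IPv4 address to its /24, the granularity the comment bans at.
// IPv6 addresses are returned unchanged (assumption: v4-only log for the demo).
function slash24(ip) {
  const parts = ip.split('.');
  return parts.length === 4 ? `${parts[0]}.${parts[1]}.${parts[2]}.0/24` : ip;
}

// Endpoints whose mean request time exceeds slowSeconds.
function slowEndpoints(records, slowSeconds) {
  const totals = new Map();
  for (const r of records) {
    const t = totals.get(r.path) || { sum: 0, n: 0 };
    t.sum += r.seconds;
    t.n += 1;
    totals.set(r.path, t);
  }
  const slow = new Set();
  for (const [path, t] of totals) {
    if (t.sum / t.n > slowSeconds) slow.add(path);
  }
  return slow;
}

// Ranges that sent more than maxHits requests to slow endpoints, busiest first.
function hammeringRanges(lines, { slowSeconds = 0.5, maxHits = 20 } = {}) {
  const records = lines.map(parseLine).filter(Boolean);
  const slow = slowEndpoints(records, slowSeconds);
  const hits = new Map();
  for (const r of records) {
    if (!slow.has(r.path)) continue;
    const range = slash24(r.ip);
    hits.set(range, (hits.get(range) || 0) + 1);
  }
  return [...hits]
    .filter(([, n]) => n > maxHits)
    .sort((a, b) => b[1] - a[1])
    .map(([range, count]) => ({ range, count }));
}

// Constructed sample log: one /24 pounding /search, a second /24 taking over
// on the category pages (the "hammer from other IP ranges" shift), and a human
// browsing a cheap static page plus one search.
function sampleLog() {
  const lines = [];
  const line = (ip, path, secs) =>
    `${ip} - - [17/Nov/2025:10:00:00 +0000] "GET ${path} HTTP/1.1" 200 512 "-" "Mozilla/5.0" ${secs}`;
  for (let i = 0; i < 30; i++) lines.push(line(`203.0.113.${i + 1}`, `/search?q=${i}`, '1.8'));
  for (let i = 0; i < 25; i++) lines.push(line(`198.51.100.${i + 1}`, `/category/${i}`, '1.2'));
  for (let i = 0; i < 15; i++) lines.push(line('192.0.2.10', '/about', '0.02'));
  lines.push(line('192.0.2.10', '/search?q=hi', '1.5'));
  return lines;
}

// Usage: node this-file.js
console.log(hammeringRanges(sampleLog()));
```

On the constructed sample this reports `203.0.113.0/24` (30 hits) and `198.51.100.0/24` (25 hits) while leaving the human on `192.0.2.10` alone, even though that user also hit the slow search page once. A per-path mean is sensitive to a single slow request, so on a real log you would prefer a median or a percentile, add a time window, and aggregate by announced prefix or ASN rather than a fixed /24 before turning the output into firewall or WAF rules.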
the stories are real, and in some cases you may need it — in most cases you don’t. and it clearly doesn’t always protect you.
I don't think it is fair to characterize Cloudflare as a single point of failure, at least in the traditional sense.
I can't think of any reason not to use cloudflare. It's _dead easy_ to set up too.
I can't help but think that the author understands what cloudflare actually does, or just has a poor understanding of what goes on on the internet. Probably a bit of just being in a bad mood about cloudflare being down too.
But of course I understand that for most users this isn't really a concern and the benefits that CF provides are much more important than the centralization problem.
I'm all for decentralizing and I don't feel the need for CloudFlare personally, but yes, arguing that people really shouldn't be doing it, period, requires some good technical reason or a more convincing political stance.
The gateway was checked regularly for random data and the client would stop a download after 1MB, causing the gateway to stop sending the rest of the file.
However, Cloudflare CDN wouldn't stop when the client stopped, causing the gateway to send the whole file. Some files are multiple GBs big, so I suddenly got an invoice of 600€.
Do i need to? Definitely not. Am i going to stop using cloudflare? Also no.
When it comes to bigger sites, i think having someone to blame for an outage (especially when these big ones are effectively "the whole Internet broke") is still probably preferable to managing it all yourself.
Way back years ago when I used to roll my own, any problems I had were extremely long and painful to fix. Could I do it again today? Yeah sure, but I know I couldn't do a better job than Cloudflare.
Cloudflare went down for 5 hours this year. That’s 99.94% uptime.
For real, who cares? Get a life and take a nice walk or something.
Let the big enterprises worry about their backup plan.
Anyone have a suggestion for an alternative? I don’t want to pay per domain but I would pay an agency fee for like 100 domains for a few hundred bucks, sort of like what Migadu offers for email.
And we all lived happily ever after.
Should I just stop being paranoid about "leaking my IP address" and self-host it 100%? All I fear is that my family will have to live with degraded internet experience because some script kiddie targeted me for fun.
Same here for years (Pi 4) but without the cloudflare part. It's been painless.
1. Put a moderate amount of money toward having the world's experts in uptime keep your site performing fast, and accept that occasionally your service goes down at the same time as everyone else.
2. Roll your own service, hire a large number of expensive experts to try to solve these problems yourself, and be responsible for your own outages and failures which will happen eventually and probably more frequently.
If no one is going to die from your service going down, it seems like this is a perfectly reasonable third-party dependency. And if the issue is just your contract's SLA or a financial customer, the saving that comes from using Cloudflare can probably be worked through via negotiations.
Cloudflare handles caching of static resources, rate limiting, and blocking of bots with very little configuration.
Also, my ISP here in the UK doesn't provide static IP addresses, so Cloudflare allows me to avoid using a dynamic DNS service, and avoid exposing ports on my router.
Incidentally, if you can make a site "static", so far I'm mostly liking AWS CloudFront loaded from S3. After many years serving my site from a series of VPSs/hosters/colo/bedroom. It's fast and inexpensive, and so far perfectly solid.
Deploying consists of updating S3, and then triggering a CloudFront invalidation, which takes several seconds. The two key fragments of my deploy script (not including error checking, etc.), after the Web site generator has spat all the files into a staging directory on my laptop where I can test them as `file:` URLs, are:
    # Mirror the staging directory into the bucket. --delete removes objects
    # that no longer exist locally; --exclude skips editor backup files.
    aws s3 sync \
        --profile "$AwsProfile" \
        --exclude "*~" \
        --delete \
        "$WebStagingDir" \
        "s3://${S3Bucket}/"

and then:

    # Invalidate every cached path so the edge fetches the new objects.
    aws cloudfront create-invalidation \
        --profile "$AwsProfile" \
        --distribution-id "$CloudFrontDistId" \
        --paths "/*" \
        < /dev/null 2>&1 | cat
The main thing I don't like about it (other than the initial setup wizards having a couple bugs) is that it doesn't automatically map `foo/` URLs to `foo/index.html` S3 objects. The recommended solution was to use AWS Lambda, which I did temporarily, and it works. But when I get a chance, I will see whether I can make my deploy script duplicate S3 `foo/index.html` as S3 `foo/` and/or `foo`, so that I can get rid of the worse kludge of using Lambda. Unless CloudFront offers a feature to do this before then.

https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...
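One way to do that mapping at the edge, without duplicating objects in the deploy script and without Lambda@Edge, is a CloudFront Function on the viewer-request event that rewrites directory-style URIs before the request reaches the S3 origin. The following is an added example, not the commenter's code: the `handler(event)` entry point and the `event.request` / redirect response shapes follow the CloudFront Functions documentation, and the choice to redirect a bare `/foo` to `/foo/` (rather than silently serving `/foo/index.html` under `/foo`) is a design assumption so that relative links inside the page resolve against the right directory.

```javascript
// CloudFront Function (viewer-request event) mapping directory-style URIs to
// the S3 object that actually exists. Added example, not from the original
// post. Written in ES5 syntax so it runs on the cloudfront-js runtime.
function handler(event) {
    var request = event.request;
    var uri = request.uri;

    // "/" and "/foo/" -> "/index.html", "/foo/index.html": S3 has no notion
    // of a directory, so append the object name CloudFront should fetch.
    if (uri.endsWith('/')) {
        request.uri = uri + 'index.html';
        return request;
    }

    // Extension-less last segment, e.g. "/foo": redirect to "/foo/" so the
    // browser's base URL is the directory and relative links keep working.
    var lastSegment = uri.substring(uri.lastIndexOf('/') + 1);
    if (lastSegment.indexOf('.') === -1) {
        return {
            statusCode: 301,
            statusDescription: 'Moved Permanently',
            headers: {
                location: { value: uri + '/' }
            }
        };
    }

    // Anything with an extension ("/img/a.png", "/feed.xml") is passed
    // through untouched.
    return request;
}
```

Two caveats a practitioner would want: the query string lives in `event.request.querystring`, not in `uri`, so the rewrite keeps it but the 301 above drops it (append it to the `location` value if your site uses query parameters on directory URLs); and this is only needed with the S3 REST origin that CloudFront uses for private buckets, since CloudFront's own "default root object" applies to the top-level `/` only.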
You don't need to be the target of a dDoS to use a CDN.
Also, using CDNs (Fastly via Github pages, not Cloudflare, in this case) once allowed us to be featured in a very large newspaper without worries, extra expenses, or extra work.
Getting bots under control would be better for the health of the web anyway, but the chances of that happening are practically zero. Even if the AI bubble collapses entirely, there's still going to be loads of ill-behaved scrapers and exploit sniffers roaming about.
I don't know if it's possible to fix this issue, short of the entire world enacting strict regulations mandating that scrapers and bots be well-behaved, which is never going to happen and even if it did could end up being just as or more destructive than rogue bots.
Meanwhile CF is closing in on monopolizing the internet.
The discussion here is sort of which way do you want to let DDoS sites damage you? By signing up for Cloudflare or not signing up for Cloudflare. In both cases normal users suffer harm.
Why? This is a serious question.
If you're not behind Cloudflare, the level of effort required to impact your operations goes down, not up. Yes, of course, you're not impacted by massive outages like this, but you will be affected by other outages, and you will have a harder time recovering.
Do not listen to this author.
Why?
Pretty simple, really. My personal website, along with some other services, can run successfully from a $10/mo VPS on Digital Ocean because I can be assured that anything I post will have its traffic primarily absorbed by Cloudflare.
This lets me do things I want to do without having to consider the consequences or eating the direct cost myself, like having a gallery of my travel photography where I post nearly full-sized images that can be arbitrarily crawled. I have no concerns about my images being "stolen", because for the most part there'd be no reason to do so, but I'd have to stop doing that if I didn't have Cloudflare in front of my site because of AI crawlers and other things that will abuse the shit out of my little VPS.
Do I think I'm on the target list for a DDoS? Not at all. Do I think badly behaved crawlers and the general tom-fuckery of the Internet will destroy my little VPS and/or cause me outage bills? Absolutely. Cloudflare prevents all that, and as a bonus lets me geo-block bad actors to minimize the likelihood of even that happening.
See, my entire website is static, and for most people, so should yours be. The greatest thing about a static website is that the entire surface area is cacheable via a CDN. I /built/ my site with the idea of putting it behind Cloudflare in mind, specifically so I could do whatever I wanted (as long as it didn't need to query a database) and be entirely out of the woods.
It's worked great for over a decade, and I expect it to continue working great for a decade more. The fact it is currently down is not a big deal because I get maybe one organic visitor every week that's not my mom.
We get excited by KPIs like uptime or scale while in truth for most of us those are not the key metrics. We think like BigTech because that's the metrics they sell us. It's a mistake that is profitable for them.
I think that for most sites the DDOS attack is more likely.
https://hn.algolia.com/?q=cloudflare+outage
Cloudflare apparently has outages every 1-2 years or so.
https://daniel.es/blog/cloudflare-vs-la-liga/
https://harro.com/2025/06/06/is-blanket-ip-blocking-justifie...
https://cybersecurityadvisors.network/2025/04/15/la-liga-blo...
https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...
I dislike CloudFlare for their extremely hostile stance against VPNs and for collecting a near autocratic control of a large part of the “world wide” web. I think that there are very valid concerns regarding that. And yes, that power is given to them by service providers, however also essential services use it and as a user I can not choose to not use your service without CF, so it’s still very much asymmetric.
> This demonstrates again a simple fact: if you put your site behind a centralized service, then this service is a single point of failure. Even large established companies make mistakes and can go down.
I'm guessing sites with a few thousand visitors a month don't much care about single points of failure. Seems like kind of a circular argument - if they're too small to care about needing a proxy in front of their service, then they are also probably too small to care about the handful of events that cause it to go down every so often.
People talk about "single points of failure" like invoking that phrase in and of itself means something is bad. There are many areas where avoiding single points of failure is essentially impossible. It's about how much risk and impact you are willing to tolerate with those points of failure.
Good luck with your bill if you have a DDOS attack. If they don't close your account at least.
I don't think that is correct; that's why most people use Cloudflare.
Also if you aren’t practiced at diagnosing a DDOS or if your monitoring is not tuned for it, diagnosing it can be supremely difficult. Answering as someone who has successfully diagnosed ddos at 11pm on a Sunday night without access to the logs or monitors (mostly because the necessary monitoring did not exist)
And I could only do that because I had a decade of experience and I had the clarity of emotional distance (not my site, not my server, not my fault).
I'm no stranger to hosting things 'the hard way', but I am not going back from my happy casual hosting where I just spin up a docker container, and point the cloudflare tunnel at the local port and opt out of worrying over DDOS, SSL termination and certs, and everything else that goes with it.
With tailscale, I don't even keep port 22 open to the world.
sure there are botnets, infected devices, etc that would conform to this but where does the sheer power of a big ddos attack come from? including those who sell it as a service. they have to have some infrastructure in some datacenter right?
make a law that forces every edge router of a datacenter to check for source IP and you would eliminate a very big portion of DDoS as we know it.
until then, the only real and effective method of mitigating a DDoS attack is with even more bandwidth. you are basically a black hole to the attack, which cloudflare basically is.
My most significant running expense was bandwidth cost. So I never switched to cloud since the bandwidth costs would have instantly bankrupted me. Cloudflare, on the other hand, was the single most significant development when it came to my bottom line. Adding a basic, $200 / month business account saved me thousands per month on bandwidth + server costs.
DDoS protection was just a nice perk.
Most small websites are hosting with cloud providers these days. If their websites are at all media rich (and most are these days), and those assets can be cached by a CDN ... the cost savings on bandwidth are not marginal. They are often the difference between being able to afford to host your website or not having one at all.
There are, of course, ways to optimize and reduce those expenses without a 3rd party CDN. But if Cloudflare still has their free plans for smaller traffic volumes, it is often a financial decision to use them over your cloud provider's CDN options.
If we don’t filter all this crap out, our metrics become basically meaningless, and our Data Warehouse, whose analyses we need to do business with our partners, would be one big „shit in, shit out“ travesty.
And on the other hand, becoming non-affected by today’s Cloudflare incident was a single DNS update away, and effective in under a minute.
I’m not saying we are perfectly happy, and I don’t exactly love the Cloudflare bill, but just slapping them in front of our loadbalancer and have them filter out the bad guys has been a good deal so far.
Except you've now leaked your origin IP so expect increased junk being pointed straight at it. Sure you can firewall it off but even dropping packets burns CPU.
Running behind something like Cloudflare doesn't just protect against DDoS, it protects against surprise traffic spikes.
If your site ends up on the Hacker News frontpage it's nice for it not to fall over right as people are trying to check it out.
Let's assume that i could easily use multiple CDNs/proxies and put them all in my DNS record. It would be nice if web browsers would use happy-eyeballs like logic to switch between multiple IP addresses, but i don't think this is default behavior with multiple A/AAAA records.
    dig NS huijzer.xyz +short
    fay.ns.cloudflare.com.
    gerardo.ns.cloudflare.com.

If your site is static, a VPS would carry it a long way. I once hosted a tiny video site - 500 daily visitors, 100GB, $10/month. Worked better than YouTube, 0 issues.
I run my stuff as quadlets on Linux, and `cloudflared` just forwards requests to a specific port. It's a reverse proxy. If I wanted to move off Cloudflare, I'd need to run Nginx (or Traefik/Caddy which I'm less familiar with) + certbot and switch DNS.
I like this layering approach, and when I decided to move from a cheap VPS to my own homeserver, I found it very easy to do so by just swapping a few things. I do have Google Fiber who don't mind when you host stuff so that's nice.
Of all the cloud services that are a problem, I'd say Cloudflare is particularly well-designed as a non-lock-in service and is very generous with the terms. So I am quite happy putting Cloudflare in between.
After all, if I'm only receiving a few hundred visits a month, it's not that important if Cloudflare is down. It's not like I'm providing an essential service except to my wife, who relies on some of the apps I've made for her Custom GPTs[1] and she is quite the forgiving user.
0: https://wiki.roshangeorge.dev/w/One_Quick_Way_To_Host_A_WebA... a description of how I host, but mostly structured as a note to myself
1: https://wiki.roshangeorge.dev/w/Blog/2025-10-17/Custom_GPTs
Just like most internet nonsense...
"I like privacy, but it's convenient"
"I don't like amazon policies, but it's convenient"
etc...
so luxuries become necessities...
It's just that if your server fails no one hears about it. But as a rule, your custom server will fail more often than Cloudflare.
And you "need" it quicker than you think. DaemonForums is a small (no longer very active) forum; I ran the site for the first few years from 2008 to 2013. I served it off a small Intel Atom server. I haven't been involved in over a decade, but last year the current admin added Cloudflare because traffic from bots was getting out of control. He helpfully posted some stats:
Period Usage Maximum Expected Overusage
July 2025 5 GB ∞ 5 GB No overusage
June 2025 63 GB ∞ 63 GB No overusage
May 2025 788 GB ∞ 788 GB No overusage
April 2025 1038 GB ∞ 1038 GB 38 GB
March 2025 540 GB ∞ 540 GB No overusage
February 2025 379 GB ∞ 379 GB No overusage
January 2025 397 GB ∞ 397 GB No overusage
December 2024 401 GB ∞ 401 GB No overusage
November 2024 484 GB ∞ 484 GB No overusage
October 2024 328 GB ∞ 328 GB No overusage
September 2024 357 GB ∞ 357 GB No overusage
August 2024 355 GB ∞ 355 GB No overusage
July 2024 326 GB ∞ 326 GB No overusage
June 2024 189 GB ∞ 189 GB No overusage
May 2024 238 GB ∞ 238 GB No overusage
April 2024 225 GB ∞ 225 GB No overusage
March 2024 125 GB ∞ 125 GB No overusage
February 2024 76 GB ∞ 76 GB No overusage
January 2024 68 GB ∞ 68 GB No overusage
December 2023 34 GB ∞ 34 GB No overusage
November 2023 31 GB ∞ 31 GB No overusage
October 2023 31 GB ∞ 31 GB No overusage
September 2023 24 GB ∞ 24 GB No overusage
August 2023 22 GB ∞ 22 GB No overusage
July 2023 22 GB ∞ 22 GB No overusage
June 2023 22 GB ∞ 22 GB No overusage
May 2023 18 GB ∞ 18 GB No overusage
April 2023 20 GB ∞ 20 GB No overusage
March 2023 21 GB ∞ 21 GB No overusage
February 2023 20 GB ∞ 20 GB No overusage
January 2023 34 GB ∞ 34 GB No overusage
December 2022 38 GB ∞ 38 GB No overusage
November 2022 28 GB ∞ 28 GB No overusage
October 2022 25 GB ∞ 25 GB No overusage
September 2022 18 GB ∞ 18 GB No overusage
August 2022 36 GB ∞ 36 GB No overusage
July 2022 84 GB ∞ 84 GB No overusage
June 2022 71 GB ∞ 71 GB No overusage
May 2022 91 GB ∞ 91 GB No overusage
April 2022 89 GB ∞ 89 GB No overusage
March 2022 88 GB ∞ 88 GB No overusage
February 2022 89 GB ∞ 89 GB No overusage
January 2022 89 GB ∞ 89 GB No overusage
December 2021 98 GB ∞ 98 GB No overusage
November 2021 101 GB ∞ 101 GB No overusage
October 2021 97 GB ∞ 97 GB No overusage
September 2021 92 GB ∞ 92 GB No overusage
August 2021 94 GB ∞ 94 GB No overusage
July 2021 84 GB ∞ 84 GB No overusage
June 2021 83 GB ∞ 83 GB No overusage
May 2021 92 GB ∞ 92 GB No overusage
April 2021 91 GB ∞ 91 GB No overusage
March 2021 76 GB ∞ 76 GB No overusage
February 2021 68 GB ∞ 68 GB No overusage
January 2021 82 GB ∞ 82 GB No overusage
December 2020 74 GB ∞ 74 GB No overusage
November 2020 76 GB ∞ 76 GB No overusage
October 2020 71 GB ∞ 71 GB No overusage
September 2020 65 GB ∞ 65 GB No overusage
August 2020 75 GB ∞ 75 GB No overusage
July 2020 71 GB ∞ 71 GB No overusage
June 2020 65 GB ∞ 65 GB No overusage
May 2020 71 GB ∞ 71 GB No overusage
April 2020 56 GB ∞ 56 GB No overusage
March 2020 59 GB ∞ 59 GB No overusage
February 2020 56 GB ∞ 56 GB No overusage
January 2020 61 GB ∞ 61 GB No overusage
December 2019 55 GB ∞ 55 GB No overusage
November 2019 51 GB ∞ 51 GB No overusage
October 2019 54 GB ∞ 54 GB No overusage
September 2019 51 GB ∞ 51 GB No overusage
August 2019 49 GB ∞ 49 GB No overusage
July 2019 49 GB ∞ 49 GB No overusage
June 2019 46 GB ∞ 46 GB No overusage
May 2019 63 GB ∞ 63 GB No overusage
April 2019 46 GB ∞ 46 GB No overusage
March 2019 46 GB ∞ 46 GB No overusage
February 2019 43 GB ∞ 43 GB No overusage
January 2019 83 GB ∞ 83 GB No overusage
December 2018 52 GB ∞ 52 GB No overusage
November 2018 53 GB ∞ 53 GB No overusage
October 2018 49 GB ∞ 49 GB No overusage
September 2018 45 GB ∞ 45 GB No overusage
August 2018 46 GB ∞ 46 GB No overusage
July 2018 20 GB ∞ 20 GB No overusage
July 2018 34 GB ∞ 34 GB No overusage
June 2018 59 GB ∞ 59 GB No overusage
May 2018 51 GB ∞ 51 GB No overusage
April 2018 59 GB ∞ 59 GB No overusage
March 2018 49 GB ∞ 49 GB No overusage
February 2018 44 GB ∞ 44 GB No overusage
January 2018 47 GB ∞ 47 GB No overusage
December 2017 49 GB ∞ 49 GB No overusage
November 2017 43 GB ∞ 43 GB No overusage
October 2017 46 GB ∞ 46 GB No overusage
September 2017 47 GB ∞ 47 GB No overusage
August 2017 43 GB ∞ 43 GB No overusage
July 2017 42 GB ∞ 42 GB No overusage
June 2017 46 GB ∞ 46 GB No overusage
May 2017 42 GB ∞ 42 GB No overusage
April 2017 59 GB ∞ 59 GB No overusage
March 2017 46 GB ∞ 46 GB No overusage
February 2017 45 GB ∞ 45 GB No overusage
January 2017 46 GB ∞ 46 GB No overusage
December 2016 43 GB ∞ 43 GB No overusage
November 2016 38 GB ∞ 38 GB No overusage
October 2016 41 GB ∞ 41 GB No overusage
September 2016 32 GB ∞ 32 GB No overusage
August 2016 34 GB ∞ 34 GB No overusage
July 2016 33 GB ∞ 33 GB No overusage
June 2016 41 GB ∞ 41 GB No overusage
May 2016 46 GB ∞ 46 GB No overusage
April 2016 51 GB ∞ 51 GB No overusage
March 2016 53 GB ∞ 53 GB No overusage
February 2016 39 GB ∞ 39 GB No overusage
January 2016 42 GB ∞ 42 GB No overusage
December 2015 36 GB ∞ 36 GB No overusage
November 2015 35 GB ∞ 35 GB No overusage
October 2015 32 GB ∞ 32 GB No overusage
September 2015 38 GB ∞ 38 GB No overusage
August 2015 36 GB ∞ 36 GB No overusage
July 2015 35 GB ∞ 35 GB No overusage
June 2015 34 GB ∞ 34 GB No overusage
May 2015 35 GB ∞ 35 GB No overusage
April 2015 55 GB ∞ 55 GB No overusage
March 2015 44 GB ∞ 44 GB No overusage
February 2015 28 GB ∞ 28 GB No overusage
January 2015 36 GB ∞ 36 GB No overusage
December 2014 38 GB ∞ 38 GB No overusage
November 2014 41 GB ∞ 41 GB No overusage
October 2014 64 GB ∞ 64 GB No overusage
September 2014 44 GB ∞ 44 GB No overusage
August 2014 43 GB ∞ 43 GB No overusage
July 2014 42 GB ∞ 42 GB No overusage
June 2014 27 GB ∞ 27 GB No overusage
May 2014 31 GB ∞ 31 GB No overusage
April 2014 40 GB ∞ 40 GB No overusage
March 2014 38 GB ∞ 38 GB No overusage
February 2014 37 GB ∞ 37 GB No overusage
January 2014 24 GB ∞ 24 GB No overusage
From: https://daemonforums.org/showthread.php?t=12809#post76328

The traffic increased by an order of magnitude, to the point where it was causing problems.
Does it "need" Cloudflare? Probably not – you can just expand your hardware, or maybe fiddle with some other stuff. But Cloudflare is simple, cheap, and easy.
I have no great love for Cloudflare, but posts like this are not in sync with the state of the modern internet.
You don't need to burn a DDoS capability to launch a DDoS attack. You just need to pay a few bucks to a booter service. A few minutes of searching turned up these:
https://hardstresser.org/ (this one looks like it offers a free trial)
their stack has been some of the easiest low-hanging fruits for enhancing self-managed web stuff. almost everyone who agrees with this sentiment is also relying on someone else in the chain to keep their sites up. in my limited experience, the latter ended up being less reliable in the past decade or so.
funnily enough the site was (momentarily) not loading for me, but instantly did right after.
Also, if my little blog gets posted on Reddit or somewhere and gets a huge spike.. it won't go down or cost me money in overages.
This actually happened two years ago. I had massive DDOS style traffic that Cloudflare totally was able to mitigate.
People (or bots) using cloudflare ips to probe for exploited files.
I block the cloudflare cidr they are coming from.
Website backup (wordpress using updraft free) - fails.
Logs show failure to connect to updraft's web site.
I lookup the website's dns and see cloudflare ips.
Those ips are in the CIDR I blocked.
I temp undo the block, run the updraft backup, and go back to blocking millions of cloudflare ips.
Scratching my head on why updraft needs to connect to its home site to run a backup, and why a better failure notice was not presented.
thejazzman•2mo ago
You’d see those same errors if someone took their own site down while working on it , probably accidentally