The only time I still get asked to click motorcycles is not Cloudflare, it's Google. They absolutely hate when you try to do a search in an incognito window and will give you an unpassable captcha until you give up and use DDG instead.
The shorter the average interaction with the site, the worse the burden cloudflare becomes. E.g. looking up a definition is usually a 5-10 second job, Cloudflare can make it take almost an order of magnitude longer.
In defence of motorcylces and traffic lights, those captchas are annoying too, but they do help humanity in a tiny, tiny way. By contrast, watching a cloudflare loading spinner is stupefyingly useless.
(apologies for ranting. I find it disproportionately irritating even though it's only a few minutes per day, possibly due to the sheer repetition involved).
You should choose one so things like caching will work properly, also search engines really want you to keep to a single domain hostname for the same content.
add tfd = http://web.archive.org/web/2026if_/https://www.thefreedictio... as a search engine. (This is our internet now.)
This may be one reason:
https://blog.cloudflare.com/ddos-threat-report-2025-q3/
Top 10 largest sources of DDoS attacks: 2025 Q3
1. Indonesia
2. Thailand
3. Bangladesh
Vietnam and Singapore also make it into the top 10. The latter is a bit of an outlier being rich and having a small population.
What's the better solution? I certainly don't know.
using a less retarded system, perhaps? forcing a max difficulty recaptcha upon the first (!!!) request from client_IP to server_IP in hours/days/ever makes no fucking sense whatsoever.
Cloudflare is a piece of shit, and people only use it because it's free.
Even sites that I manage with Cloudflare, I see the same. Even if I use relaxed mode on, If I visit the site via mobile, it can trigger the Cloudflare human validation.
Yes, every one-pager running on Vercel/Netlify sits behind Cloudflare now because no one wants to risk an insane cloud bill in case of an attack. People have become hopelessly dependent on managed cloud services.
However, to be fair, there's less captcha solving nowadays, since they introduced their one-click challenge (but that's not always the case).
I'm in the same situation. Linux, Firefox, Sweden, with a residential IP that has been mine for weeks/months. Who's massively DDoS'ing with residential Telia IPs?!
The difference is: I can't get past Cloudflare's captcha for the past 2-3 years (on Firefox), have to use Chrome for the few sites I do need/want to see behind this stupid wall.
By now I've sent hundreds of feedback through their captcha feedback link, I keep doing it in the hopes at some point someone will see those...
Businesses were perfectly fine to accept the low security of 1990s email, webserver, and all the other configurations and software. They did not suddenly out of nowhere ask for more restrictions (such as email sending restricted to using the email server "officially responsible" for that domain- it used to be you could do the same as with physical mail, where you can drop letters into mailboxes writing a "From" address that was not in the same city as the mailbox location). They certainly did not volunteer to make everything much more difficult -- and expensive -- to set up and use. It also leads to a lot more work for their IT staff and a lot more user problems to respond to.
All these annoying restrictions were forced to be implemented by attacks of all kinds.
Because it is so difficult, compromises needed to be made. CFs methods are of course full of them, such as taking country and IP ranges into account. Feel free to make practical and implementable and affordable suggestions for alternative solutions. You may even get a reward from CF if you can come up with something good that allows them to cut back on restrictive policies while at least maintaining the current level of security. It is in the interest of CFs customers to be as accessible as possible, after all.
Spammers have been around since forever and it used to be the webmaster/sysadmin's responsibility to deal with spam in a way that would not hinder user experience. With Cloudflare all that responsibility is aggressively passed on to the user, cumulatively wasting _years_.
As for attackers, I wonder if Cloudflare publishes data showing how many of the billions of websites it "protects" have experienced a significant attack. They don't offer free protection to save the internet, but rather for control -- and no single company should have this much control.
Is the fallacy here not obvious? Yes, spammers have been around since forever, but it's not the same amount of spammers. Whether it's two spammers or two million spammers does make a difference.
I remember some clients in the mid 2000s. They got several spam emails per minute on some accounts. Not kidding. I haven't seen anything like that in recent years.
In my SMTP server logs, most of the spam comes from legitimate @gmail.com, @outlook.com, @protonmail.com accounts -- that all pass SPF/DKIM checks.
The phishing emails have subjects such as: "This message confirms that your recent wire transfer request has been successfully processed."
I don't know how the spammers/phishers are using those legit cloud email accounts at scale because Google/Microsoft etc have rate limits for new email account creations and also limits on sending out bulk emails. I suppose they may be using the "business/enterprise" paid plans of Gmail/Outlook which have higher sending limits than the free plans but that still doesn't seem to fully explain it. The spammers are really sophisticated in how they bypass the abuse checks that Google and Microsoft have in place.
Well this is where your argument goes a little wrong IMO. When you're on something more niche (eg Firefox on Linux) they just don't care as much about making it work for you because there's so few of us blocked in the process.
And this problem should really be solved with a proper solution, not this fiddly black magic ruleset stuff. The email thing you mention is a good example. DKIM and SPF are good things that makes things more secure in an understandable way. Specifying your legit mail handlers is not a workaround, it's good security. In some ways Altman has a good idea with his WorldCoin eyeballs. But I don't support it for obvious reasons. I don't want my internet identity tied to a single tech bro and some crypto. If we do this kind of thing it has to be a proper government or NGO effort with proper oversight and appeals process.
I've tried to make my Linux Firefox identify as edge on windows and that makes it a lot better on some sites (especially Microsoft breaks a lot of M365 functions on purpose if you're not using the "invented here" browser). And many sites don't give me captchas then. But in some cases Cloudflare goes even more nasty and blocks me outright which is really annoying. If I use Linux a lot more sites break but Cloudflare sticks with captchas.
Anyway I think the age of the captcha is soon over anyway. AI will make it unviable.
> All these annoying restrictions were forced to be implemented by attacks of all kinds.
Ps it's not always attacks but also to block things that are good for consumers but bad for the sites' business model. Like preventing screen scraping which can legit help price comparison sites.
The user would know that each pageview is $0.001.
The website owner would know each pageview pays for itself.
We probably could get there with some type of crypto approach. Probably one that is already invented, but not popular yet. I don't know too much about crypto payments, but maybe the Bitcoin Lightning network or a similar technology.
binaryturtle•2h ago
It's also the entire blockage of older or less mainstream systems that no longer can access, sometimes critical, websites at all when the Cloudflare check blocks things entirely because the "browser is out of date" or not on their whitelist. Therefore causing excessive discrimination of poorer folks that can't afford upgrading to never/ other systems that still are legible to pass Cloudflare's "grace".
inferiorhuman•1h ago
grim_io•1h ago
inferiorhuman•34m ago
hombre_fatal•26m ago
azalemeth•1h ago
Egor3f•1h ago
hombre_fatal•28m ago
akst•1h ago
Is there any data that’s supports this suggestion users with older devices are actually being discriminated? (% of users actually using older devices incapable of upgrading to browser versions supported by cloud flare)
I just find it hard to believe users are actually getting denied access because their device are old. Surely you can still run new versions of Chrome and Firefox on most things [1].
——————
[1] Don’t get me wrong I use Safari and I find it inflammatory when a site tells me to use a modern browser because they doesn’t support safari (the language more so). But I wouldn’t call it discrimination seeing as I have an opinion to run firefox/chrome from time to time.