CloudFlare - the pain of the Internet

Started by Abhinavjain, Aug 16, 2022, 02:33 AM

Previous topic - Next topic

AbhinavjainTopic starter

When CloudFlare first appeared, it was a real revolution in web hosting: by two clicks, without moving to another server, you could connect a professional CDN to your site, which saved a lot of traffic, accelerated the loading of static files and also protected from DDoS. Previously, only companies for big money could afford this, but now it has become available to everyone, also for free!

Since then, CloudFlare has grown a lot and today proxies a third of the Internet through its framework. Because of this, problems appeared that did not exist before. In the post, we will analyze how CloudFlare threatens the normal operation of the Internet, prevents ordinary people from using websites, has access to encrypted traffic, and what to do about it.

How to break a third of the Internet

On July 4, 2020, as a result of a bug, CloudFlare completely broke. As a result, all services that somehow use their network were unavailable. Among the most famous: Discord, Reddit, Twitch. This affected not only sites, but also games, mobile applications, terminals, etc. At the same time, even those services that do not directly use CloudFlare experienced problems due to third-party APIs that became unreachable.

In most cases, in order to use CloudFlare, customers point their domains to their DNS servers. At the time of the accident, the control panel and API also became unreachable, which prevented clients from redirecting their domains around the CloudFlare network, thus becoming trapped: it was impossible to quickly turn off proxying and return to their infrastructure. The only way out was to delegate the domain to their own DNS servers, but such an update could take more than a day, and most customers were not ready for this and did not have spare master DNS servers for such an eventuality.

Despite the fact that the downtime was small, only a few hours, it had a significant impact on the entire industry. Due to non-functioning payment services, companies suffered direct losses. This incident exposed an obvious problem, which until then had been discussed only in theory: if the Internet is so dependent on one service provider, at some point everything can break.

    If one company controls such a large portion of the Internet, it threatens the sustainability of the network both technically and economically.

The very concept of the Internet implies decentralization and resistance to such errors. Even if part of the network goes down, the routing system is automatically rebuilt. But when one company controls such a large portion of the traffic, the network becomes vulnerable to its mistakes, sabotage, hаcks, as well as unscrupulous actions for profit. This idea is important for understanding the rest of the problems that we will discuss next.

you look suspicious

If CloudFlare's proprietary algorithms for detecting malicious traffic consider that you are an unworthy Internet user, web surfing will turn into torment: on every fifth site you will see requirements to pass a humiliating captcha.

The author of these lines accesses the Internet from an office IP address, which is used by hundreds of other employees. Apparently CloudFlare thought that we all looked like bots and started showing everyone a very evil captcha. Sometimes it comes to the point of absurdity when some mobile applications cannot log in. As a result, in order to surf the Internet normally, you have to connect a VPN.

It turns out that CloudFlare at any time can disconnect you personally from a large part of the Internet if it does not like you, or due to erroneous detection, turn ordinary use of services into torment.

We can see through HTTPS

To properly cache and filter content, CloudFlare servers must be able to see the decrypted HTTP traffic. To do this, they constantly
 work in MiTM (Man-in-the-middle) mode, substituting their SSL certificate for the final site visitor.

Pictures in the instructions for configuring HTTPS can be misleading, as if in Full mode, encryption is used throughout the traffic path. In fact, the CloudFlare server decrypts the traffic from the server and encrypts it again with its certificate for the site visitor.

Even if you have a valid SSL certificate on your side, CloudFlare will still have access to all transmitted data. This discredits the whole idea of SSL, which is to encrypt from the client to the final server without decryption along the way.

In the event of an error or hаcking of CloudFlare servers, all confidential traffic will be accessible to attackers. Suffice it to recall the memory leak vulnerability, due to which the CloudFlare servers spat out random memory contents directly into the page content. Such data could include cookies, accounts, credit card numbers, etc.

You also need to keep in mind that the security services of the country in whose jurisdiction Cloudflare Inc operates may request access to decrypted traffic, even if the original server is located in another jurisdiction. This turns the basic idea of SSL into a sham.

Not only infrastructure, but also censorship

Initially, Cloudflare stated that it would only provide framework for customers and did not plan to censor content resources, promising to be limited only to legal requirements from government agencies. This was the case with the site of the famous LulzSec group, which coordinated hаcks and DDoS attacks. Cloudflare has released a statement regarding that.

However, after a while, Cloudflare decides to deny service to 8chan on the basis of their morality. At the same time, there were no court decisions or other formal reasons for this - they just decided so. This caused a public discussion about whether the provider himself can decide which service is worthy of being served on his framework and which is not.


Although Cloudflare is an incredibly useful service and helps to significantly speed up the delivery of content, as well as develop the Internet, its dangerous growth and coming monopoly threatens the stability of the entire Internet. Let's try to summarize all of the above in simple theses:

    You can't keep all your eggs in one basket. This is simply unsafe, the cost of a mistake in this case is too high. If one company has all the secrets of the world, it can always be hаcked, make a fault, or simply act dishonestly to squeeze competitors out of the market.
    A commercial company is constantly interested in one thing - making money. If the key elements of the Internet nodes are captured by one company, it will be able to monopoly control the prices of services, destroy competitors and dictate its own rules, crushing competitors in the bud.
    SSL no longer protects data from third parties. All your encrypted data transmitted over the Cloudflare network is accessible to this very third party - CloudFlare. This gives unlimited approach to the sensitive data of millions of users.

This post does not call for abandoning Cloudflare, but only describes what threatens such a rapid growth and influence of that company in the future. Think about whether using Cloudflare is really necessary for your tasks, and if you can't do without it, consider a plan B in case of an emergency move.
    The following users thanked this post: Sevad


I did not know about the full mode, thank you.
Otherwise, everything is correct, monopolization is bad, you need a backup plan of action.
But for small amateur websites there is no alternative, they cannot afford other options financially, even with 3 free months.


And how is it any forceful in comparison with CF? As I understand it, the strength of CF is precisely in size. Controlling 12% of the world's traffic, they

1) They have such a total bandwidth on the edge servers that no DDOSer will be able to put the CF network (although it can put the victim's infrastructure through the CF servers, but at the moment when the victim's infrastructure is down, the victim will still have access to the admin panels, and there will be opportunities to tighten the screws by giving everyone a captcha, cut off network segments, give whitelists to key clients, and so on). Correspondingly, CF is the absolute leader in terms of brute force.

2) They have the largest and most up-to-date database in the world about the IP addresses of attacking botnets and their behavior. Correspondingly, CF is also the absolute leader in terms of the quality of decisions made.
It is logical that the anti-ddos of small players, lagging behind by orders of magnitude by both criteria, it is not clear how they can provide any effective protection. Or is there something I don't know?

Colin Clark

Over the past 5 years, cybersecurity issues have begun to be approached many times more seriously. If earlier such terms as "mirror barrier" or "DDoS filter" were approached with disdain, now any normal hosting cannot do without these tools. Essentially, cloudflare provides both a CDN package and cloud solutions. After 2014, when big companies were under attack and cloudflare just couldn't keep up, users started thinking about alternatives or replacements. I discovered Sukuri for myself, which provides both a protective screen that protects against both DDoS attacks, SQL injection, and XSS-JavaScript hаcks.


DDoS protection is also different. And everybody understands something of their own by it.
Someone just blocks those ip addresses whose traffic overcomes some boundaries. Someone uses reputation databases of ip addresses. Someone detects common attacks with increased traffic.
Somebody builds a model of interaction with the protected service and with the help of machine learning and determines what is normal traffic for the service and what is not. Most often it is not clear what this anti-DDoS means, for which you need to pay extra.

Caching HTTP traffic, dropping malicious HTTP, rate limits on the number of requests, JavaScript browser checks, load balancing - any anti-DDoS server peeking inside HTTP can also be a DDoS protection strategy.
Only this is no longer L4, but L7 protection. Any CDN, any hosting provider that offers such protection will terminate TLS and look inside HTTPS.

You can't just scold Cloudflare for reading traffic in plain text. If the hosting provider's anti-DDoS does not do the same, then it simply does not provide L7 DDoS protection (WAF).
In general, the arguments that some WAF has access to open traffic make sense only as long as you do not trust the WAF, but trust web hosting provider who controls the hypervisor of your VPS and has physical access to the iron server.