It is extremely hard to stop DDOS attacks without CF; my hoster has DDOS protection, but when there was a very large attack on our site, only CF could remedy it, and did so immediately when we panicked-moved dns and switched on bot fight. Entire attack that my hoster couldn't stop was gone. How do you do this without CF if you are a small company?
There are *so* many options out there. Saying you don't know how to do it without using an evil, monopolistic company is like saying you can't host email without using Google. It's lazy, untechnical and just plain untrue.
Enlighten me please; I have asked many times and everyone keeps sending me to cloudflare, even some hosters. When you search for anything like this, it ends up being very expensive which is not lazy; we cannot afford it. Botfight is free.
Maybe if people knew about alternatives, they would use CF less. I wouldn't use them at all (and don't; I switch when my hoster cannot handle the attack which happened once only).
I don't use them myself, but I only choose colocation providers that have a good handle on their own protections. A quick search, though, shows lots of reviews and options:
No idea about the content of those links, but considering the amount of research I do before selecting a colo provider, it'd be trivial in comparison to research a DDoS protection service.
But you didn't check those sites; they all recommend cloudflare or either very expensive (we all know what it means when there are no prices on the site and sales can call me) solutions, hard to use solutions or solutions you cannot use unless you are a certain type of site (the google one).
So basically the choice is cloudflare if you are not cashed up enough. So nothing to do with lazy; there are no other viable options for most if it's a large attack.
You're right that I didn't check them. I said that.
It's like doing research for colo, like my example. If you have the need, then a couple of hours of research is well worthwhile. I don't have the need, so I'm not going to do it now, but that's how one starts.
The colo example is apt - colo providers that don't have pricing are invariably too expensive, so I skip them, but there are plenty of others to check out that aren't Cloudflare. The one article I skimmed even says whether the providers are pricy or affordable.
Nobody needs Cloudflare. If (most) people were aware of how much Cloudflare breaks visibility across the world, they'd likely avoid Cloudflare, too.
I would avoid cloudflare and i did this research before; there simply aren't any affordable competitors. That is why everyone keeps coming back to them.
Like what? When I last tried to DIY it, weeks of work resulted in maybe a 20% decrease in spam traffic. Then we tried Cloudflare and overnight it pretty much went to zero.
That was like ten years ago though. What are some good alternatives?
You should design your site to be resilient to spam traffic, not try to filter until it's gone. By filtering, you've become unreachable by much of the world, spammers or not.
Well, that sounds easier said than done. Do you have any advice or tutorials on how to do that effectively?
We did try, casually at first over the years, then intensely as a focused effort over several weeks, to little effect. We tried blocklists, fail2ban, firewall rules, heuristics, CDNs, other non-Cloudflare services, etc. It cost us dozens of hours of labor and thousands of dollars of other service provider fees, but the spam didn't abate much. It was causing excessive server load, many credit card authorization attempts (they didn't go through, thankfully), sometimes fake PO orders, screwing up our analytics, etc.
Then out of desperation, we found Cloudflare. It took maybe half an hour to set up, cost $20/mo at the time, and overnight all our spam problems stopped. For a small business, it was a godsend, freeing up our devs to work on actual features instead of fighting bots all the time, and saving us thousands of dollars in hosting fees.
> By filtering, you've become unreachable by much of the world, spammers or not.
But... that's the whole point! We weren't some huge enterprise SaaS trying to advertise to the whole world, just a small US-only business. We had no business in China, Russia, India, etc., where most of the spam was from. We tried in vain to block that traffic on purpose, but couldn't easily do it until Cloudflare.
Then Cloudflare let us flip a toggle... and it all magically worked. Our staff was much happier, our actual customers never noticed (they were all US/Canada based, or rarely Europe), nobody ever complained, and we saved thousands of dollars a year.
It's not just about DDoS (which we did get on occasion, and our host did help us with) but the consistent drive-by bot scraping, pen testing, port scanning, etc.
Cloudflare sometimes gets a lot of hate here, but for small website operators, they are a HUGE lifesaver. I've never actually heard a complaint from a real customer about this, but even if we hypothetically lost a handful, the time and money saved not dealing with spammers is worth it to many businesses.
The internet has long since stopped being the open wonderland where everyone is nice and contributes positively. The overwhelming majority of it is worthless bot traffic, and you could make an entire career out of trying to prevent it... or just give Cloudflare a few dollars and a few minutes. Sorry, I don't see them as evil, just... practical? Useful?
