spacebanana7 4 days ago

What’s the alternative solution? We also don’t want to have critical services DDoS’d or spammed.

2
stego-tech 4 days ago

Then maybe don’t put critical services on the open internet. I know most tech people would balk at such a possibility, but the status quo isn’t really compatible with either long-term goal:

* If we want the internet to be a place of anonymity and free speech, then we shouldn’t be putting critical services on the public internet - or we need to stop using intermediaries like Cloudflare where a single court order could disrupt legal services

OR

* If we want critical services online and widely available, then verifiable identity is a must from the outset, such that these sorts of blocks can be highly targeted when enforced.

Piracy exists between those two forces: an anonymous internet would be rife with piracy, while an authenticated internet would see minimal amounts of it because it’s so easily eradicated. Coexistence of both worked because the internet was optional, which is no longer the case.

But nobody wants to talk about that, I find. Everyone wants the status quo to continue unabated forever, because it’s familiar. Familiarity does not mean permanent, though.

jfengel 4 days ago

I think the status quo exists as a more-or-less stable equilibrium between those forces. (Plus another equilibrium of people wanting to get paid for content and the people who don't want to give cash but will sell their attention and privacy.)

It's more than just familiarity. It's what works.

If someone had a significantly better alternative I think the world would jump on it. But many have tried to disrupt this equilibrium and failed.

brookst 4 days ago

What if there’s no singular “we” and different people / companies have different needs?

stego-tech 4 days ago

That’s basically what I was getting at, albeit in (deliberately) far more inflammatory terms. There’s this misconception at a very fundamental level that the internet is a “place” that can be regulated, or obstructed, as human needs change and evolve.

It is little more than a multitude of computers talking to each other in a similar “language”. It is not a singular place or entity, and attempting to regulate the entirety of it as such is fundamentally impossible.

And the sooner people and governments understand that, the sooner we can resume difficult discussions on its use.

globie 4 days ago

Simple: Connect larger NICs and do "dumb" DDoS filtering at your fattest point.

Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.

"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and it is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.

Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!

[0]: I made it up
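The session-based rate control described above, as an added example that is not part of the thread or anyone's production code. It assumes requests arrive as (timestamp, session_id, client_ip) records; sessionless requests are keyed by client IP with a tighter budget, since creating sessions is the cheapest thing to spam.

```python
# Added example: sliding-window rate control keyed by session (or by client IP
# when there is no session). Request format and sample traffic are assumptions.
from collections import deque


class SlidingWindowLimiter:
    def __init__(self, limit, window_s):
        self.limit = limit        # max requests per key inside the window
        self.window = window_s    # window length in seconds
        self.hits = {}            # key -> deque of recent request timestamps

    def allow(self, key, now):
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # age out old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def evict_idle(self, now):
        # Forget keys with no recent hits so a client cycling through fresh
        # sessions or addresses cannot grow the table without bound.
        idle = [k for k, q in self.hits.items() if not q or now - q[-1] >= self.window]
        for k in idle:
            del self.hits[k]


def decide(requests, session_limit=5, anon_limit=2, window_s=10):
    """Return (timestamp, key, allowed) for each (timestamp, session_id, ip) record."""
    sessions = SlidingWindowLimiter(session_limit, window_s)
    anon = SlidingWindowLimiter(anon_limit, window_s)
    out = []
    for ts, session_id, ip in requests:
        if session_id:
            out.append((ts, session_id, sessions.allow(session_id, ts)))
        else:
            out.append((ts, ip, anon.allow(ip, ts)))
    return out


# Constructed sample: session "s1" fires 7 requests in 3 s, an anonymous client
# sends 3 in about 1 s, session "s2" sends one, then "s1" returns after the window.
SAMPLE = [(t, "s1", "203.0.113.5") for t in (0.0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0)]
SAMPLE += [(0.2, None, "198.51.100.9"), (0.6, None, "198.51.100.9"), (1.1, None, "198.51.100.9")]
SAMPLE += [(4.0, "s2", "203.0.113.7"), (12.0, "s1", "203.0.113.5")]

if __name__ == "__main__":
    for ts, key, ok in decide(SAMPLE):
        print(f"t={ts:5.1f} {key:14} {'allow' if ok else 'DENY'}")
```

The denied requests are the ones a WAF-less application layer would answer with a 429 (or simply drop) once the cheap, spoofable floods have been filtered upstream.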

fwipsy 4 days ago

> I made it up

I appreciate the honesty, at least

globie 4 days ago

This conclusion stems from the fact that it is much easier to launch a DDoS from a single server w/ spoofed traffic than to use a botnet. If you have a single 10Gig server, you will likely not be able to take down another 10Gig server unless the target is already doing near 1gbps[0]. I believe most "noise" DDoS which affects random website operators is considerably less than 10Gbps, and pretty much every giant attack uses spoofed traffic which can be blocked upstream without a WAF. So long as your upstream is big enough.

[0]: I made it up, again.

wmf 4 days ago

DDoS is distributed denial of service. It isn't coming from one server. It's now trivial to buy 100 Gbps or more of DDoS so sites would need 400G or more to simply eat it.

globie 4 days ago

If you have a single server flooding spoofed traffic, it appears as a DDoS to the victim. It's at this point that the distinction between DoS/DDoS breaks down slightly.

It is very much not "trivial" to buy 100Gbps+ of DDoS. I'm highly confident the majority of D/DoS attacks are from single servers, because it works. If you have a 10Gbit server and your target has 1Gbit (or you 1Gbit and them 100Mbit, it still happens), it's not a question of if you can take the target down, but how long you can sustain that traffic level before your upstream notices.

Painting every D/DoS as the most bandwidth ever is a play out of Cloudflare's marketing. If every website operator knew that 1, you don't need that much bigger of a pipe, and 2, you shouldn't buy pipes that charge you $20+/TB like AWS anyway, then Cloudflare would have a much harder time selling you a downgrade in quality, and we would have faster and cheaper networks to boot.

majke 3 days ago