Comment by immibis
5 days ago
Pretty much exactly like it does now but with less captchas.
Fun fact: Headless browsers can easily pass cloudflare captchas automatically. They're not actually captchaing - they're just a placebo. You just need to be coming from a residential IP address and using a real browser.
> Pretty much exactly like it does now but with less captchas.
This just isn't true. e.g. I saw a 30x increase in traffic on my forum due to AI bots that I had to use CF to block.
CF is mainly empowered by the naive ideals of the internet's design that never built-in countermeasures against bad actors. You're expected to just deal with it yourself somehow. And that means outsourcing it, especially as residential IP address botnets on unlimited ISP data plans become cheaper and cheaper.
Just ask yourself why web hosting providers themselves can't offer services at CF's level. It's because it's too hard of a problem even for them.
You didn't have to use CF to block them. You chose to use CF to block them. How was your experience with Anubis or https://git.gammaspectra.live/git/go-away?
Or you could simply... serve the requests. If your normal traffic is only, like, 1 request per minute, then 30x that is still pretty low and there's no actual reason to worry about it.
Web hosting providers don't offer bot blockers because first, they have no reason to care, and second, they can serve the requests, and third, some of them want to upsell you on bandwidth (you should prefer the ones with unmetered bandwidth).
BTW AFAIK there's still zero evidence that the massive DDoS wave has anything at all to do with AI. It could be, say, one of Russia's many small avenues of trying to break the West, or Cloudflare trying to get more business, or the NSA trying to make Cloudflare get more business because it's tapped into Cloudflare.
I don't want to serve the traffic at all. It's a popular forum that I run out of charity.
I would have to upgrade my infrastructure to serve 30x the traffic just for bots. And it's traffic that busts my cache because it hits all over my forum at once, like deep into page 64 of topics made years ago.
Or, I can use CloudFlare to block the bots.
I was referring to web hosts offering DDoS protection. Basically all of them null route you if you receive a big enough volumetric attack, even the ones that claim to offer DDoS protection.
Also, whether AI is behind specific DDoS current events isn't relevant to the point of AI bots multiplying automated internet traffic.
These work against the claim that the internet without CF would be a mere difference in captchas which is dismissive of real challenges faced by the modern internet.