Cloudflare - Tumblr Posts
Cloudflare lives in an interesting niche on the 'net. When we talk about the internet, we typically think of it as a bunch of "servers" (or "hosts", which "host" websites) and "clients" (like web browsers, which "receive" websites). In this model, a "client" (anyone with an internet connection) connects to a "server" and asks it for a website. The server will then give them that website. But, when we really get down to it, the server is just a computer, much like your laptop/desktop/phone/tablet, but instead of asking for (or "requesting") websites, it's configured to answer those requests.
Now, most people on the internet don't know the details of configuring a computer to answer (or "serve") these requests, so if they want to make a website, they'll pay somebody to run the actual "server"/"host" computer for them. There's a whole industry of "hosting providers" that will give you a computer (or "host") to put your website on. Then, all you have to do is point your domain name at your hosting provider (using a system called DNS, which I've talked about in the past) and everything starts working!
This is not what cloudflare does (ok, technically they have recently started doing this a little bit, but 99% of what they do isn't this). Almost nobody uses cloudflare as their hosting provider, because it's not really a service they offer. Cloudflare solves a different problem, one that I think literally everyone on the internet has heard of at this point: DoS or DDoS attacks.
We've all heard the term thrown around in different contexts, but for our purposes we're going to need to get a little more specific. When a computer is "serving" a website (responding to requests for it), it's like running an application on your computer; let's use a text editor as an example. Answering a request is similar to opening a new document, adding a few words, then closing it. Under normal conditions, this does not break your computer [citation needed]. In fact, your computer can probably handle tens of documents opening and closing at the same time without a hitch. However, if you wrote a program that opened and closed documents hundreds or even thousands of times every second, your entire computer would slow to a halt, CPU usage would go to 100%, and it would become totally unusable.
That is what a DoS (denial of service) attack is: sending far more (phony) requests than the server/host can handle, so that it can no longer answer any requests, legitimate or phony. DDoS is the same idea, but distributed (that's the first "D" in "DDoS"). In that case the requests come from thousands of different client computers, so there is no single address to block, and each individual source may look perfectly normal on its own. The details of how these attacks are actually run aren't super relevant here; attackers will usually also leverage several very technical tricks to make things even worse and even harder to block, but that's beside the point.
It used to be that anyone who could pay for a big enough network of computers could DDoS and successfully take down nearly any site on the internet. Because of this, a new type of service popped up: DDoS protection/mitigation (which is the 99% of cloudflare's business that I mentioned earlier). There are different ways to do DDoS protection, but the way cloudflare does it is by sticking themselves between the "client" (browser) and "server" (website host). From that position, they're able to examine every request from a client before it reaches the server/host and block it if they determine it to be part of an attack. So, if you're trying to connect to a Cloudflare-protected website, instead of connecting directly to the host/server, you will actually be connecting to cloudflare, who will then examine your request and only pass it on to the actual ("origin") server if they deem it to be safe. (One caveat: this only helps if the origin accepts traffic from cloudflare alone. If attackers find the origin's own address and it answers anyone who connects to it, they can simply go around the protection.)
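To make the "sit in the middle and decide per request" idea concrete, here's a toy version of that filter. This is an added example written for this explainer, not code from the original post and not how Cloudflare actually does it; the window length, the two thresholds, and every address and timestamp in the traffic below are made up for illustration. It keeps two sliding-window counters: one per client address (which catches the single-machine DoS from the text editor analogy) and one for the whole site (which catches the distributed case, where no single source is loud enough to trip a per-client limit).

```python
# Added example, not code from the original post or from Cloudflare: a toy version of the
# "sit between client and origin and decide per request" model described above.
# It is a sliding-window rate limiter with two counters: one per client address (catches a
# single-source DoS) and one for the whole site (catches a distributed flood in which no single
# source is loud). All addresses, timestamps and thresholds below are constructed for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0    # assumed window length
PER_CLIENT_LIMIT = 20    # assumed: requests one client may have forwarded inside the window
SITE_LIMIT = 400         # assumed: requests from everyone combined inside the window


class RequestFilter:
    """Decides, for each incoming request, whether to forward it to the origin or drop it."""

    def __init__(self, per_client_limit=PER_CLIENT_LIMIT, site_limit=SITE_LIMIT,
                 window=WINDOW_SECONDS):
        self.per_client_limit = per_client_limit
        self.site_limit = site_limit          # None disables the site-wide check
        self.window = window
        self.by_client = defaultdict(deque)   # client ip -> times of requests forwarded recently
        self.site = deque()                   # times of all requests forwarded recently

    def _expire(self, q, now):
        """Drop timestamps that have fallen out of the window (queues are in time order)."""
        while q and now - q[0] >= self.window:
            q.popleft()

    def decide(self, client_ip, now):
        """Return 'forward' or 'drop' for one request from client_ip arriving at time now."""
        q = self.by_client[client_ip]
        self._expire(q, now)
        self._expire(self.site, now)
        if len(q) >= self.per_client_limit:
            return "drop"    # one source hammering the site: classic single-source DoS
        if self.site_limit is not None and len(self.site) >= self.site_limit:
            return "drop"    # no single source is loud, but the total would swamp the origin
        q.append(now)        # only forwarded requests count; dropped ones never reach the origin
        self.site.append(now)
        return "forward"


def run_scenario(requests, **limits):
    """Replay (timestamp, client_ip) pairs through a fresh filter in time order.

    Returns two dicts: forwarded and dropped request counts per client address.
    """
    filt = RequestFilter(**limits)
    forwarded, dropped = defaultdict(int), defaultdict(int)
    for when, ip in sorted(requests):
        if filt.decide(ip, when) == "forward":
            forwarded[ip] += 1
        else:
            dropped[ip] += 1
    return dict(forwarded), dict(dropped)


VISITOR = "198.51.100.7"   # constructed: one ordinary visitor, 8 requests over 8 seconds
VISITOR_TRAFFIC = [(float(i), VISITOR) for i in range(8)]


def single_source_dos():
    """Constructed: the visitor plus one attacker sending 500 requests in 5 seconds."""
    attacker = [(i * 0.01, "203.0.113.9") for i in range(500)]
    return run_scenario(VISITOR_TRAFFIC + attacker)


def distributed_dos(per_client_only=False):
    """Constructed: the visitor plus 100 bots, each sending only 10 requests in 5 seconds.

    Every bot stays under PER_CLIENT_LIMIT, so a per-client limiter alone lets all
    1000 bot requests through; the site-wide counter is what catches the flood.
    """
    bots = [(i * 0.5, f"192.0.2.{b}") for b in range(100) for i in range(10)]
    site_limit = None if per_client_only else SITE_LIMIT
    return run_scenario(VISITOR_TRAFFIC + bots, site_limit=site_limit)


if __name__ == "__main__":
    fwd, drp = single_source_dos()
    print("single source: forwarded", fwd, "dropped", drp)
    fwd, drp = distributed_dos(per_client_only=True)
    print("distributed, per-client limit only: origin receives", sum(fwd.values()))
    fwd, drp = distributed_dos()
    print("distributed, plus site limit: origin receives", sum(fwd.values()),
          "visitor forwarded", fwd.get(VISITOR, 0), "dropped", drp.get(VISITOR, 0))
```

Two things worth noticing when you run it. In the single-source case the attacker gets 20 requests through and the other 480 are dropped while the visitor is untouched, which is the easy case. In the distributed case the per-client limit alone lets every one of the 1000 bot requests reach the origin; the site-wide cap stops the flood at 400, but it also drops most of the real visitor's requests, because a plain counter can't tell a bot from a person. That collateral damage is exactly why real mitigation looks at far more than request counts.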
This, if you haven't already gathered, is an incredibly valuable and useful service to anyone who wants to run a website. And cloudflare provides it for free. no strings attached. zero dollars. to anyone on the internet. A good metaphor for cloudflare is a home security system, but if those companies just gave out free systems to anyone who asked.
So, now that we all understand what cloudflare is and where they sit in the web ecosystem, I'm going to talk a little about the recent news (the kiwifarms ban) and why it's a much more interesting case than a typical website takedown.
Typically, when trying to get a website taken down, the usual targets are either a) the person who owns and runs the website or b) the web hosting provider that the owner is using. These are obvious targets because they cut the website off instantly and directly. To make an analogy, let's think of a website like a brick and mortar business. The owner of the website is the owner of the business, the hosting provider is the landlord that rents their space to them, and, to bring cloudflare into the picture, cloudflare is their anti-theft system (it could also be the lock on their front door, the alarms when someone smashes a window, etc, it doesn't really matter for the analogy).
If a business is shitty, the only ways to make them shut down would be to target either the owner or the landlord that they rent their physical "platform" from. In this case however, the target was Cloudflare, aka their anti-theft system. This is uncommon mostly because taking down the anti-theft system doesn't actually shut down the business. It just makes it possible for anyone else to break in and destroy things much more easily, which, in the case of kiwifarms, is a large enough group of people that without the anti-theft system, it would likely immediately succumb to attack. I, like most people, would not mind seeing kiwifarms succumbing to these attacks :P
However, what makes this much more interesting is looking at it through the lens of one of the core ideals of the internet: Net Neutrality. "Net Neutrality," in the sense most people are familiar with it, means that an ISP must be "neutral" in how it manages the internet traffic it carries. It's not allowed to treat traffic differently based on its source or destination. This means that a company like Hulu couldn't pay your ISP to start throttling all traffic going to Netflix so that Hulu looks better; the ISP is required to be neutral.
This is similar to the posture cloudflare has been trying to build, in that cloudflare has tried to position itself as a similarly "neutral" operation. They treat all traffic from all of their customers (the websites they protect) the exact same way, similar to how your ISP treats data from all of the websites you visit the exact same way. If cloudflare kicks a site off its service and forces it to use a different one, it's much like your ISP deciding to start blocking netflix, so that now you can only watch netflix on cellular data (which is usually provided by a different company).
Now, I don't want this to be misconstrued so I'm going to make myself 100% clear: I am so fucking glad kiwifarms is gone. What they did is beyond awful and I want to see them gone through any means possible. I also think that this is a very interesting test of cloudflare's posture around neutrality, which is something that has not really been tested before, and I'm curious to see where this goes in the future.
Anyways, hopefully this has revealed a bit more of the nuance around what cloudflare is and why we haven't heard about them banning websites before, despite them serving something like 10% of all internet traffic (that 10% number is from 2016, it's likely much more these days). I just wanted to put together a little explainer because this is a really unprecedented case and I've been watching it with a lot of interest. If you'd like to see cloudflare's official positions, those are up on their blog (1, 2) (which, by the way, I would highly recommend; their blog is great, especially for a technical audience).