Recently I have been getting cautious about Cloudflare. I do use them and like them a lot, and also enjoy reading their technical blog posts. However, from a privacy standpoint it makes me feel uneasy. Cloudflare is just everywhere now: HN, Stack Overflow, Reddit and countless other sites. You can block a cookie or a connection to a third-party script, but how do you block an internal proxy? All your cookies, credentials, heck, even the HTTP request and response go through them. Also, why is there a Cloudflare-specific cookie (__cfduid) on sites that may not prefer tracking users? (e.g. HN)
No, you're not being paranoid. The internet started off as a decentralized system and now we are seeing the emergence of more and more silos; Cloudflare is another one of these (albeit a special one, run by people that I would trust more than those running some of the other silos).
This is sorta an internet architecture question for those in the know. Assuming there's no issue with client reachability/latency, what's stopping CloudFlare from having a single IP?
Suppose the IP was behind a fat enough pipe, why not load balance behind it instead of DNS load-balancing in front of it (and additionally behind each as I presume now happens)? Also, if that IP was anycast then you could ignore the issue of client latency as well, assuming you have the necessary private network behind endpoints to manage state.
If you don't like/can't solve the problem at the level of IP anycast, why not leverage a third-party anycast DNS and just have a few fixed IPs for specific geographic locales, again with fat enough pipes and load balancing behind them.
I guess what I'm saying is that there's no reason for an organization, a monolithic entity, to have more than a handful of IP addresses at most.
My understanding is that they basically "fast flux" IPs to funnel traffic for a targeted attack to a specific data center. So, while you normally may be sharing IPs, if an enterprise customer's website example.com starts getting attacked they will put it on dedicated IPs, then broadcast those IPs from one or two data centers. They will then reroute all other enterprise traffic away from those data centers, thus minimizing the attack effect on other customers. If these websites were all on the same IP, it would be impossible to distribute traffic selectively between data centers like this.
Another thing they can do is use anycast to load balance across data centers. So, if a data center rather than a website is a target - the attackers will need to know which IPs to attack. They can start flooding the broadcasted IPs from a particular route. However, if this happens then hypothetically Cloudflare could just stop broadcasting the IPs at this particular data center, re-broadcast them at all the surrounding data centers, and basically spread out the attack load across multiple sites. If the attackers change the IPs that they target based on new routes, then Cloudflare can continue fast-fluxing the IPs every 5 minutes and mitigate the attack.
It's a pretty cool use of BGP and anycast, but being able to change the IPs of a website and where they are broadcast in real time is core to Cloudflare's security.
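The comment above describes withdrawing an anycast prefix at an attacked site so that neighbouring sites absorb the traffic. The toy model below (an added example, not code from the thread or from Cloudflare) makes that redistribution concrete and adds the check a capacity planner would want: whether the neighbours actually have headroom for the traffic that moves. PoP names, client regions, the latency table, offered traffic and capacities are all constructed, and clients are routed to the lowest-latency announcing PoP, which is a simplification of real BGP path selection.

```python
"""Toy model of per-PoP load when one anycast site stops announcing a prefix
and its neighbours keep announcing it.

Added example, not code from the thread or from Cloudflare. All names and
numbers are constructed. Clients go to the lowest-latency announcing PoP;
real BGP path selection is not a pure latency minimum, so this illustrates
the redistribution the comment describes rather than predicting routing.
"""

# constructed round-trip latency (ms) from each client region to each PoP
LATENCY = {
    "us-east": {"nyc": 5, "ams": 80, "sin": 220},
    "eu":      {"nyc": 85, "ams": 8, "sin": 170},
    "apac":    {"nyc": 210, "ams": 175, "sin": 10},
}
# constructed offered traffic per region and per-PoP capacity, in Gbit/s
OFFERED = {"us-east": 40, "eu": 30, "apac": 20}
CAPACITY = {"nyc": 60, "ams": 60, "sin": 30}


def nearest_pop(region, announcing, latency=LATENCY):
    """Return the lowest-latency PoP among those still announcing the prefix."""
    candidates = {pop: ms for pop, ms in latency[region].items() if pop in announcing}
    if not candidates:
        raise RuntimeError(f"no announcing PoP reachable from {region}")
    return min(candidates, key=candidates.get)


def load_by_pop(announcing, latency=LATENCY, offered=OFFERED):
    """Sum the traffic each announcing PoP absorbs under nearest-PoP routing."""
    load = {pop: 0 for pop in announcing}
    for region, gbps in offered.items():
        load[nearest_pop(region, announcing, latency)] += gbps
    return load


def withdraw(announcing, pop):
    """Stop announcing the prefix at one PoP; the others keep announcing it."""
    if pop not in announcing:
        raise ValueError(f"{pop} is not announcing the prefix")
    return frozenset(announcing) - {pop}


def overloaded(load, capacity=CAPACITY):
    """PoPs whose absorbed traffic exceeds their capacity, sorted by name."""
    return sorted(pop for pop, gbps in load.items() if gbps > capacity[pop])


if __name__ == "__main__":
    sites = frozenset(LATENCY["us-east"])
    before = load_by_pop(sites)
    after = load_by_pop(withdraw(sites, "nyc"))
    print("before:", before, "overloaded:", overloaded(before))
    print("after withdrawing nyc:", after, "overloaded:", overloaded(after))
```

With these constructed numbers, withdrawing the prefix at the attacked site moves all of us-east onto ams, which then exceeds its capacity: the technique spreads load only as far as the remaining sites have headroom, which is why the spare capacity of neighbouring sites matters as much as the routing trick itself.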
I wonder if this is one of those strategic deals that would lead to an acquisition. With the push surrounding cloud and Google actively competing hard in this space, it would make a lot of sense.
Problem is that (besides the brand) Cloudflare really has nothing to offer Google. Google has spent the last 20 years solving the same problems CF is aiming to solve; they've even got a competing service, Google PageSpeed, that does exactly what CF does, except better (in my personal experience).
It sounds like they are now peering directly. Google could also be operating Cloudflare's [Railgun](https://www.cloudflare.com/railgun) software at the edge of their network to reduce content transfer times.
What does this add? Before the partnership, could gce users not use cloudflare? Does the peering agreement result in lower transit costs on my gce bill?
It sounds like they now have a peering agreement so Google can directly communicate with CloudFlare's network, resulting in 2x faster performance. It looks like that's the primary benefit (other than the regular benefits of CloudFlare).
It's always been hard to DDoS sites protected by Cloudflare. Their business model is to promise to absorb any DDoS attack against you - and I think they've delivered so far.
Do we have to do anything special to make this work? We've already been using CloudFlare with our App Engine application, using a CNAME in CloudFlare DNS.
Yes. The NS records list reddit nameservers (usually you need to use CF nameservers for using their service; using your own nameservers requires more config) but the A records list CF IPs (free users just get two IPs, reddit has quite a lot)
reddit.com. 22 IN A 198.41.209.143
reddit.com. 22 IN A 198.41.208.141
reddit.com. 22 IN A 198.41.209.137
reddit.com. 22 IN A 198.41.208.139
reddit.com. 22 IN A 198.41.208.143
reddit.com. 22 IN A 198.41.208.142
reddit.com. 22 IN A 198.41.209.139
reddit.com. 22 IN A 198.41.209.141
reddit.com. 22 IN A 198.41.209.138
reddit.com. 22 IN A 198.41.209.140
reddit.com. 22 IN A 198.41.208.138
reddit.com. 22 IN A 198.41.208.137
reddit.com. 22 IN A 198.41.209.142
reddit.com. 22 IN A 198.41.208.140
reddit.com. 22 IN A 198.41.209.136
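The record list above is the manual version of a check worth automating: which of the names you care about resolve into a reverse proxy's address space, and so have their TLS terminated and their requests seen by that third party (the privacy question raised at the top of the thread). The script below is an added example, not code from the thread or from Cloudflare. The reddit.com lines in SAMPLE_RECORDS are the dig answers quoted in the comment above; the example.test line and the comment line are constructed. CF_IPV4 holds a few of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4; that list changes over time, so treat it as an assumption and refresh it from the source before relying on the result.

```python
"""Find which A records for a name fall inside a reverse-proxy provider's
published address ranges, i.e. which names are terminated by that proxy.

Added example, not code from the thread or from Cloudflare. CF_IPV4 is an
assumed subset of the ranges published at https://www.cloudflare.com/ips-v4;
refresh it from there. The example.test record and the comment line in
SAMPLE_RECORDS are constructed; the reddit.com lines are from the thread.
"""
import ipaddress
import re

CF_IPV4 = [ipaddress.ip_network(n) for n in (
    "198.41.128.0/17",
    "104.16.0.0/13",
    "172.64.0.0/13",
)]

# dig-style answer line: <name> <ttl> IN A <ipv4>
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\d+(?:\.\d+){3})$"
)

SAMPLE_RECORDS = """\
reddit.com. 22 IN A 198.41.209.143
reddit.com. 22 IN A 198.41.208.141
reddit.com. 22 IN A 198.41.209.137
example.test. 300 IN A 192.0.2.10
;; lines that are not A records are skipped
"""


def parse_a_records(text):
    """Yield (name, ttl, address) for each A record line; other lines are ignored."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m["name"].rstrip("."), int(m["ttl"]), m["addr"]


def behind_proxy(addr, networks=CF_IPV4):
    """True if the address (string or ip_address) lies in any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify(text, networks=CF_IPV4):
    """Group addresses per name into those inside the proxy ranges and those outside."""
    result = {}
    for name, _ttl, addr in parse_a_records(text):
        bucket = result.setdefault(name, {"proxied": [], "direct": []})
        key = "proxied" if behind_proxy(addr, networks) else "direct"
        bucket[key].append(addr)
    return result


if __name__ == "__main__":
    for name, buckets in classify(SAMPLE_RECORDS).items():
        print(name, buckets)
```

Feed it the output of `dig +noall +answer <name> A` for each name in your inventory. A name with addresses in both buckets is worth a second look, since a mix of proxied and direct records usually means the origin is reachable around the proxy, which defeats both the DDoS absorption and any access rules configured at the proxy.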
nivla | 11 years ago
Maybe I am just being paranoid...
jgrahamc | 11 years ago
2. People attack IP addresses. Handy to be able to change the IP address of a web site.
3. Countries block sites based on IP addresses. Handy to be able to move sites around to prevent collateral damage.
dmix | 11 years ago
It would fit in well with their silent yet never ending reach across the internet.
abritishguy | 11 years ago
That should be speeds.
runn1ng | 11 years ago
And that made me a little uneasy.
yla92 | 11 years ago
[1]: https://projectshield.withgoogle.com/en/
growthape | 11 years ago
And that's what they have built using Google Cloud Platform: http://www.cloudways.com/en/managed-google-compute-engine.ph...
oaktowner | 11 years ago
Not sure why you think most Google Cloud Services are in beta.
The Google Cloud products page [1] lists 17 main products. Two are in alpha (Container Engine, Deployment Manager), one is in beta (Pub/Sub).
The rest are fully supported. There are some beta features here and there...but saying "most" are in beta is certainly not correct.
[1] https://cloud.google.com/products/