Cloudflare reports almost 7% of internet traffic is malicious (zdnet.com)
67 points by isaacfrond on July 17, 2024 | hide | past | favorite | 22 comments


That seems... really low? I would've expected way, WAY more than that.

Even later on in the report, they say:

> 31.2% of all application traffic processed by Cloudflare is bot traffic. [...] 93% of bots we identified were unverified bots, and potentially malicious.

So I guess there's a wide range there, from 7% verified at the low end, up to maybe 30% at the higher, hypothetical end?


30% is plain ridiculous. Cloudflare is believed to count as bots even the real users who fail their verification, including:

- people with older browsers who fail it automatically due to unsupported features

- whoever gets stuck in captcha loops and gives up eventually

- whoever has a slow internet connection and gives up during the verification process

This happens to be a lot of people, especially the less technical ones with less access to good technology, which is why we rarely hear complaints on HN.

This way, the Cloudflare people can tell you some completely made up numbers, like "This month we blocked one gazillion malicious bots and saved you 30 yottabytes of data", which makes it look like they're doing something of value instead of making the internet a more closed, restricted, corporate and centralized place.


Interesting. I tend to bail immediately when presented with a captcha rather than bother trying to get past it. I had no idea this meant I was counted as a bot!


Lol, bots are probably better at solving them these days than we are, anyway. CAPTCHAs go both ways, y'know...


It takes about 4 tries until all challenge-related stuff is discovered and added manually to the uMatrix whitelist for every Cloudflare-protected site (as it does not have a preset for it like for reCAPTCHA).


I would go with the lower 7% estimate today. The last major traffic sink in Internet history was ASCII email-spam, Internet oldsters of every gender pummeled with penis enhancement devices and 411 traffic. It was discussed a lot on the NANOG mailing list 1995-2005 and major portions of IPv4 space were NOT partitioned very well between customer ISP space and their server farms... so from international sources you could expect valid email to come from any address.

The other 'spam' of the time was ICMP traffic. Nets were so flaky in those days everyone who could write a script was running pings to what remote servers they had. Many were idiots that didn't even realize you can send small pings with no padded payloads. And of course there were ICMP reflection attacks from bad actors with incredible payloads and address spoofing. So one number I remember is that combined spam-email and ICMP demanded 50% of bandwidth at times. But remember, at the time the principal use of the net was to move ASCII and ASCII-compressed content.

While the botspam of today probably exceeds any historical levels, the percentage is low because bots do not watch or serve video. The botspam is spoofing humans on websites and port probing for automated exploit.


I would personally consider ad tracking networks malicious too, so I think that's pretty low, yeah :)


Now apply that number to MAUs for various applications.


The call is coming from inside the house, the majority of DDoS-for-hire services are hiding behind Cloudflare.


This talking point is tired. They would just pay $100/month for ddos-guard. I don't understand why Cloudflare should be forced to screen customers by default or held to a standard that no other Internet business is. Why not go up the chain and start protesting outside Verisign HQ?


Cloudflare likes using their extensive knowledge of everything on the internet for marketing purposes. When it comes to their customers they suddenly know nothing. I think calling it out until they change either side of that is reasonable.


While malicious traffic is a threat, so is the internet police going after political content. I think Cloudflare made some mistakes here in the past and indeed it was for content that you hardly can garner sympathy for. But the important thing is that they are not a gatekeeper and that is very fine with me.


> I don't understand why Cloudflare should be forced to screen customers by default

It's very common for reputable hosting companies to KYC/KYB.

It's good for them & also good for their legit customers.


It's not good for their legit customers that are politically unpopular. Porn/Adult hosting services get a lot of trouble for this exact reason.


What you're describing is the modern (digital) version of "sin tax".

Where government-identified categories like smoking, alcohol and pornography are defined by governments to be potentially harmful to their citizens. So as a hosting company, you're in a weird spot because it's not clear if you can/cannot do business with those types of companies.


Yes but there's no law requiring this and it raises their bounce rate. I don't see any evidence that if law enforcement asked them to shut down a domain that they wouldn't. DDoS as a service existed long before Cloudflare and in its simplest form just requires messaging someone on a forum with a target.



Crime is up in your neighborhood, says company that sells burglar alarms.


Crime exists, says company that sells burglar alarms.


> In one case, attackers attempted to exploit a JetBrains TeamCity DevOps authentication bypass a mere 22 minutes after the proof-of-concept code was published.

Ha, I wonder if an LLM can be told to "code an exploit from this proof-of-concept, find hosts where this app is running and give me admin access"...


It's a shame that the actual report is buried behind the marketing BS "give me your email to get the report" stuff.


That's all?



