Scaling CloudFlare's Massive WAF (scalescale.com)
68 points by mxpxrocks10 on Dec 31, 2014 | hide | past | favorite | 20 comments


Also, I want to point out that many people at Cloudflare were involved with the optimization of the WAF at Cloudflare including @agentzh https://twitter.com/agentzh He also did a fantastic presentation at nginxconf!


agentzh has certainly helped CloudFlare a lot by delivering an amazing Lua framework, which CloudFlare's WAF rules are written in. He has also been instrumental in the development of CloudFlare's Core CDN v2, aka cloudflare-nginx [1].

(I wrote a good chunk of said Core CDN v1 and v2, some time ago).

[1] http://blog.cloudflare.com/2013-refactoring-2014-stepping-on...


Here's the video from nginxconf

https://www.youtube.com/watch?v=Z0fQabvVhIk


thanks for posting this - woot woot.


agentzh's work is amazing. Real definition of a 10x or 100x developer.


Yes, agentzh helped a lot once I'd written the initial WAF code.


Cloudflare blocks comment-spam? That's pretty interesting to hear and not a trivial problem.

I've been running http://blogspam.net/ for the past few years to filter comment-spam from blogs, forums, etc, and it isn't an easy thing to manage.


I was always wondering what CloudFare does.


How soon until botnets & malware routinely bypass DNS and instead use host files compiled from simple subdomain pings (and other vectors for IP address leaks) and passed about like password lists?


If the target server is set up to only accept requests from certain IPs like the Cloudflare IPs then this shouldn't be a problem.


That doesn't seem to be common.


It would be if such a list got distributed. Simple iptables or webserver config. Could you think of a way to make it easier?
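The "simple iptables config" the two comments above describe, as an added example that is not from any commenter or from Cloudflare: a dry-run script that emits the rules restricting the origin's web ports to a reverse proxy's published ranges, so leaked origin IPs cannot be hit directly. The ranges in PROXY_RANGES are RFC 5737 documentation placeholders standing in for the provider's real published list, and the chain name PROXY_ONLY is an assumption.

```shell
#!/bin/sh
# Print (do not apply) iptables rules that let only the reverse proxy's
# ranges reach the origin's web ports. Review the output, then pipe it to sh.
# PROXY_RANGES below holds constructed placeholder ranges (RFC 5737), not the
# real proxy ranges; refresh it from the provider's published list.

PROXY_RANGES="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# gen_origin_rules CHAIN PORTS
# Emits: a fresh chain, one ACCEPT per proxy range, a final DROP for everything
# else, and an INPUT hook that routes only the given TCP ports into the chain.
gen_origin_rules() {
    chain=$1
    ports=$2
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    printf '%s\n' "$PROXY_RANGES" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$cidr"
    done
    # Anything on these ports that did not come through the proxy is dropped.
    printf 'iptables -A %s -j DROP\n' "$chain"
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -j %s\n' "$ports" "$chain"
}

# count_allow_rules CHAIN: number of ACCEPT rules that would be emitted, a
# sanity check that the whole range list was consumed before the DROP.
count_allow_rules() {
    gen_origin_rules "$1" 80,443 | grep -c -- '-j ACCEPT'
}

gen_origin_rules PROXY_ONLY 80,443
```

SSH and other management ports are deliberately left out of the hook, so the allowlist only governs the traffic the proxy is meant to front.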


I'm sure they are doing a lot of great work. However, I really do not like the idea of having one company to serve all major websites of the internet. Should one not focus on a better solution to ddos-attacks than putting everything into the hands of a single entity..?


It's not hard to make your own Cloudflare-alike. I helped bootstrap this for an organization in the non-profit space which now serves dozens of threatened web sites. I even created a monitoring/rotation system that takes care of much of the minute-to-minute work. The hard part outside state funding is making it profitable / sustainable for real emergencies. But the nature of DDOS is it's largely about fighting fire with fire, so it basically needs a lot of distributed hosts.

This is an area I'd like to see a peer solution be successful, a bittorrent for hosting with no central dependencies.


right on. what did you use for your stack when you bootstrapped?


Pretty basic stuff. Apache traffic server, nagios, the monitoring/rotation is in nodejs, some scripts to tie it together and a lot of cheap VMs around the world. You can learn more about it at https://wiki.deflect.ca/wiki/Main_Page , but I'm no longer involved in that project.


I guess it comes down to how easy it is to set up and forget about it.

It may not be what the general user likes but it is so easy to set up that it becomes prevalent.

Unlike sibling I won't ask what you've done in this regard but I'll leave the request for a list of what alternatives are currently available.


Fully agree that the ease of use combined with a lack of alternatives makes a compelling argument pro CF.

And I'm afraid I cannot think of a better solution than to at least hope that foreseeable competition will lead to the big sites being spread among several reverse-proxying companies - instead of them all being served by CF. So far, they seem to be doing great work and consequently outperform everyone else.


>I really do not like the idea of having one company to serve all major websites of the internet

So what are you doing about this? Have you started working on something one can contribute to?


Does one need to offer an alternative for voicing a concern?

