Do Not Put Your Site Behind Cloudflare If You Don't Need To
Source: huijzer.xyz (tech story, high profile). Key topics: Cloudflare, CDN, DDoS protection, web hosting.
Related: Cloudflare Global Network experiencing issues - https://news.ycombinator.com/item?id=45963780
The article advises against using Cloudflare if not necessary, sparking a debate on the benefits and drawbacks of using Cloudflare for web hosting and DDoS protection.
Snapshot generated from the HN discussion
Key moments
- Story posted: Nov 18, 2025 at 7:54 AM EST
- First comment: Nov 18, 2025 at 9:24 AM EST (1h after posting)
- Peak activity: 159 comments in Day 1
- Latest activity: Dec 2, 2025 at 7:12 AM EST
ID: 45965060. Type: story. Last synced: 11/20/2025, 8:28:07 PM
> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.
Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.
Still a bit weird to pretend we now have cyber weather that takes our webpages down.
The reaction to AWS US-East-1 going down demonstrates this. As so many others were in the same boat, companies got a pass on their infrastructure failing. Everyone was understanding.
But now, when one of these services breaks, everything on the internet goes down. And it is a lot easier to explain to your director of engineering that the whole internet is down than to say that your custom home-rolled storage system fell over, or whatever esoteric infrastructure failure you may run into doing it yourself.
We once had a Cloudflare outage. My CEO asked me to "mitigate it". I hit him back with: okay, but that'll take me weeks/months potentially, since we're tiny. Do you really want to take away that many resources just to mitigate a once-every-few-years half-the-internet-is-down issue?
He got it really quickly.
I did mitigate certain issues that were just too common not to, but when it comes to this sort of thing, you gotta ask "is it worth it"
Edit: If you're so small that Cloudflare isn't needed, then you don't care if you go down when half the internet does. If you're so big that you need Cloudflare, you don't wanna build that sort of feature set. The perfect problem.
If you're using other features like page rules you may need to stand up additional infrastructure to handle things like URI rewrites.
If you're using CDN, your backend might not be powerful enough to serve static assets without Cloudflare.
If you're using all of the above, your work to temporarily disable it becomes fairly complicated.
Suddenly you're not blocking bots or malicious traffic. How many spam submissions or fake sales or other kinds of abuse are you dealing with? Is the rest of your organization ready to handle that?
DDoS protection is one nice side effect of privacy, but I'd imagine there are others too.
I have never heard this before. Anonymity from what? From people knowing your Hetzner ip? I don't know what you're keeping private.
And besides, Cloudflare Tunnel is distinct from (though it integrates with) the cdn product.
Depends on the frame of reference of “single point-of-failure”.
In the context of technical SPOFs, sure. It’s a distributed system across multiple geographies and failure domains to mitigate disaster in the event any one of those failure domains, well, fails.
It doesn’t fix that technology is operated by humans who form part of the sociotechnical system and build their own feedback loops (whose failures may not be, in fact are likely not going to be, independent events).
SPOFs also need to contemplate the resilience and independence of the operators of the system from the managing organisation. There is one company that bears accountability for operating CF infra. The pressures, headwinds, policies and culture of that organisation can still influence a failure in their supposedly fully distributed and immune system.
For most people hosting behind Cloudflare probably makes sense. But you need to understand what you’re giving up in doing so, or what you’re sacrificing in that process. For others, this will lead to a decision _not_ to use them and that’s also okay.
Are these common?
I guess by using Cloudflare you are pooling your connection with other services that are afraid of being DDoSed and actively targeted, whether by politics or by sheer volume. Unless you have volume or political motivations, it might be better not to pool (or to pool for other purposes).
The last I saw you can hire DDoS as a service for like $5 for a short DDoS, and many hosts will terminate clients who get DDoSed.
It's incredible we took a decentralized model and centralized it with things like Cloudflare and social media. I think we need pushback on this somehow, but it's hard right now to see how it's possible. I think the recent talk about federation has been helpful and with the world falling into right-wing dictatorships, this privacy and decentralization is more important than ever.
As for people… A programming club I attended is filled with people who run homelabs, use Linux and generally dislike anything corporate. The project to switch communication off Discord is now more than a year old. I do feel sometimes that resistance against corporate internet is futile.
Self hosting will also bring its own set of problems and costs.
Something like TTL 86400 gets you over a lot of outages just because all the caches will still have your entries.
You can also separate your DNS provider from your registrar, so that you can switch DNS providers if your registrar is still online.
> Fair point but you also get exposed if the dns provider has an outage
The usual workaround here is to put two IP addresses in your A record, one that points to your main server on hosting provider A, and the other to your mirror server on hosting provider B.
If your DNS provider goes down, cached DNS should still contain both IPs. And if one of your hosting providers goes down as well, clients should timeout and then fallback to the other IP (I believe all major browsers implement this).
Of course this is extra hassle/cost to maintain, and if you aren't quite careful in selecting hosting providers A and B, there's a good chance they have coordinated failures anyway (i.e. both have a dependency on some 3rd party like AWS/Cloudflare).
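The client-side fallback the comment above relies on, as an added example that is not part of the thread: a client works through every address the A record gave it with a per-attempt timeout, so one dead mirror cannot hang the whole connection. The demo uses a constructed local listener as the healthy mirror and a closed loopback port as the dead one.

```python
import socket
import threading


def connect_with_fallback(candidates, timeout=1.0):
    """Try each (host, port) in order and return the first one that accepts a
    TCP connection, or None if every candidate fails.

    Each attempt is bounded by `timeout`, which is what makes multi-address
    A records useful: a mirror that is down costs at most `timeout` seconds
    before the client moves on, instead of blocking indefinitely.
    """
    for host, port in candidates:
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            sock.close()
            return (host, port)
        except OSError:
            # Connection refused, unreachable network or timeout: try the next.
            continue
    return None


def _serve_once(srv):
    # Accept a single connection on the constructed "healthy mirror".
    conn, _ = srv.accept()
    conn.close()


def demo():
    """Constructed scenario: the dead mirror is listed first (as a real DNS
    answer might order it), the healthy mirror second. Returns the address
    the client ended up on, which should be the healthy one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    healthy_port = srv.getsockname()[1]

    # Reserve and immediately release an ephemeral port so that connecting to
    # it is refused: that stands in for the mirror that is offline.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]
    tmp.close()

    threading.Thread(target=_serve_once, args=(srv,), daemon=True).start()
    chosen = connect_with_fallback(
        [("127.0.0.1", dead_port), ("127.0.0.1", healthy_port)], timeout=0.5
    )
    srv.close()
    return chosen == ("127.0.0.1", healthy_port)


if __name__ == "__main__":
    print("fell back to healthy mirror:", demo())
```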
I would have shared BleepingComputer's blog post about the same attack but it's behind Cloudflare haha
But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.
Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...
I see many people saying this but be honest, do you know this for sure or are you just guessing? I've experienced DDoS so I know I'm not just guessing when I say that if your website gets DDoSed your hosting service would just take your website down for good. Then good luck running circles around their support staff to bring your website back up again. Maybe it won't kill your business but it'll surely create a lot of bad PR when your customers find out how you let a simple DDoS attack spiral out of control so bad that your host is refusing to run your website anymore.
you don't have control about them in the first place
Seriously: having someone in charge of your first-line traffic that is aware of today's security landscape is worth it. Even if they require an upgrade to the "enterprise plan" before actually helping you out.
Citation direly needed.
In particular I wonder: Who is that total mass of sites where you consider most being better off using cloudflare? I would be curious on what facts you base your assumption. How was the catalog of "all" procured? How are you so confident that "most" of this catalogue are better off using cf? Do you know lots of internals about how strangers (to you) run their sites? If so, mind sharing them?
Most. A lot of simple sites are hosted at providers that will be taken down themselves by run-of-the-mill DDOS attacks.
So, what will such providers do when confronted with that scenario? Nuke your simple site (and most likely the associated DNS hosting and email) from orbit.
Recovering from that will take several days, if not weeks, if not forever.
Dud(ett)e, it's a message board comment, not a scientific study.
But do you really doubt that most ISPs will gladly disable your 1Gb/s home-slash-SMB connection for the rest of the month in face of an incoming 1Tb/s DDOS? Sure, they'll refund your €29,95, but... that's about it, and you should probably be happy they don't disconnect you permanently?
There's no but... - just claims you made that I dared to question just for fundamentals, which obviously you want to dodge. I won't go as far as questioning your intellectual honesty here, but I really have a hard time seeing it. So now for reals, good day
In fact, I expect my host to kick weird porn websites from their servers so that I don't have any bad neighbours, we're running legitimate businesses here sir.
Maybe they'd push me into upgrading my server, as a sort of way of charging me for the increased resources, which is fine. If I'm coasting on a 7$ VPS and my host tanks a DDoS like a hero, sure, let's set up a 50-100$ dedicated server man.
In business loyalty pays and it goes both ways.
I have more than 1 hosting provider though, so I can reroute if needed, and even choose not to reroute to avoid infecting other services, isolating the ddosed asset.
If this is their core argument for not using a CDN, then this post sounds like terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives a DDoS, your host will take down your server. Nobody wants to be in this situation even if for a personal, small blog.
I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?
Have you experienced a targeted DDoS attack on your personal site? I have. I too had this attitude like yours when I didn't know how nasty targeted DDoS attacks can get.
If you're not too worried about someone DDoSing your personal site, then your host taking your website down and then you having to run circles around their support staff to bring back the website up again, then I guess, you don't have a problem. It's nice that you don't care. (Honestly speaking. Not being sarcastic at all.)
Personally, I wouldn't mind DDoS on my personal site if the problem was just the DDoS. Unfortunately, mostly it isn't. A DDoS has other repercussions which I don't want to deal with exactly because it's a personal site. I just don't want to spend time with customer support staff to find out if and when I can bring my website back up again. DDoS on my personal website by itself isn't all that bad for me. But having to deal with the fallout is a pain in the neck.
These are very different situations. With a DDoS the disruption ends when the attack ends, and your site should become available without any intervention. Your host taking down your site is a whole different matter, you have to take action to fix it, waiting won't do it.
It is obvious those two are very different situations. I'm not sure I understand the point. Of course, nobody will be bothered by a short 15 minute DDoS attack. I probably wouldn't even notice it unless I'm actively checking the logs. But DDoS attacks are rarely that short. When someone is DDoSing you, they're doing it with a purpose. Maybe they're just pissed at you.
My point is that a sustained DDoS attack will just make your host drop you. So one situation directly leads to another and you are forced to deal with both situations, like it or not.
I'd love to see someone suing the host for damages. The contract binds them as much as it binds you.
Sounds like a good way to have your next gaming rig financed.
Your host taking down the site and forgetting to bring it back up after a DDoS attack isn't a common thing with any host, unless it's the kind that does this routinely even without a DDoS. And then you should look long and hard at your choice of hosting.
Either you suffer from a DDoS attack and come back when it's over, or you have a host that occasionally brings your site down and fails to bring it up until you chase them. But one does not follow the other without a lot of twisting.
How does taking the site down stop the DDOS attack?
Isn't the host network still being bombarded by garbage packets, even if there isn't anything there listening?
Or is routing the destination IP to /dev/null enough to blunt the attack?
I know there are different kinds of attacks (e.g. some that are content based, impacting the individual server), but I thought most of them were just "legit" requests storming through the door that the server can't keep up with.
Having the site taken down after the fact, as a "risk to infrastructure" that the host can't afford, that's a different issue.
Internet packets have to travel through many routers between the source of the attack and the server they're attacking. At each step the routers usually get smaller. The smaller routers are less able to withstand the amount of traffic destined for one server, which means they can't route traffic to all the other servers that are not under attack. A common strategy is to drop the traffic at a much farther away router, thus protecting the smaller routers, thus protecting all the other servers.
The host network would definitely still be affected by the DDoS, which is why the strategy is often to "blackhole" the traffic farther away from the individual server racks.
I see people say "route traffic to /dev/null" all the time, but I personally try to reserve that for the individual servers or the nearest router, just to avoid your exact confusion.
Depending on how well designed any specific network is, the "hug of death" which has taken down many sites would also degrade the performance of the peers next to that server. Which is why many ISPs are quick to block the traffic farther away: to protect not you but their other customers.
To be fair (pedantic), if it's part of a DDoS, it's not a legit request. Depending on the capabilities of the attackers, they will either choose obviously invalid requests because those take longer to process or exclusively valid requests which take longer to process. It is generally speaking much easier to send valid well-formed requests because that's what most libraries exist to do. You're often writing custom code if you want to send an invalid request because that is a bug in other cases.
I was thinking more things being done to the actual machine the site was hosted on.
Assume a "personal" blog or site is not making money for the owner, and they have backups of the site to restore if the VM gets wiped or defaced. Why spend money on DDoS protection if it is unlikely to ever occur, much less affect someone monetarily?
You already experienced the downtime, so if not having downtime was a goal you already failed. If avoiding downtime is not important then there's no reason to add anti-downtime capability to your system. The most charitable modeling of this approach is that the downtime incident may prompt one to realize that avoiding downtime actually is an important property for their system to possess.
You don't care about going down once, you do care about frequent outages.
So again, if staying dry in the rain is important to you, buy an umbrella before the rain, if you don't care about getting wet from time to time, then no need for the umbrella.
While the personal blog owner may not care about DDoS related downtime, he may face extra usage charges due to higher bandwidth, CPU usage, etc that he'd like to avoid.
It also isn't a good analogy because insurance doesn't apply retroactively to wrecks that happened before start of term, and is event-based rather than providing continuous value.
This is not considering other issues with Cloudflare, like them MITM the entire internet and effectively being an unregulated internet gatekeeper.
Insurance for physical things is different for services, they don't map as an analogy. A better one would be, Because you buy a new car every hour, it's like buying insurance for every car after someone steals your 700th car.
When the bad guys want to DDoS the personal blog website they don’t go and figure out the correct amount they need to send to fill up that pipe/tube that directly connects the personal blog website, they just throw roughly one metric fton at it. This causes the pipes/tubes before the personal blog website to fill up too, and has the effect of disrupting all the other pipes/tubes downstream.
The result is your hosting provider is pissed because their infrastructure just got pummeled, or if you’re hosting that on your home/business ISP they also are pissed. In both cases they probably want to fire you now.
See: BGP Blackhole Community (usually 65535:666).
Instead it will protect me for free:
https://www.hetzner.com/unternehmen/ddos-schutz
Sure maybe you'll get lucky and they waive it.
But sometimes going down is a feature if you're not a multi m/billion dollar business
Especially when you are facing "infected machines by the millions".
Your server will keep existing if Cloudflare just drops their free service, effectively going down for the DDoSers but still available for your own access directly.
In Russia (I have nothing against Russia - I just know this info about “Дождь ТВ”), some news websites have been targeted by state-backed DDoS attacks, but I highly doubt most people are in this category.
This is a good essay: https://inoticeiamconfused.substack.com/p/ive-never-had-a-re...
Lol I didn't even notice that my submission reached the front page. What is your evidence for that claim?
Your host, assuming you're hosting your site on a VPS. Many of them have a policy of terminating clients who get DDoSed.
I also blocked all the AI crawlers after moving to CloudFlare and have stopped a huge amount of traffic theft with it.
My website is definitely much more stable, and loads insanely faster, since moving to CloudFlare.
It's not because it's not a criticism that it's a sponsored post.
I happen to have multiple sites that use the same technology (WordPress, with the same few plugins and the same theme) running on the same server, with one behind CloudFlare and one not. Left value is with CloudFlare, right is without:
- First Contentful Paint: 0.4s - 0.7s
- Largest Contentful Paint: 0.8s - 0.9s
- Total Blocking Time: 0 ms - 0 ms
- Cumulative Layout Shift: 0 - 0
- Speed Index: 0.4s - 8.9s
The difference is quite staggering, and I'm located pretty close to my server (a Hetzner VPS), I can't imagine the difference for someone that lives across the world.
NARRATOR:
- "Has THIS ever happened to you?"
CUT TO:
Black-and-white. Some guy stares in frustration and confusion at a terminal. Output of 'cat /usr/bin/gcc | xxd' or whatever scroll by.
NARRATOR:
- "Introducing CloudFlare™!"
CUT TO:
Full color. Sunlight. The same guy now sprawled on grass at a park. Two dogs tackle him with adoration. His kids hand him ice cream.
NARRATOR:
- "Stop debugging. Start living."
Re-reading it you're right, but ultimately the last sentence aims at directly answering this question from the parent:
> If you added up all the outage time caused by DDOS and all the outage time caused by being behind auxiliary services that have their own outages... I wonder which would be larger?
Add all this together and you have an extremely not basic setup at all anymore.
What are the response times of requests between CF and accessing them directly?
It used to be apple.
What is the benefit to having small blogs be decentralized?
Did you consider and discard the eventuality that all the other ISP have gone out of business because everyone just uses cloudflare?
Invasive species destroy ecosystems.
The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
I'd rather advocate for a solution that doesn't induce centralization. Because that still does. It's a weird suggestion to pay twice. I'm assuming in your hypothetical, Cloudflare not only doesn't ever go down, but also absorbs only malicious traffic, and not any organic? Why should Cloudflare do that and not my primary host? I'll assume I have XX to spend on hosting. You don't see how, if I dedicate half of that to Cloudflare and half to the real host, that might limit what the real host can charge? If the real host can't charge enough to fund R&D on services like basic DDoS protection or other traffic shaping, how I would then become dependent on Cloudflare? And now hey, Cloudflare has other services, and I don't like the extra overhead of paying multiple services... I'll just move everything to Cloudflare because they're bigger and do both...
sigh
> The 'Invasive species destroy ecosystems' quote sounds good, but what exactly does it mean in this case? What is the species, and what is it invading?
I'm comparing Cloudflare to any species that enters an existing system that has developed a natural ecological balance that includes diversity. Which then proceeds to grow for the sake of growth, consuming resources at an unsustainable rate; destroying the diversity that previously existed.
Destroying that diversity is bad because that diversity is what gives the system as a whole resistance to catastrophic events.
Like huge parts of the Internet going down because someone wanted to ship their project before the holidays, in time for their perf review.
The argument being: we should view Cloudflare's growth, and consumption and takeover of the resources of the Internet as a whole, similar to the way we view other invasive species. It destroys the good parts of an existing system in a way that is almost impossible to recover from. Resulting in a much more fragile system. One that's now vulnerable to single events that take down "everything". A healthy system would be able to absorb such an event without destabilizing the whole thing.
There seem to be two views. One forward looking and one not. The forward looking view appropriately recognizes the threat of centralization. Centralization crushes small businesses (and small blogs), leads to censorship (see YouTube et al.), and destroys competition. No one on the planet can compete with Cloudflare pound for pound and thus if they decide your site is bad based on $CURRENT_ZEITGEIST you're SOL. You may as well not exist. We already have plenty of evidence from 2016 to now of this occurring via a large conspiracy between big tech and government.
The non-forward looking view naively closes their eyes and says "well we aren't there yet so what does it matter". This is how rights erode. It is a shame people with this view are allowed to vote and breed.
I don't see how youtube can be an example here. You can post most things to youtube but might not be able to monetize them. Of course there will be limits to the things you post on someone else's server.
> No one on the planet can compete with cloudflare pound for pound and thus if they decide your site is bad based on $CURRENT_ZEITGEIST you're SOL. You may as well not exist.
What are you talking about here? You could just disable cloudflare proxying of your site, change your nameservers and be off of them no?
Nice, you root caused it too. I couldn't agree more.
less reliable (more hops -> less reliable)
dependence on the US regime
You’d see those same errors if someone took their own site down while working on it, probably accidentally.
I am hosted on Cloudflare but my stack is also capable of running on a single server if needed; most libraries are not designed with this in mind.
I’m also wondering if all these recent outages are connected to cyber attacks, the timing is strange.
209 more comments available on Hacker News