Hacker News new | ask | show | jobs
by cnst 2444 days ago
The problem is that it's often uninformed choice. Some people at LAX, for example, decided that my whole AS has no business accessing their website. (Yes, an international airport blocking international visitors — how cute.) And Cloudflare is the enabler.

Notice that you never see Akamai presenting these messages that you've been blocked.

Most of these pages where you get blocked are something that looks entirely static, should be cachable with the most basic nginx if dynamically generated, yet Cloudflare tells everyone that they need to protect such content from the users. (Some of their newer competitors that protect from more "bots" are even worse, BTW.)
2 comments
mdkdog 2444 days ago
I don't use cf, I'm running some mail services but i do block entire AS's after 5 brute force attacks from different IP addresses from same AS regardless of country of origin. This are always modem / routers left with default password, IP cameras with default password, various IoT devices with default password or all of the above with vulnerable firmware with CVE's dating way back. I think that if you are unable or can't be bothered to change the default password for your device you don't deserve internet access. There is much need for something like natural selection on the internet. It is getting to crowded out there.
link
oefrha 2443 days ago
An AS with an /8 is decidedly different from an AS with a /24. There could easily be millions of complete strangers behind a single ISP AS. Not saying you can’t choose whatever criteria for your service, but trying to pass off five-different-attacker-IPs-per-AS as fair is silly.

Edit: Even the CIDR block size isn’t a good indicator of the actual network size, due to NAT.

link
judge2020 2444 days ago
Their AS blocking functionality is based on the free "maxmind geoip2 ASN" database, LAX could have chosen to set up a nginx module or site middleware to perform the same block. CF's service offering is making this configuration easier and shifting thinks like having to update the DB onto CF.
link
cnst 2444 days ago
And how's that any better? What's the likelihood that LAX would bother to block my AS if it wasn't a simply click courtesy of Cloudflare?

It's like that IBM saying: no-one's been fired for buying IBM. Doesn't make it a good choice, though.

link