>Eventually Cloudflare gave them the IP address of my server and the ciu-online.net people were able to determine that IP address was owned by Hetzner.
Wait... isn't the point of paying Cloudflare to prevent DoS attacks?
I guess if you want to do a DoS attack, send a few bogus DMCA notices to Cloudflare first to get the real IP of the server they're supposed to be protecting. Then you can hammer the server directly without Cloudflare getting in the way.
No trail leading to the DDoS attack, which would be executed by a botnet from compromised home computers, and paid for in bitcoin passed via a mixer, or something.
>Wait... isn't the point of paying Cloudflare to prevent DoS attacks?
Hahahahahaha..
Cloudflare exists to get in the way of your users from accessing your site and you who are trying to run a site. They claim to be an anti-DoS service but I've never seen any evidence they actually do that. I still get Cloudflare messages aplenty that the website is down. And of course that moronic time waster where it wants me to perform a captcha constantly without actually serving the captcha.
They do provide a pretty decent anti-ddos service. They regularly sink gigabytes of traffic before it hits our origin servers. There's lots to complain about them, but this is something they actually do well.
Don't know why it didn't work for you, but there are a few things that can trip up ops.
That has not at all been my experience with Cloudflare. At a previous job, it took us just a few hours to set up and configure all the options and WAF details, etc., then they took our drive-by probes and bot spam from thousands per day to near zero. Over the course of the next year, we had less than 3 reports of blocked access from real humans; one was traveling and another was behind a shared IP organization. Is it possible some customers were blocked and left frustrated without ever telling us? Yes, but that business kept growing, and it was in an industry where most of our customers were repeat dealers that would let us know very quickly if they couldn't access the website. So if there were false positives, there weren't many.
Cloudflare saved us immeasurable time vs manually configuring firewalls and blackholes and honeypots and open-source lists -- all for $20/mo. It was an amazing service. And they blew their competitors at the time out of the water (Imperva, etc.)... much higher quality blocking at like 1/10 the cost.
If you see a Cloudflare message that the website is down, well, chances are the website is down. If they set it up a certain way, Cloudflare may have been able to cache some pages beforehand, or not... but either way, it's probably not Cloudflare's fault. The site probably would've been down even more often without Cloudflare, just without the CF error page. (That said, DNSSEC is a pain and can often cause issues with Cloudflare and other proxies.)
As for hCaptcha, I don't think I've ever had an issue with it (besides being unable to tell what something was, I mean)... did you have JS turned off or strict third-party blocking, perhaps?
Weirdly most of my pirated IPFS content is hosted by and served directly by Cloudflare’s own IPFS cache. I can choose which IPFS gateway to download the content from and I always click “Cloudflare” because it’s ridiculously faster than the rest (thanks to Cloudflare caching/serving it).
Didn't they voluntarily ban The Daily Stormer? And while horrible, I don't recall there being anything illegal about that, whereas IPFS likely requires them to take manual action repeatedly to avoid legal penalty.
It wasn't exactly "voluntarily" -- more like "banned it after sustained public pressure", I think. They were reluctant at first but eventually caved after pressure continued to mount. The CEO wasn't happy about it.
They defended them for a long time, and then banned them shortly after one of the Stormer admins started bragging that they had Cloudflare in their pocket.
Cloudflare will sometimes go to court to actively protect their abusive customer from being exposed to legal liability. But apparently they don't do that unless you're really nasty and exposing you would mean they are actually able to provide information about their customers - that's a line they won't cross even for attempted murders.