by dakiol 395 days ago
Yeah. I think this is the elephant in the room. I keep stumbling upon "We need to verify you are a human" by Cloudflare in many sites around the web. Crazy.

I agree that having so many sites behind one CDN (and related services) is a problem, but I don't think it is the elephant in this room. Even if there were 100 very popular CDNs having 1% of sites blocked because one user was streaming sports doesn't feel acceptable. Shared hosting has always been very popular and you have sites like Shopify, Squarespace, WordPress.com that are hosting thousands of sites.

Maybe with IPv6 it will become normal to assign each customer their own IP? But I don't see it. This also reduces privacy because we are moving towards Encrypted Client Hello in TLS but we have made no progress to hide IPs.

Sadly including on my site that kept getting overwhelmed by bots this year. I didn’t know what else to do.
Anubis is effective against certain kinds of bots and abuse, but wouldn't be that effective against large scale DDoS attacks. And it does have a negative impact on usability, as users have to wait for the browser to do the proof of work, which may or may not be worse than cloudflare's captchas.
Anubis is a partial mitigant of DDOS attacks, since it's less resource intensive to serve the Anubis page than the origin[1].

Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.

[1] : https://news.ycombinator.com/item?id=43864108

Yes, it's a partial mitigator, but it isn't as complete of a solution as a CDN, for a number of reasons. For one thing, with Anubis your server is still responding to requests, so a full scale DDoS could potentially take you down without having to actually complete the PoW, they just have to make enough requests.

Using a CDN for DDoS typically has multiple levels of protection:

- caching reduces load on your server

- In the event of a (D)DoS attack, the CDN can absorb the attack traffic with their much higher capacity than your server(s)

- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers

- Since the CDN fronts many sites, it can have more information about which IP addresses and user agents are more suspicious. This one is a little controversial, because there is a conflict between getting an accurate profile of how suspicious a request is, and preserving the privacy of users.

- It may have built in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of cloudflare, but for paid offerings at least, this is usually optional.

In short, Anubis could be part of a DDoS mitigation plan, but if you are worried about a targeted attack, it probably isn't sufficient. And critical services are potentially a valuable target for attacks.
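As an added illustration of the trade-off the comments above describe (not code from the thread, and not the Anubis project's own implementation), here is a hashcash-style proof-of-work challenge of the general kind Anubis uses: the browser must find a nonce whose hash carries a configured number of leading zero bits, while the origin checks each submission with a single hash. The challenge string, difficulty and request counts are constructed for the example; the exact hash construction Anubis uses is assumed, not copied. The `flood_cost` function makes the point of the reply concrete: the server still spends a verification (and a response) on every request that never bothered to solve the puzzle, so PoW raises the attacker's cost per accepted request but does not stop unsolved requests from arriving.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Count how many leading bits of a digest are zero."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def pow_digest(challenge: str, nonce: int) -> bytes:
    # Assumed construction: SHA-256 over "challenge:nonce". Real deployments
    # bind the challenge to a short-lived, server-issued value so a solution
    # cannot be reused across sessions.
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def verify(challenge: str, difficulty: int, nonce: int) -> bool:
    """Server side: one hash per submission, regardless of difficulty."""
    return leading_zero_bits(pow_digest(challenge, nonce)) >= difficulty


def solve(challenge: str, difficulty: int, max_attempts: int = 1 << 22):
    """Client side: brute-force a nonce; expected cost is about 2**difficulty hashes.

    Returns (nonce, attempts) so the asymmetry can be measured.
    """
    for nonce in range(max_attempts):
        if verify(challenge, difficulty, nonce):
            return nonce, nonce + 1
    raise RuntimeError("no solution within max_attempts")


def flood_cost(challenge: str, difficulty: int, bogus_requests: int) -> dict:
    """Model a flood of requests that send an unsolved (zero) nonce.

    The origin still runs verify() and emits a response for each one; the
    attacker pays nothing per request. This is why PoW alone does not stop
    a volumetric DDoS, only abusive clients that want their requests served.
    """
    server_hashes = 0
    accepted = 0
    for _ in range(bogus_requests):
        server_hashes += 1  # one verification per incoming request
        if verify(challenge, difficulty, 0):
            accepted += 1
    return {"server_hashes": server_hashes, "accepted": accepted,
            "attacker_hashes": 0}


if __name__ == "__main__":
    challenge = "constructed-challenge-2024"  # constructed sample value
    difficulty = 12  # constructed: ~4096 expected client hashes
    nonce, attempts = solve(challenge, difficulty)
    print(f"client found nonce {nonce} after {attempts} hashes; "
          f"server verifies with 1 hash: {verify(challenge, difficulty, nonce)}")
    print(flood_cost(challenge, difficulty, 10_000))
```

Raising `difficulty` by one bit doubles the legitimate client's expected work and adds nothing to the server's per-request cost, which is the usability tension the earlier comment raises; the flood model shows why the CDN layers listed above (absorbing and filtering traffic before it reaches the origin) address a problem that PoW by itself does not.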

I tried to figure it out for about 5 minutes, and decided that it probably wasn’t possible on my shared hosting.
Also, if (when) their Captcha decides that you're a bad actor, there's literally no way around it. You can spend tons of time checking the box/trying again, but there's no way to "solve" it.
I’m not sure if it fits your use case, but I think that CF has a browser extension that is supposed to help with that?
The elephant in the room is actually one American company having unencrypted access to global internet traffic.