> Essentially, Cloudflare by design randomly perpetrates denial of service attacks on users, yet at the same time Cloudflare paradoxically advertises itself as a service to mitigate DoS attacks.
I guess he's trying to be snarky here, but it's obvious their business is to prevent DoS attacks against the server by malicious clients.
I imagine the extremely large majority of clients [fully-featured modern web browsers] can get past the captcha (or JS challenge), therefore it's only a 'DoS attack against the user' in the small amount of situations where the user's client/browser doesn't have the technology required to solve the captcha (or JS challenge). If lynx or other non-JS browsers had a surge in popularity and CF's enterprise customers complained, you can assure they would have a solution out within a week that would not require JS or cookies.
There was another discussion a few weeks ago about how often in particular people from developing countries face captchas. Essentially Cloudflare knows first and second class citizens of the internet, and sites protected with Cloudflare will feel good in Western Europe and US but might require captchas at every corner and are not necessarily sped up if you happen to be sitting in India or Nigeria.
It's a rather typical blindness of US (and to a lesser degree EU/AU/.. ) companies, which by design or accident care mainly about US and other rich country users.
It's surely a difficult problem to even comprehend without being in that situation, but the CF IP reputation systems don't flag certain ASNs or IP blocks just because of the location. Maybe there's less security and unpatched RCEs happen often, maybe NAT'ing hundreds of users behind an IP is commonplace (making a bad actor taint the IP reputation for 99 other users), maybe a good amount of their users install things like the Hola VPN (where your computer turns into a VPN) or a Raspberry Pi device that also turns your computer into a "residential IP VPN" for extra cash. Regardless, if the automated threat detection systems see 100 IPs in a /24 block perform questionable requests, chances are that block or full ASN is going to get the boot.
Maybe that's the problem, the current scale of the internet and of human civilization means it's nearly impossible to use fairly-accurate humans for these types of things; the only option for managing something that works for the entire world is by turning to error-prone computers that we can only bet on someday being as good as humans at making decisions with the full context provided.
That's often down to site owners, not Cloudflare. I know of a few projects using captchas for all visitors from non-core markets. It drastically lowers malicious traffic while not hurting revenues by much. Not that I'd support it but I can understand why people decide to do that.
In that case Cloudflare enables them to do it but I wouldn't call them responsible.