Explain to me like I’m a 5 year old who just learned what an internet is how CloudFlare can block traffic to websites that don’t sign up for their services?

News from the UK shows that CloudFlare is now blocking a bunch of domains associated with peer to peer file sharing, but I don’t understand why these domains wouldn’t just migrate away from CloudFlare services and that would fix the problem. Do the ISPs use CloudFlare to provide services between the user and the website hosts when the user requests a web page via the browser?

  • Shadow@lemmy.ca · 16 upvotes · 4 days ago

    Yes, you’re correct. Those sites just need to move away.

    Otherwise though they do run public DNS resolvers that could block domains for users of those DNS servers.

    • Max-P@lemmy.max-p.me · 3 upvotes · 3 days ago

      Worth noting that those sites typically use Cloudflare as a way to hide their real servers, both for average users (so you can’t attack the server directly) and law enforcement. You have to get Cloudflare to cooperate and that requires valid court orders from the right countries.

      It’s also a useful double-edged sword: if Cloudflare refuses to cooperate, there’s not much you can do because if you block Cloudflare you also block a ton of legitimate websites, so it forces law enforcement to do a lot of collateral damage. Spain did it, and they ended up blocking a lot of legitimate traffic, upsetting a lot of people. Without Cloudflare they’d just block the pirate site’s IPs and DNS and be done with it.

      The double-edge part is your traffic all goes through Cloudflare, so if they comply and shut you down, you’re shut down until you move to another provider.

  • fubarx@lemmy.world · 12 upvotes · 4 days ago

    CloudFlare offers free/inexpensive application firewall, DDOS, and static web hosting services. A few years ago, they also added bot detection, and more recently AI scraping prevention, all for free. They say they can offer all this for free because they make most of their money from enterprises. They’re especially popular with open-source projects because those services are really useful for anyone putting up a public-facing site nowadays and having to pay for each of them would be too expensive.

    Anyone can set up CloudFlare to be the first point of contact before the traffic is passed on to them. This means that if CloudFlare’s system decides something looks wrong, they can easily block that traffic flow. The way they do this is by having them manage your DNS records so traffic flows through their services first.

    None of this is automatic. Someone has to explicitly configure their site to do this. In a federated service, anyone can set up their node to be handled by CF. If CF detects traffic problems and blocks a certain flow or port, it could affect sharing between all the other nodes in the federation.

    If the traffic is deemed illegal and CF is notified by law enforcement, they can shut down peer-to-peer traffic going through their network.

  • slazer2au@lemmy.world · 9 upvotes · 4 days ago

    When you access a website, say lemmy.world, your browser will say to Cloudflare “I want to access lemmy.world”.

    Cloudflare may not host the website but do something like DDOS protection so all the traffic to that site goes through Cloudflare then back out Cloudflare to the correct web server.

    If Cloudflare have been told to block the traffic by law or court order, all Cloudflare has to do is stop responding to people saying “I want to access lemmy.world”.

  • jake_jake_jake_@lemmy.world · 5 upvotes · 4 days ago

    There are definitely multiple ways they can block traffic to a site, but you have to be sending traffic through them or using DNS from them, or placing your site behind them using them for protection from denial of service attacks.

    Firstly, if you pay or use their free “anti-ddos” services, what is really happening is all traffic to your site is being sent through their network. Should you violate their terms of service, they can choose to terminate that traffic.

    DNS is Domain Name Service, where I want to visit example.com, and DNS tells the computer to go to 12.34.56.78. The DNS server your computer will ultimately use can be assigned by your ISP, manually configured by your network administrator, etc. One choice you can use, that is regarded by some as a good choice due to response time, is Cloudflare. When Cloudflare decides to block a site, one method they may use is to redirect DNS replies for that domain to a placeholder that indicates this site is blocked, or reply with NXDOMAIN (Non-eXistent Domain).

    An ISP could also choose to buy bandwidth from Cloudflare as an upstream provider. For Cloudflare enforcing a block, they would redirect traffic destined for any address they want to a placeholder, just like with DNS.

    A more aggressive, and dangerous, tactic that could cause global outages for a site would be to falsely claim the address as their own to the public internet with Border Gateway Protocol (BGP), then redirect or blackhole it.
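The answers from fubarx, slazer2au and jake_jake_jake_ above describe two separate choke points: the reverse proxy that a site owner opts into by pointing their DNS records at it, and the public recursive resolver that a *user* opts into. The toy model below, added here as an illustration and not code from Cloudflare or from any poster, shows why "just migrate away" fixes the first but not the second. Every name and address in it is constructed (RFC 5737 documentation ranges), and the `Resolver`/`Edge` classes are invented simplifications of what a real resolver and CDN edge do.

```python
"""Toy model of where a CDN/DNS provider can refuse to serve a site.

Constructed example. Two independent control points are modelled:
  1. the recursive resolver the user's machine asks (blocklist -> NXDOMAIN or
     a placeholder "blocked" page, as jake_jake_jake_ describes), and
  2. the reverse-proxy edge that a site owner put in front of their origin
     by publishing the edge's IP in their own DNS records (fubarx's point).
"""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
SINKHOLE_IP = "192.0.2.99"    # constructed placeholder "this site is blocked" page
EDGE_IP = "198.51.100.1"      # constructed public address of the reverse proxy


@dataclass
class Resolver:
    """A public recursive resolver with an optional blocklist (simplified)."""
    zone: dict                        # domain -> IP the domain owner published
    blocked: set = field(default_factory=set)
    mode: str = "nxdomain"            # "nxdomain" or "sinkhole"

    def resolve(self, domain):
        if domain in self.blocked:
            return NXDOMAIN if self.mode == "nxdomain" else SINKHOLE_IP
        return self.zone.get(domain, NXDOMAIN)


@dataclass
class Edge:
    """Reverse proxy: it knows origin IPs; clients only ever see EDGE_IP."""
    origins: dict                     # domain -> real origin IP (never leaves the edge)
    terminated: set = field(default_factory=set)

    def forward(self, domain):
        if domain in self.terminated:
            return "blocked_at_edge"
        if domain not in self.origins:
            return "unknown_host"
        return "proxied"              # request relayed to self.origins[domain]


def fetch(domain, resolver, edge):
    """Emulate a browser: resolve the name, then connect to whatever came back.

    Returns (outcome, ip_the_client_connected_to_or_None).
    """
    ip = resolver.resolve(domain)
    if ip == NXDOMAIN:
        return ("dns_nxdomain", None)
    if ip == SINKHOLE_IP:
        return ("dns_sinkhole", SINKHOLE_IP)
    if ip == EDGE_IP:
        return (edge.forward(domain), EDGE_IP)
    return ("direct", ip)


def scenario(move_away=False, resolver_blocks=False, mode="nxdomain"):
    """One site ('pirate.example') that the edge provider has been told to cut off.

    move_away      -> the owner repoints DNS from the edge to their own server.
    resolver_blocks-> the user's resolver also carries the domain on its blocklist.
    """
    origins = {"pirate.example": "203.0.113.7", "blog.example": "203.0.113.8"}
    # Only the first owner signed up for the proxy, so only that record points at the edge.
    zone = {"pirate.example": EDGE_IP, "blog.example": "203.0.113.8"}
    if move_away:
        zone["pirate.example"] = origins["pirate.example"]
    resolver = Resolver(zone, blocked={"pirate.example"} if resolver_blocks else set(), mode=mode)
    edge = Edge(origins, terminated={"pirate.example"})
    return fetch("pirate.example", resolver, edge)


if __name__ == "__main__":
    print("behind the edge:           ", scenario())
    print("moved away:                ", scenario(move_away=True))
    print("moved away, resolver block:", scenario(move_away=True, resolver_blocks=True))
    print("resolver sinkhole page:    ", scenario(move_away=True, resolver_blocks=True, mode="sinkhole"))
```

Running it shows the split the thread is describing: while the record points at the edge the client connects to `EDGE_IP` and gets `blocked_at_edge`, never learning `203.0.113.7`; after the owner repoints DNS the block disappears for everyone except users whose resolver is on a blocklist, who get `NXDOMAIN` or the placeholder address instead. That second case is the "public DNS resolvers" caveat Shadow raised, and it is what an operator should check (which resolver their users are on) before concluding that changing providers ended a block.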

  • No_Ones_Slick_Like_Gaston@lemmy.world · 3 upvotes · 3 days ago

    ELI5: Cloudflare is like your parents telling you (your browser) which birthday parties (websites) you can go to or not, because some parties or neighborhoods where the parties are happening are not safe.