Protecting a server from DDoS attacks without Cloudflare

Hello, I am Matteo, the owner and developer of servury.com, an anonymous cloud service provider. In recent days, I have realized that Cloudflare has huge leverage over a large part of the internet, as shown by the many times Cloudflare went down, taking down “half” of the internet with them. Not only that, but granted that someone would use an SSL cert provided by Cloudflare, they could theoretically see everything that is sent by clients to your server.

And so after realizing all of this, I’m sitting here like: what do I do about this? I can’t just tell my customers that we use CF for DDoS protection, that they log all traffic to Servury, and ask them to please trust CF not to get hacked.

Here are 2 things I think are worth believing in:
1. Don’t trust, verify.
2. The internet should be free (Cloudflare going down and taking down half the internet is literally proof that the internet is no longer as decentralized as it once was).

I am going on a tangent, but it is with those concerns that I am opening this discussion, with the goal of finding self-hosted alternatives to Cloudflare.

So far, I’ve found Anubis, which seems to be far from perfect, according to this issue opened yesterday on GitHub: Bots are circumventing Anubis, CPU back to 100%

From my experience mitigating DDoS attacks on Servury, I’ve found that serving a managed challenge to ALL HTTP requests (POST, GET, DELETE… all of them), with a success pass-through of a few hours so as not to annoy real visitors, seemed to be the best solution. I would then whitelist some known crawlers to not wreck my SEO.

Perhaps simple firewall rules could be as efficient as CF.

3 Likes
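The approach in the opening post (a challenge on every request, then a pass valid for a few hours) sketched as a proof-of-work gate with a signed, IP-bound pass cookie; this is an added example, not Servury’s code. The HMAC key, difficulty and TTL are constructed values, and in practice the gate would sit in the reverse proxy in front of all HTTP methods.

```python
"""PoW challenge + time-limited signed pass (added example, not the poster's code)."""
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key-rotate-in-production"  # constructed, not a real key
DIFFICULTY_BITS = 12   # leading zero bits required in the PoW hash (constructed)
PASS_TTL = 4 * 3600    # "success pass-through of a few hours"


def new_challenge() -> str:
    """Random nonce the client must find a counter for."""
    return secrets.token_hex(16)


def check_solution(challenge: str, counter: int, bits: int = DIFFICULTY_BITS) -> bool:
    """True when sha256(challenge:counter) starts with at least `bits` zero bits."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    leading_zero_bits = 256 - int.from_bytes(digest, "big").bit_length()
    return leading_zero_bits >= bits


def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Reference solver (what the browser-side script would do): brute-force a counter."""
    counter = 0
    while not check_solution(challenge, counter, bits):
        counter += 1
    return counter


def issue_pass(client_ip: str, now: float = None) -> str:
    """Cookie value 'expiry|HMAC(ip|expiry)'; binding to the IP limits cookie sharing."""
    now = time.time() if now is None else now
    expires = int(now + PASS_TTL)
    mac = hmac.new(SECRET, f"{client_ip}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}|{mac}"


def verify_pass(token: str, client_ip: str, now: float = None) -> bool:
    """Reject malformed, expired, tampered or wrong-IP passes; compare in constant time."""
    now = time.time() if now is None else now
    try:
        expires_s, mac = token.split("|", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if now >= expires:
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

As the later replies point out, a gate like this only raises the cost of HTTP-level floods; it does nothing against volumetric attacks that saturate the link.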

SSL certificates are isolated from the CA, and the CA is isolated from its clients, as private keys are never exchanged during the certification process.

IIRC, they state on their docs that Anubis is a temporary solution while waiting for research on AI bot filters.

You probably won’t be as efficient as Cloudflare without their network (can you even handle 1tb/s of legitimate traffic?)

1 Like

Just launch a browser every “few hours”, solve the challenge and get the cookie

GrapheneOS wrote about how they avoid DDoS attacks, might be worth a look.

I think this only really highlights that you’re not going to easily replace Cloudflare. GOS guys are using distributed rate limiters with some packet inspector named nftables and synproxy that they custom configure in their firewall. Sounds complex.

2 Likes

You might also take a look at ALTCHA, it’s self-hosted and PoW based and uh, no anime girls lol.

1 Like

And so after realizing all of this, I’m sitting here like : what do I do about this?

There is something called Cloudflare Spectrum that just passes through the TCP/UDP traffic on layer 3/4, which does not decrypt the traffic.

So far, I’ve found Anubis, which seems to be far from perfect,

Anubis will not protect against a DDoS attack, and it will only prevent a limited type of DoS attacks.

Perhaps simple firewall rules could be as efficient as CF.

This will not prevent a DDoS attack, only a DoS attack.
DDoS attacks target your bandwidth and are a pretty primitive type of attack. They work on the principle that the stronger side wins. If the attacker has more bandwidth than you, he wins; if you have more bandwidth than the attacker, you win.
CF works like that. They can protect against such attacks because they are large.

There are exactly three things that can protect you from a DDoS attack:

  • Your hosting provider
  • Your ISP
  • a service like Cloudflare

There is also Bunny.net, which is an EU-based alternative to Cloudflare.
I would also take a look into CrowdSec as a threat-intelligence platform.

2 Likes