
The geographical blocks are not enforced by Cloudflare as a blanket ban, but are chosen by each account owner (it's a setting you configure). I've worked with a few companies that saw this as a very valuable service (like small domestic companies blocking international traffic, especially from Russia and China, because we had no presence there anyway and that cut down bot traffic by like 95%).

Likewise, TOR access is similarly configurable. Companies choose to block it because more often than not it IS bot traffic, and the few potential real customers who use TOR are deemed not worth the headaches of the rest of the network.

Cloudflare's WAF is really pretty granular, with a lot of toggles and overrides: https://developers.cloudflare.com/waf/managed-rules/

Anecdote: For small businesses with limited web resources, these are just everyday tradeoffs they have to make in order to keep hosting and security fees reasonable. At the place I worked at, previously we were spending tens of thousands a year on hosting and thousands more for a competing WAF that cost like 10x more and didn't work very well. Cloudflare let us move to a much lower hosting plan and cost like $240/yr and drastically reduced bot traffic. Not a single customer complained over the next year or two. It was a huge improvement in both performance and costs.




I don’t understand the parent viewpoint.

“I don’t like Cloudflare because they’re trying to centralize the Internet and block me”

It’s not as though Cloudflare goes out and randomly inserts themselves in Internet traffic and has some blanket policy of ruining TOR or blocking you.

Cloudflare has customers (site hosts) that have choice in the marketplace and choose them. The customer configures whether their services use Cloudflare or not. The customer configures TOR access, CAPTCHA level, geoblocks, and any other number of hundreds of parameters.

Then people get mad at Cloudflare when a site/host selects Cloudflare and configures it in a way that blocks them?

Cloudflare is selling what people want to buy and providing the service in the way they configure it. If you have a problem with that take it up with the site/host/CF customer, I truly don’t understand how/why they can or should be blamed for their success.

I think what you’ll find is that many Cloudflare customers are practical and pragmatic. Want access to our site over Tor? Sorry but Tor is 99.999% shady/malicious traffic we don’t care about. The risk vs reward isn’t there so blocked. Maybe if a customer says something we’ll enable it but that has never and will never happen so blocked.

Our PCI scans and auditing systems are showing weird traffic from Asia even though we have no customers or business there? Blocked.

Repeat this for any other number of factors and you can start to understand why Cloudflare has double the market share of their nearest competitor (AWS CloudFront).

They offer a product suite site owners and hosts love. The collateral damage from a tiny fringe of legitimate users who get stuck in the CAPTCHAs, use tor, etc just don’t matter to the site hosts. If they did they would configure Cloudflare differently or leave them altogether.


Yeah.

I think cloudflare is even the only one that supports the "onion routing" to improve the situation for real Tor users.


Exactly.


It’s so annoying when I travel and I can’t log in to my utility provider’s website to pay my bill.

I understand they don’t want to get hacked but believe it or not, customers travel.


I agree, it is annoying. But it's also your utility's choice. Complain to them about it or choose a different provider if you can?

Security and convenience are always tradeoffs. I think 2FA is annoying as heck too (much prefer passkeys these days), or ridiculous password requirements, email passwordless login, etc., but those are all choices some admin or manager made on behalf of their business.


I found out a few months ago that my router has a built-in VPN that I just had to turn on. Now it doesn't matter where in the world I am, it can always look like I'm not only in the US, I'm actually on my home network. That might be worth considering if you're traveling a lot: it's about as benign-looking to providers as is possible.


I'd be afraid of doing that, knowing how insecure most home routers are. Seems like a zero day (or really even a "zero year", considering how behind updates can be) away from having your home router become part of a botnet...


It's just OpenVPN, and the version was up to date when I enabled it.


There’s always auto pay or give them a call?


That’s like saying it’s annoying that I can’t get my favorite chips at the grocery store because they don’t ship them to my country, so I’m upset at the grocery store for not having them.


I am convinced that while harder, there are more intelligent ways to block these DDoS attacks other than blocking entire geographies. I often travel between Africa and US, and there are things like buying furniture (Home Depot blanket blocks non-US customers, but they could simply allow shipping only to US addresses), buying cars (there are large car sites that don't allow browsing from outside the US, even if you already have an account or bought from them in the past), etc.

I feel like geoblocking is the easy way out, because if developing countries suddenly started waving their cards en masse, these merchants would find a way to let them in.

Speaking of card waving, it likely only appears that developing countries are not a large customer base because to merchants, they look like US customers.

Most African countries don't have access to Visa/Master cards, so often they'll have a US account where they can transfer some of their money. Others might earn in the US (like remote workers), and spend considerably in the US.

Then, because most merchants don't ship outside the US, these customers would use shipping forwarders, like myus.com.

So when making the decision to "block Nigeria because we don't really have any customers there", they're likely not considering this potentially large customer base they're alienating.

Even worse, these are usually customers that do not have access to credit, only debit, so for example, when buying large ticket items (like a car), they tend to pay for it all upfront, so likely great customers.

Then there are the business customers, the ones that want to buy containers full of merchandise. Those too get blocked.


As a business owner who geoblocks:

It's not usually a benefit to a business if a customer pays upfront.

Whether my customer pays by debit or credit, I get all of that money upfront before I let the transaction proceed.

Some businesses, like car dealers, actually make more money if the customer buys using debt, because they get incentivized by the loan company.

And lastly, the sheer scale of the US economy means that it's really not worth the hassle. All of Africa would be equal to one of the larger states (Wikipedia says $3T, Texas is 2.1T and Cali is 3.5T).

So it's vastly simpler, cheaper, and easier to deal with say 30m Texans or 40m Californians than literally 1.3 billion people in Africa or India, and you get roughly the same total addressable market and a fraction of the bots & scams.

Hence why many sites simply block non-North American traffic.

I wish we lived in a world that was more fair and open, but a couple of bad actors can really ruin things for everyone.


When I say pay "upfront", I don't mean that the upfront cash is better for business, but that usually, the credit industry is very good at letting people buy things they can't afford. Someone who pays upfront likely can afford it and might have higher lifetime value. Someone to advertise to, upsell, or whatever.

Secondly, I also get it, there's only so many things a business can worry about, and supporting geographies with historically high fraud rates is not high on the list, this is why my gripe here is with CF that does not make it easier to improve this even though they know they control such a huge chunk of the web.


> Someone who pays upfront likely can afford it and might have higher lifetime value. Someone to advertise to, upsell, or whatever.

100%. Richer people tend to be better customers. But that's another strike in favor of geoblocking non-US visitors.

When I was a kid growing up in Africa, I dreamt of a world where everything was accessible and purchasable and learnable everywhere, all the time, to everyone. Hopefully the internet turns out to be an equalizing factor and we get there someday.

Right now it's not really fair to expect business owners - most of whom are in non-tech businesses that require 100% focus - to keep up with the tidal wave of scams, hackers, and regulators originating from outside their sphere of concern.


> I am convinced that while harder, there are more intelligent ways to block these DDoS attacks other than blocking entire geographies.

Sure. Even by default, Cloudflare won't block entire countries. That's a CHOICE some businesses make if the default blocks aren't enough, and they don't have the time or resources to configure more nuanced WAF rules. (OWASP isn't exactly straightforward). Edit: For example, at that job I was talking about, we had different rulesets for different regions... China and Russia were completely banned, Africa was put behind stricter JS security checks and CAPTCHAs but allowed in, Europe had a medium security level (we did occasionally sell there, but very rarely), while the US had entirely custom WAF rules. It just depends on who we wanted to sell to or not.

It goes the other way around, too, you know. I've seen European and Asian sites that geoblock US customers. It's not out of malice, they just don't want to deal with the edge cases. Even if a foreign customer can access your website and buy stuff, dealing with international customs, consumer laws, credit card fraud, wire transfers, etc. can be a pain that's not worth it for smaller merchants. And if the foreign buyer is using a reshipper anyway, well, the reshipper can just buy the whole thing for them and deal with payments, etc. as an intermediary, like how Tenso/BuyFromJapan/JapanRabbit work.

Big companies have proper international presences, but for small local businesses, the amount of effort it takes to support international buyers just isn't worth the profit they typically bring in. Even on eBay, with its built-in international payment and shipping rules, sellers often won't want to bother.

This isn't really a matter of security rules, really, but just business cost/benefit decisions.

Besides, it helps businesses in each country stay local! Do you really want Amazon taking over everywhere...?
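The tiered setup described in the comment above (some countries blocked outright, some regions let in behind a challenge, a "medium" tier, and the home market passed through to the rest of the WAF) is easy to get wrong in ordering: an allow/skip rule placed after a catch-all never fires, and anything not named in any tier silently falls through. The following is an added example, not code from the original post or from Cloudflare. It builds the rule expressions in Cloudflare's Rules language as I understand it is documented (`ip.geoip.country`, `ip.geoip.continent`, and the pseudo country code `T1` that Cloudflare uses for Tor exit traffic; verify the field names against the current Cloudflare docs before pasting), and pairs each with a local predicate so the policy can be dry-run against constructed requests. The evaluator is a simplified stand-in for Cloudflare's engine: every matched action terminates evaluation, which is also how Cloudflare treats block, challenge and skip actions in custom rules. The tier-to-action mapping (managed challenge for Africa, JS challenge for Europe) is my assumption for the commenter's "stricter checks" and "medium security level".

```python
"""Tiered geo/Tor WAF policy: added example, not Cloudflare's code.

Field names follow Cloudflare's Rules language as documented; the local
evaluator below is a simplified stand-in that only understands the
fields used here. Requests and country/continent codes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

TOR = "T1"  # Cloudflare reports Tor exit traffic with the pseudo country code "T1"


@dataclass(frozen=True)
class Request:
    country: str    # what Cloudflare would expose as ip.geoip.country (ISO 3166-1 alpha-2)
    continent: str  # what Cloudflare would expose as ip.geoip.continent (e.g. "AF", "EU", "NA")


@dataclass(frozen=True)
class Rule:
    name: str
    expression: str                     # text you would paste into a Cloudflare custom rule
    matches: Callable[[Request], bool]  # local equivalent of that expression, for dry runs
    action: str                         # block | managed_challenge | js_challenge | skip


def _set_literal(codes: frozenset[str]) -> str:
    # Cloudflare's Rules language writes set literals as space-separated quoted strings: {"CN" "RU"}
    return "{" + " ".join(f'"{c}"' for c in sorted(codes)) + "}"


def build_policy(blocked: frozenset[str] = frozenset({"CN", "RU"}),
                 challenged_continents: frozenset[str] = frozenset({"AF"}),
                 medium_continents: frozenset[str] = frozenset({"EU"}),
                 home: frozenset[str] = frozenset({"US"})) -> list[Rule]:
    """Ordered custom rules. Order matters: the home-market skip must sit above the catch-all."""
    return [
        # 1. Tor exits: blocked outright, as several commenters in the thread do.
        Rule("tor-block", f'ip.geoip.country eq "{TOR}"',
             lambda r: r.country == TOR, "block"),
        # 2. Countries with no business presence: blocked.
        Rule("geo-block", f"ip.geoip.country in {_set_literal(blocked)}",
             lambda r: r.country in blocked, "block"),
        # 3. Regions with occasional real customers: let them in, behind a managed challenge.
        Rule("continent-challenge", f"ip.geoip.continent in {_set_literal(challenged_continents)}",
             lambda r: r.continent in challenged_continents, "managed_challenge"),
        # 4. Rare-but-real markets: lighter JS challenge only (assumed mapping of "medium").
        Rule("medium-js", f"ip.geoip.continent in {_set_literal(medium_continents)}",
             lambda r: r.continent in medium_continents, "js_challenge"),
        # 5. Home market: skip these geo rules; managed rulesets and rate limits still apply.
        Rule("home-skip", f"ip.geoip.country in {_set_literal(home)}",
             lambda r: r.country in home, "skip"),
        # 6. Explicit catch-all so nothing unlisted (e.g. "BR") falls through unchallenged.
        Rule("catch-all", "true",
             lambda r: True, "managed_challenge"),
    ]


def evaluate(policy: list[Rule], req: Request) -> tuple[str, str]:
    """First matching rule decides (every action terminates here). Returns (rule name, action)."""
    for rule in policy:
        if rule.matches(req):
            return rule.name, rule.action
    return "default", "allow"


def render(policy: list[Rule]) -> list[str]:
    """Dashboard-ready summary lines, one per rule, in evaluation order."""
    return [f"{r.name}: {r.action} when {r.expression}" for r in policy]


if __name__ == "__main__":
    pol = build_policy()
    for line in render(pol):
        print(line)
    # Constructed sample traffic: a Tor exit, China, Nigeria, Germany, the US, and Brazil.
    for req in [Request("T1", "T1"), Request("CN", "AS"), Request("NG", "AF"),
                Request("DE", "EU"), Request("US", "NA"), Request("BR", "SA")]:
        print(req.country, "->", evaluate(pol, req))
```

The dry run is the check worth doing before committing rules: with the skip rule placed above the catch-all, a US request passes through while Brazil, which no tier names, gets a managed challenge instead of silently sailing through. If returning customers abroad matter (the utility-bill complaint earlier in the thread), the usual fix is a skip rule above the geo tiers scoped to the login path with `http.request.uri.path`, so the geoblock applies to anonymous browsing but not to an existing account.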


I'm aware of this, CF can be very granular, but businesses do not on average have the know-how or bandwidth to properly set up their rules to not come off like a...holes. So the effect is that most businesses behind CF come off like a...holes. My point is CF does not seem very interested in coming up with a better solution, like maybe a list of CF-managed WAF profiles that work well and don't make both the businesses and CF seem like they do not care. Those profiles could be paid.

And yes! it's better to buy local, and Africa can't blame the US because our economy isn't there, and we aren't building all the things we should be building. But that is an entirely different discussion isn't it?


They do offer different profiles! By default the security is pretty sane, and they offer many easy-to-choose default sets. Businesses actually have to go out of their way to make a custom country block via a custom page rule. So when you see a site block you, that's because that specific business chose to customize their rules specifically to block you. That's not Cloudflare's fault.


I work for a not so small company with a large international user base and wish I could have the option to geoblock sometimes. While you're not wrong about there being more intelligent ways to block traffic it's substantially more time consuming to apply and get it right so that you allow legit traffic and actually block what you need to.

We also aren't just talking about blocking DDoS and other common vulnerability scanning. Depending on your business there are other potentially costly fraud and abuse scenarios that you are blocking just by blocking other countries outright. Until there are tools to block all this that are as easy to apply as a geoblock, this will probably remain the unfortunate state of things. A lot of businesses just don't have the time or resources to manage all of this without applying geoblocks.


is shipping forwarding common?

i would think that it adds on a huge cost?


It does, but depending on your shipping patterns and volume, it can be worth it. For example, some provide storage so you can hold your merchandise until you have a container full, and then ship all at once by ocean freight. Other times, they have deals with shipping companies like DHL that might make it cheaper than dealing with DHL rates by yourself.


Absolutely this. Cloudflare simply provide website owners with the tools. I've used them on a number of sites. For example, someone provides a local service and is sick of hacking attempts from the same 5 countries. Block 'em. Or they sell products that can't be delivered internationally, so why expose yourself to pointless inquiries or hacking attempts?


Leaded gasoline was also popular and provided a valuable service to car owners (more power, less engine wear). And yet we banned it.

It is not just about customers, you have to think about the ecosystem as a whole.


What do you mean? You want to force every business to sell internationally?



