Some context the article misses: there's a court order that allows the Spanish Football League to block websites which may be unlawfully broadcasting football, and the ISPs have to comply. Since Chrome activated ECH, LaLiga requested the order to be expanded to block individual IPs, to which the court happily obliged, and this order is being used to block Cloudflare's IP ranges.
The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play. This is a breach of the court order itself, which clearly states that "no unrelated sites may be affected", all while the court order itself is probably illegal as well. And, of course, IPTV pirates found ways around the block.
bandaancha.eu is doing a fantastic job on the reporting of this.
Orange and Vodafone are also implementing the blocking but users are not noticing because they are doing it wrong: instead of blackholing the IPs or only blocking when connecting through ECH, they are blocking by DPI the access when using the IP address as the SNI/Host header.
    # curl http://104.21.16.1
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires" CONTENT="-1"><html>Por causas ajenas a Vodafone, esta web no está disponible</html>
    # curl http://104.21.16.1 --header "Host: blockedsite.com"
    error code: 1001
(1001 is the expected output from Cloudflare)
Which is really useless, but I guess fulfills the court order (pandereta meets undefined specifications).
They've been routinely blocking GitHub, I think because there are several repos tracking lists of IPTV streams? I often have to VPN to the US just to access my open-source repos.
When you find you're seeing a problem as easy, and that "they should just", then you probably either don't have enough detail, or haven't thought about an issue enough.
For example, what else should 'morals' compel Cloudflare to spend money on blocking? Should they preemptively drop accounts that link to any abortion information? Did anything happen at Tiananmen Square?
Let's set all that aside though and say "unauthorized streaming bad", and say that we all agree that that is the case. Say we also agree that it's Cloudflare that should be the enforcer of this. We then run into the practical issues. Random numbers I found online say that Cloudflare streams around 100 petabytes of video every month. How do you propose that it filter that amount of video and identify the 'offending' streams? There are legitimate license holders that could be streaming through Cloudflare; cut them off and you're looking at a lot of lost business if not a lawsuit against you. There are clips being shown during a recap on someone's sports info stream that probably fit some 'moral fair use'. Both those rely on being able to distinguish between this current streamed game and a replay of a game from a year ago, even in cases where the streaming party has taken measures to make that difficult.
How much extra would you be willing to pay Cloudflare for their services so they could do this type of 'football stream blocking'? Are you okay paying the extra to Cloudflare when the end result is that there's no fewer streams available online?
>What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
It could be that CloudFlare does absolutely nothing to aid any site, big or small, when asked to stop hosting & concealing blatantly malicious origins. I don't even care who it is at this point, at least someone is causing problems for CF who, frankly, behave as if they're untouchable.
Literally every scam site I've checked out in recent years, pretending to be a government entity, or parcel delivery service, in order to defraud millions from those not blessed with much technological literacy, has been hidden behind CF. Their responses are excruciatingly slow, if they even do anything at all. Usually they don't.
“Every scam comes from Cloudflare” is an asinine metric.
“Every one of those scams” are also on the internet, use email, DNS, whatever.
The metric that matters is how much of Cloudflare is a scam, and can the rate of scamming on Cloudflare be reduced without significantly impacting legitimate uses of it, and how.
Let's get ISPs to instablock IPs shared by thousands of sites immediately, making the internet an excruciating experience on weekends, because we may be losing some football euros on our way to charge as much as the market will bear is just indefensible. If for no other reason, because IPs are a scarce resource.
Yes, piracy will take advantage of privacy technology (EDNS in this case). If we're cautious of violating privacy to catch child abusers, again, cry me a river about LaLiga not being able to fund the next hundred million euro transfer.
The court order provides the means of doing it, it isn't itself a justification for wanting to do it.
(Unless your view of ethics/morality is that anything ordered by any court is automatically good, which I'm sure some people believe but I suspect many more do not have such a binary view.)
They buy a service which should block a specific type of traffic, for example bots or attacks. I don't believe any of their customers have purchased a "block a random version of a specific browser" plan. The fact this is occasionally treated as a bug and fixed confirms that idea.
If the customer specifically set a header match to block some Firefox variant, people wouldn't complain to cloudflare about it.
Customers can pick several levels of aggressiveness when it comes to blocking bots. Some of the more obscure browsers easily pass the "low" threshold but don't make it past the "high" threshold. Some older browsers like Palemoon seem to crash or break the JS Cloudflare serves but that seems to be a browser issue.
If your favorite website is blocking you, let them know. They can tweak a lot in their WAF settings. I don't think many websites care about obscure browsers, but it's something websites can control.
I'm not sure what point you're trying to make. Cloudflare has been failing this way for ages. At this point they're just accepting it and it affects people who don't understand or care who cloudflare is. It's an issue with cloudflare business model as a whole these days.
You covered everything except the most important case: Cloudflare blocks innocent people trying to access websites protected by Cloudflare.
For instance they block me because I'm behind CGNAT and because some of the millions of machines also behind that CGNAT once did something unsavory.
I'm not a customer of Cloudflare, so I have no one to call, I just get blocked from endless websites or have to click a checkbox, solve puzzles and suffer other indignities because I'm using a reputable and popular ISP in my country.
Fuck Cloudflare. They're accelerating the utter shittiness of the web because of their indiscriminate solutions to web malfeasance, which are worse than the disease.
> Everyone else other than you get to enjoy a snappy and fast loading site. I think that’s a good trade off.
The core logic behind that sentence is that it's good to be in an unfair system, as long as you benefit from the system and don't get unfairly targeted.
Work camps are also a good thing, provided you're benefiting from the work rather than sent to the gulag.
I've experienced similar problems in the past. Cloudflare decides that something about the ISP or software I'm using is not on some secret approved list and we all get a bag of coal for Christmas instead of the content we were asking for until we've jumped through whatever hoops it decided to set up this week. And I've heard way too many anecdotes from way too many people in real life to believe this is some sort of isolated or unusual event.
If Cloudflare is now taking a hit because it's become collateral damage to an over-generalised penalty system despite having done nothing wrong itself then it is difficult to find much sympathy. If this blocking exposes how much of the web we all use every day is now being routed via a single point of failure that has been operating largely as a law unto itself then that also seems like a positive step to me.
Depends on the kind of abuse. Acting as if CloudFlare is providing bullet-proof hosting and carrier services would be insincere. I have had CloudFlare suspend accounts within 18 hours of reporting.
For what it's worth I think Cloudflare and a few other ultra-large CDNs should be considered a utility provider, given that it is very difficult to exist on the Internet without their protection - no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears. And if it's an online forum, chances are high someone will be pissed off by some moderation action and just buy a DDoS to shoot you off the 'net.
(In the end I think governments should finally hunt down and eliminate abusive netizens, but waiting for that to happen is pointless)
Cloudflare profits greatly from you thinking it's impossible to exist on the internet without them.
Did you know they have a workflow for you to sign up and start using their protection in the middle of an attack? Costs money, of course. They don't get to EEE the Internet that way so they don't make it free.
Seconding that anything this big should be nationalized. That said, the internet still worked before cloudflare. The threat of a banned troll DDoSing your forum has been a risk for 30 years, yet the flourishing golden age of forums was before anyone had heard of cloudflare.
Add in their centralized panopticon of mass decrypted traffic and it becomes undeniable CF is an enormous net negative to the internet and society at large.
They could argue that they are on the side of the "good guys" (intelligence services and the police), especially if you consider their historical ties of collaborating with the 3-letter agencies like the FBI (c.f. how it all started with Project Honey Pot).
> The threat of a banned troll DDoSing your forum has been a risk for 30 years, yet the flourishing golden age of forums was before anyone had heard of cloudflare.
Private forums in my experience stopped being a thing around 2010-2015-ish. The first death knell was metasploit, which made 0wning a target so much easier than it was before; the second and final blow were "ddos for hire" services, running on cryptocurrencies that promised (and delivered) true anonymity, and using mass hacked consumer devices as a botnet that was much harder to defend against than an STRO in some datacenter where you (or your DC) could just block the IP address.
> no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears
This will happen to you if you use Cloudflare as well, _unless_ you enable (at least) the automatic captcha, which then annoys users and disallows privacy-focused people from visiting your site.
To effectively stop committed DDOS you'll need CF enterprise, which filters out private blogs etc by price. The WAF options definitely make it easier to fight simpler DDOS attacks, but even then you'll need to know what you're doing.
While massive overreach in the name of fighting piracy is very on-brand for LaLiga, this seems pretty wild, even for them. I can't help but wonder if perhaps they didn't realize quite how many unrelated, legitimate sites/services that their citizens use would be affected by this.
I think burns/jokes about Cloudflare are missing the point. It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block. The block included things like Redsys, a major payments processor used by tons of ecommerce sites in Spain.
Piracy or not, you shouldn't be able to get away with this kind of collateral damage, blocking an entire population from accessing a far greater number of legitimate websites.
And while I do understand their problems with piracy, LaLiga's view on the matter has always been so over-the-top and reminiscent of the false logic the record companies did in the early 2000s: LaLiga believe (or at least say, all the time) that every euro's worth of football that is pirated is a euro that has been stolen from them; that if piracy didn't exist, they would have that much more money. It's simply not the case. It's a hugely outdated viewpoint, and they shouldn't be able to cause damage to the public because of their adherence to it.
> It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block.
I happen to agree that La Liga wildly overreaching is on brand. But I think this is partly about Cloudflare.
What's happening is a reminder of how centralised the internet is becoming. If blocking Cloudflare IPs brings down big chunks of the internet for Spain, that's a problem. Cloudflare could go down for a while, or collapse permanently, or get compromised.
Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
Cloudflare might get a resolution from the court that suits them in the short-term. But drawing this to government attention might not suit them in the long run.
> Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
On the contrary, it would be an excellent outcome if the Internet became all-or-nothing, and countries could either choose to provide Internet access or block the entire Internet, with zero ability to selectively block things they don't like.
Doing that via a few centralized CDNs would be bad. Doing that at the protocol level would be excellent.
...is what most free speech proponents say until they discover child pornography, and then say "well, impossible for anything except child pornography", and then they discover...
That is not a problem to solve by internet blocking. That's a problem to be solved by tracking down the sources and arresting them so they can't make more. Blocking doesn't stop the underlying abuse. And blocking is too dangerous of a capability to exist, because it can and will be abused.
I think the comments here about Cloudflare aren't trying to justify what LaLiga is doing, just pointing out that Cloudflare does the same equally wrong thing ultimately. If you've ever ended up with an IP Cloudflare decided is suspect for one reason or another, have fun being stuck in endless captcha loops all day for something like 70% of the websites you visit, with no recourse.
Thanks, that's a great source! Definitely illuminates a part of Cloudflare's infrastructure I had no idea about before. Interesting to hear about their cooperation here given their publicly very anti-censorship reputation.
This argument on whether LaLiga or Cloudflare are the biggest dicks is kinda dumb.
Yeah, CF has stepped in it from time to time and yeah, maybe they have ego-ish proclivities. What Behemoth online service doesn't?
But at the core of this debate is about LaLiga and its peripheral relationships dragging a lot of innocent folks along with the genuine targets of their focus.
It's like those Drift Netters who have demonstrated they care not for the unintended species they catch. A bit of a labored metaphor but, there you have it.
"Like the majority of cloud providers, Cloudflare uses shared IP addresses to manage its network, meaning that thousands of domains can be accessed with a single IP address."
Thousands?
It used to be one could access _any_ Cloudflare customer website using appropriate Host header, SNI and a _single_ Cloudflare IP address, i.e., one address could be used to reach all CF customer websites. For whatever reason, that is no longer the case.
Honestly, I hate both parties here so much. I just wanted to say that Cloudflare is the biggest problem I have at work when trying to detect and take-down phishing websites. They do not collaborate with official entities and keep protecting malicious actors. I could not care less about someone giving them problems.
Football goes beyond mere entertainment in Spain, it's like life itself. I think there's a case to be made that any and all disruption to internet services is justified to provide the public with the best possible Football experience.
CloudFlare doesn't allow video streaming on their free/low tiers so I would expect this to be shut down by CF regardless as there wouldn't be anyone legit to pay for the Enterprise plan.
I don't understand why Cloudflare allowed itself to be used like this and is heading to court instead of just refusing to accept LaLiga's requests. They could just request them to provide appropriate evidence and make them pay for the time Cloudflare staff would need to review the evidence.
Cloudflare isn't in a position to accept or decline LaLiga's requests; LaLiga, supported by a ridiculous court order, is forcing ISPs to block Cloudflare IP addresses.
Cloudflare absolutely is in a position to take down domains they're hosting on those IPs while keeping other domains sharing the same IP up.
I think that's probably what they'll be doing in the end, so it's interesting to observe that they haven't done so already. Do they maybe have at least an internal domain reputation system so that long-time customers mostly share IPs with other long-time customers and are less likely to get caught in the crossfire?
Cloudflare's customers are distributing copyrighted material. That's basic copyright law, and the host and distributor can easily take it offline after a court request.
The courts are unlikely to cheer on such websites, though. For better or worse, copyright law exists in Spain, and it will be enforced either with Cloudflare's co-operation (Cloudflare blocking infringing websites) or without (ISPs blocking Cloudflare IPs).
What I'm hoping for, here, is a case along the lines of "this court order has been used irresponsibly, with no regard for collateral damage, and has blocked sites such as GitHub, X, Y, and Z, which have nothing to do with the purpose of the court order; the court order should be rescinded".
According to another commenter here, the court order specifically stated that unrelated websites should not be blocked, so La Liga is potentially in breach of the court order, and could be on the hook for a lot of money in damages, should the injured parties decide to pursue it.
Bit of a strawman, yea?
Copyrighted material is flung from one end of the Earth to the other from thousands of places and you want to single out a single entity? How's that 3rd grade education working for ya?
Ok, this explains why Cloudflare is doing this. So the issue seems to be with the court order then. Is this then yet another case of court order makers not understanding the technological consequences of the court order they made?
I suspect that LaLiga lawyers and lawyer-techs aren't perhaps the most technical so when they learned to figure out IPs they made it their go-to way of working without even considering that they might need to contact CF (or Github that also seems blocked in Spain).
Finding abuse contacts is actually an M:N problem for the entire industry since we skimped on IPv6 (had we gone to IPv6, providers like CF could've just assigned customers their own IPs and third-party fallout would've been minimal).
Well, I'm guessing here but I assume pirates are happy to stand up a new website for every match. And LaLiga wants the sites taken down within the ~90 minute duration of the game, otherwise what's the point?
I'd be interested to see if twitch is on their block list... or if running pirated tv, movies and sports from all over the world 24/7 just isn't as visible enough to them for them to say something...
Most streaming platforms actually put a lot of effort into combating live soccer broadcast piracy, more than a lot of other types of content. European soccer is massively popular globally, as is the World Cup. Thus piracy of it is massive and global as well, and it gives the big leagues and competitions a lot of leverage. Most platforms try hard to counter soccer piracy, generally without waiting for a complaint or takedown request, and often using active methods like doing automated content detection on livestreams. The platforms simply have more to lose by poor enforcement of a huge soccer event than most anything else, including anything from Hollywood.
As a reminder, LaLiga got caught spying on their users with their app using the microphone and the geolocation to detect illegal emissions in bars. They got fined, applying the GDPR, with 250k euros. [0]
However, the last court order removed the fine, as they interpreted that the AEPD (Spanish data protection agency, and the ones that fined LaLiga) did not show any guidelines about this kind of stuff, so it couldn't be fined retroactively. And that showing a "Mic in use" warning every time the app was using the microphone, as AEPD wanted, was "excessive". [1]
I've had issues with their captchas just not working but not providing that as feedback. Javascript enabled and all.
You can easily reproduce this by using a mainstream browser like Chrome and changing your user agent to e.g. a Firefox one (or the reverse). You'll be hit with captchas everywhere but unlike the cloudflare ones the google ones can at least be resolved.
I've had that experience in a developed country too, but every time it happened it was because of CGNAT without IPv6 (or some similar setup causing millions of requests to come from a single IP).
But on the other hand, almost all of the requests from less developed countries in my logs seem to be malicious. I've blocked entire countries at times (through iptables, arguably better for privacy but worse for blocked people) when a dumb bot wave made it through the internet. I get why Cloudflare is so eager to ban some ISPs, those ISPs seem to be doing a terrible job protecting the rest of the internet from their hacked or abusive customers.
If your travel is short enough, use Chrome. It works fine for me with Linux+Chrome+LessDevelopedCountryISP. That said, I do understand you are giving up some privacy by using Chrome, instead of Firefox. Can you just use a Chrome user agent, or does Cloudflare fingerprint your browser via JavaScript?
Can confirm. If I click certain links in the Discord Electron client on Windows they work just fine, but in Firefox on Linux I get the DDoS block page, regardless of the internet connection I'm using.
In the second case, the parties are still related. The websites that are intended to be targeted by the court order are served by Cloudflare, and the operators of the sites that you want to access are also served by Cloudflare. It is like doing business with a bank that also serves sanctioned customers, and now your suppliers cannot get paid.
Can Cloudflare demand that ISPs carry its traffic? Probably, due to net neutrality laws. That's what they are trying to do in court.
Can you demand that websites allow you in? Depends on the site, I can imagine certain kinds of sites, e.g., government websites or public utility websites, being compelled to do this by a court, if they use Cloudflare and block innocent users. But the blocked users will generally not have enough time or money to deal with a lawsuit.
I get locked out occasionally when travelling outside EU as well. I've got to the point I will just avoid using services with CloudFlare in front of them.
Also the one time I reported abuse which was online banking phishing they just replied that they'd informed the upstream provider and nothing happened.
Most folks do not realize the consequences. Of those who do, a significant fraction thinks that the only people accessing it are from US mainland and use Chrome on Windows.
CF's announcements are quite fragmented/deaggregated due to traffic engineering. Here's a much shorter list of the actual IP blocks: https://www.cloudflare.com/ips/
LaLiga is the main football league in Spain, where Real Madrid, FC Barcelona,... play. It's also considered the second most important league in Europe after the Premier League in England. And, related to this, it manages the TV rights of the matches.
> bandaancha.eu is doing a fantastic job on the reporting of this.
And LaLiga’s response to their reporting? Sending false abuse notices to their hosting provider [1]
[1]: https://x.com/bandaanchaeu/status/1892992576069783825?s=46
La Liga's president is known to be unhinged, so this is not a surprise.
>The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play.
At the risk of non-Spaniards being unable to understand: that's the most pandereta thing I've heard this year so far.
This is banana country-tier stuff.
More context: Telefónica used one of its group companies to file a complaint against itself and all other telecom operators in Spain, instead of filing a complaint against Cloudflare. As the operators, including the plaintiff Telefónica, acknowledge and accept the claims, the judge granted the measures.
> The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play.
Aaah, this explains some stuff. I'm on holiday in Spain right now, and a bunch of little blogs and similar sites just don't work at all for some reason. I bet they're hosted on Cloudflare Pages or using Cloudflare as a CDN layer.
I assumed it was just the hotel WiFi doing something weird!
I think the Cloudflare issue only happens with Movistar/Digi. At least in my case I couldn't use GitHub yesterday.
So "only" the biggest broadband provider in the country :)
I've seen reports that Orange may have imposed the block as well, which is the #2 provider. Definitely a nontrivial slice of the population.
Only Vodafone refused to implement the blocking.
Other ISPs are blocking as well.
> court order itself probably being illegal as well
How so?
The simplified answer is that Spain has greater net neutrality laws than most other places, and on top of that the relevant European Union laws specifically forbid any lawful blocking/enforcement action if it causes a nontrivial amount of collateral damage to unrelated parties. So in theory the court order should've violated both Spanish and European law.
https://www.redes-sociales.com/bloqueo-cloudflare-parte-lali...
Legally, is it collateral damage to unrelated parties? It is Cloudflare's servers providing the infringing content, and Cloudflare's servers being blocked. Do Spain's net neutrality protections grant some kind of common carrier protections to CDN networks? Would be nice if they did.
This previously happened in Italy, and was quickly undone as "a mistake" after being called out.
I see in Spain it isn't a mistake.
What is ECH?
Encrypted Client Hello https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
As if one would need more reasons to hate football. It's a disgrace: here in Italy last year there was flooding in the center, some matches had to be postponed, people were digging up sand, basket clubs complained in silence, but there were some clubs like AC Milan trying to bitch about their important matches and league points, something that a person with common sense would never think. For real, people digging sand, people dying, and they had the guts to complain about their league points. They're psychos.
Is sand dug to construct dams?
What's a "basket club", and how can a thing complain in silence?
I suspect a translator app? AI translator? The "complain in silence" makes me think the intent is "complain but not heard"?
Think the parent is referring to other big Serie A clubs
Basket clubs complied (sorry) without objection
I can't find a violin small enough for cloudflare here. They're known for ignoring abuse and now they want to retaliate for someone blocking them like they're some kind of required utility provider? Maybe it's time for legal action from all the people randomly blocked by cloudflare without recourse?
There's no violin small enough for LaLiga.
What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
The only saving grace here, is that premium broadcasts kinda succeeded in getting the fans, rather than corrupt politicians and the state, to mostly fund the entire scheme that is the sport.
Other than that, cry me a river with how much we allow football to bend (and break) so many of our laws and regulations (not to mention ethics and decency).
It is CloudFlare that should be shutting down websites to comply with the law. If they did that, LaLiga wouldn't need to resort to a bigger hammer.
Needless to say, companies should comply with the law of the place where they do business.
Did they serve Cloudflare a court order?
Apparently not. From Cloudflare's declarations, it seems they did not even notify them:
> "LaLiga secured this blocking order without notifying cloud providers"
[flagged]
> Why does there need to be a court order?
Because there needs to be a fair legal process involving legal experts to determine whether a site is breaking the law. That's the court.
[flagged]
When you find you're seeing a problem as easy, and that "they should just", then you probably either don't have enough detail, or haven't thought about an issue enough.
For example, what else should 'morals' compel Cloudflare to spend money on blocking? Should they preemptively drop accounts that link to any abortion information? Did anything happen at Tiananmen Square?
Let's set all that aside though and say "unauthorized streaming bad", and say that we all agree that that is the case. Say we also agree that it's Cloudflare that should be the enforcer of this. We then run into the practical issues. Random numbers I found online say that Cloudflare streams around 100 petabytes of video every month. How do you propose that it filter that amount of video and identify the 'offending' streams? There are legitimate license holders that could be streaming through Cloudflare, cut them off and you're looking at a lot of lost business if not a lawsuit against you. There are clips being shown during a recap on someone's sports info stream that probably fit some 'moral fair use'. Both those rely on being able to distinguish between this current streamed game and a replay of a game from a year ago, even in cases where the streaming party has taken measures to make that difficult.
How much extra would you be willing to pay Cloudflare for their services so they could do this type of 'football stream blocking'? Are you okay paying the extra to Cloudflare when the end result is that there's no fewer streams available online?
Cloudflare is not the content police.
Every person and organization should police themselves.
Should everyone police everyone else? That is called "the Stasi" and makes for a fearful populace. I think they have something like that in China.
[flagged]
[dead]
> There's no violin small enough for LaLiga.
Both?-both.gif
>What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
It could be that CloudFlare does absolutely nothing to aid any site, big or small, when asked to stop hosting & concealing blatantly malicious origins. I don't even care who it is at this point, at least someone is causing problems for CF who, frankly, behave as if they're untouchable.
Literally every scam site I've checked out in recent years, pretending to be a government entity, or parcel delivery service, in order to defraud millions from those not blessed with much technological literacy, has been hidden behind CF. Their responses are excruciatingly slow, if they even do anything at all. Usually they don't.
“Every scam comes from Cloudflare” is an asinine metric.
“Every one of those scams” are also on the internet, use email, DNS, whatever.
The metric that matters is how much of Cloudflare is a scam, and can the rate of scamming on Cloudflare be reduced without significantly impacting legitimate uses of it, and how.
Let's get ISPs to instablock IPs shared by thousands of sites immediately, making the internet an excruciating experience on weekends, because we may be losing some football euros on our way to charge as much as the market will bear is just indefensible. If for no other reason, because IPs are a scarce resource.
Yes, piracy will take advantage of privacy technology (EDNS in this case). If we're cautious of violating privacy to catch child abusers, again, cry me a river about LaLiga not being able to fund the next hundred million euro transfer.
It's not blocking hundreds of services, it's blocking one, Cloudflare. A service that routinely is used to share copyright material.
> What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
In this case? A court order: https://bandaancha.eu/articulos/esta-nueva-sentencia-autoriz... which is a pretty heavyweight oversight mechanism.
Personally I'm broadly pro-piracy and anti-big-sports-organisation. But alas the legal system disagrees.
The court order provides the means of doing it, it isn't itself a justification for wanting to do it.
(Unless your view of ethics/morality is that anything ordered by any court is automatically good, which I'm sure some people believe but I suspect many more do not have such a binary view.)
> people randomly blocked by cloudflare without recourse?
Cloudflare does not randomly block access to sites that don't deal with Cloudflare.
Cloudflare customers buy blocking service to their sites from Cloudflare. Any randomness there is just customer service issue.
They buy a service which should block a specific type of traffic, for example bots or attacks. I don't believe any of their customers have purchased a "block a random version of a specific browser" plan. The fact this is occasionally treated as a bug and fixed confirms that idea.
If the customer specifically set a header match to block some Firefox variant, people wouldn't complain to cloudflare about it.
Customers can pick several levels of aggressiveness when it comes to blocking bots. Some of the more obscure browsers easily pass the "low" threshold but don't make it past the "high" threshold. Some older browsers like Palemoon seem to crash or break the JS Cloudflare serves but that seems to be a browser issue.
If your favorite website is blocking you, let them know. They can tweak a lot in their WAF settings. I don't think many websites care about obscure browsers, but it's something websites can control.
That's why I wrote
>... just customer service issue.
I'm not sure what point you're trying to make. Cloudflare has been failing this way for ages. At this point they're just accepting it and it affects people who don't understand or care who cloudflare is. It's an issue with cloudflare business model as a whole these days.
You covered everything except the most important case: Cloudflare blocks innocent people trying to access websites protected by Cloudflare.
For instance they block me because I'm behind CGNAT and because some of the millions of machines also behind that CGNAT once did something unsavory.
I'm not a customer of Cloudflare, so I have no one to call, I just get blocked from endless websites or have to click a checkbox, solve puzzles and suffer other indignities because I'm using a reputable and popular ISP in my country.
Fuck Cloudflare. They're accelerating the utter shittiness of the web because of their indiscriminate solutions to web malfeasance, which are worse than the disease.
If not for cloudflare, the site which you’re trying so hard to visit would probably not survive due to:
1. High genuine traffic
2. High bot traffic
3. Being DDoSed to death
Everyone else other than you get to enjoy a snappy and fast loading site. I think that’s a good trade off.
> Everyone else other than you get to enjoy a snappy and fast loading site.
Why can't everyone else suffer? What makes me the loser besides prejudice?
I'm hardly unique, there are many people who share an external IP.
Maybe the point is don't screw one half of the population to benefit the other half.
> Everyone else other than you get to enjoy a snappy and fast loading site. I think that’s a good trade off.
The core logic behind that sentence is that it's good to be in an unfair system, as long as you benefit from the system and don't get unfairly targeted.
Work camps are also a good thing, provided you're benefiting from the work rather than sent to the gulag.
I've experienced similar problems in the past. Cloudflare decides that something about the ISP or software I'm using is not on some secret approved list and we all get a bag of coal for Christmas instead of the content we were asking for until we've jumped through whatever hoops it decided to set up this week. And I've heard way too many anecdotes from way too many people in real life to believe this is some sort of isolated or unusual event.
If Cloudflare is now taking a hit because it's become collateral damage to an over-generalised penalty system despite having done nothing wrong itself then it is difficult to find much sympathy. If this blocking exposes how much of the web we all use every day is now being routed via a single point of failure that has been operating largely as a law unto itself then that also seems like a positive step to me.
Depends on the kind of abuse. Acting as if CloudFlare is providing bullet-proof hosting and carrier services would be insincere. I have had CloudFlare suspend accounts within 18 hours of reporting.
Maybe you don't care about Cloudflare, but a lot of small sites use CF, and they're getting blocked. I'd feel bad about those sites.
Anyway, read the rest of the responses here giving context; the issue has more nuance than you seem to realize.
For what it's worth I think Cloudflare and a few other ultra-large CDNs should be considered a utility provider, given that it is very difficult to exist on the Internet without their protection - no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears. And if it's an online forum, chances are high someone will be pissed off by some moderation action and just buy a DDoS to shoot you off the 'net.
(In the end I think governments should finally hunt down and eliminate abusive netizens, but waiting for that to happen is pointless)
AFAIK, when HN gets hit by a DDoS attack, they go and re-route the DNS to Cloudflare's IPs.
Cloudflare profits greatly from you thinking it's impossible to exist on the internet without them.
Did you know they have a workflow for you to sign up and start using their protection in the middle of an attack? Costs money, of course. They don't get to EEE the Internet that way so they don't make it free.
Seconding that anything this big should be nationalized. That said, the internet still worked before cloudflare. The threat of a banned troll DDoSing your forum has been a risk for 30 years, yet the flourishing golden age of forums was before anyone had heard of cloudflare.
Add in their centralized panopticon of mass decrypted traffic and it becomes undeniable CF is an enormous net negative to the internet and society at large.
They could argue that they are on the side of the "good guys" (intelligence services and the police), especially if you consider their historical ties of collaborating with the 3-letter agencies like the FBI (c.f. how it all started with Project Honey Pot).
> The threat of a banned troll DDoSing your forum has been a risk for 30 years, yet the flourishing golden age of forums was before anyone had heard of cloudflare.
Private forums in my experience stopped being a thing around 2010-2015-ish. The first death knell was metasploit which made 0wning a target so much easier than it was before, the second and final blow was "ddos for hire" services, running on cryptocurrencies that promised (and delivered) true anonymity, and using mass hacked consumer devices as a botnet that was much harder to defend against than an STRO in some datacenter where you (or your DC) could just block the IP address.
> no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears
This will happen to you if you use Cloudflare as well, _unless_ you enable (at least) the automatic captcha, which then annoys users and disallows privacy-focused people from visiting your site.
To effectively stop committed DDOS you'll need CF enterprise, which filters out private blogs etc by price. The WAF options definitely make it easier to fight simpler DDOS attacks, but even then you'll need to know what you're doing.
While massive overreach in the name of fighting piracy is very on-brand for LaLiga, this seems pretty wild, even for them. I can't help but wonder if perhaps they didn't realize quite how many unrelated, legitimate sites/services that their citizens use would be affected by this.
I think burns/jokes about Cloudflare are missing the point. It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block. The block included things like Redsys, a major payments processor used by tons of ecommerce sites in Spain.
Piracy or not, you shouldn't be able to get away with this kind of collateral damage, blocking an entire population from accessing a far greater number of legitimate websites.
And while I do understand their problems with piracy, LaLiga's view on the matter has always been so over-the-top and reminiscent of the false logic the record companies used in the early 2000s: LaLiga believe (or at least say, all the time) that every euro's worth of football that is pirated is a euro that has been stolen from them; that if piracy didn't exist, they would have that much more money. It's simply not the case. It's a hugely outdated viewpoint, and they shouldn't be able to cause damage to the public because of their adherence to it.
> It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block.
I happen to agree that La Liga wildly overreaching is on brand. But I think this is partly about Cloudflare.
What's happening is a reminder of how centralised the internet is becoming. If blocking Cloudflare IPs brings down big chunks of the internet for Spain, that's a problem. Cloudflare could go down for a while, or collapse permanently, or get compromised.
Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
Cloudflare might get a resolution from the court that suits them in the short-term. But drawing this to government attention might not suit them in the long run.
> Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
On the contrary, it would be an excellent outcome if the Internet became all-or-nothing, and countries could either choose to provide Internet access or block the entire Internet, with zero ability to selectively block things they don't like.
Doing that via a few centralized CDNs would be bad. Doing that at the protocol level would be excellent.
So... you don't agree with the existence of laws? And differing jurisdictions?
I would like it to be impossible to selectively block portions of the Internet. I would like it to not be an option available to anyone.
...is what most free speech proponents say until they discover child pornography, and then say "well, impossible for anything except child pornography", and then they discover...
That is not a problem to solve by internet blocking. That's a problem to be solved by tracking down the sources and arresting them so they can't make more. Blocking doesn't stop the underlying abuse. And blocking is too dangerous of a capability to exist, because it can and will be abused.
Nah, it should be solved by your phone automatically reporting you to the police if it thinks you have CSAM stored /s (I fully agree with you)
I think the comments here about cloudflare aren't trying to justify what LaLiga is doing, just pointing out that cloudflare does the same equally wrong thing ultimately. If you've ever ended up with an IP cloudflare decided is suspect for one reason or another, have fun being stuck in endless captcha loops all day for something like 70% of the websites you visit, with no recourse
They want Cloudflare to deal with the piracy issue for them.
Sure it's blunt. But I guess it will be rather effective in getting Cloudflare to urgently revise their policy on copyright violation.
When they started doing these blocks a few weeks ago they also took down Telegram for the whole weekend and part of Monday.
It's my understanding that the usual process is to ask Cloudflare to move infringing domains from shared IP addresses to fixed IPs, before blocking.
Do you have a source for this?
No, it's my recollection of words spoken by a lawyer. https://torrentfreak.com/internet-backbone-cogent-blocks-clo... is related to the topic.
Thanks, that's a great source! Definitely illuminates a part of Cloudflare's infrastructure I had no idea about before. Interesting to hear about their cooperation here given their publicly very anti-censorship reputation.
This argument on whether LaLiga or Cloudflare are the biggest dicks is kinda dumb.
Yeah, CF has stepped in it from time to time and yeah, maybe they have ego-ish proclivities. What Behemoth online service doesn't?
But the core of this debate is about LaLiga and its peripheral relationships dragging a lot of innocent folks along with the genuine targets of their focus. It's like those Drift Netters who have demonstrated they care not for the unintended species they catch. A bit of a labored metaphor but, there you have it.
"Like the majority of cloud providers, Cloudflare uses shared IP addresses to manage its network, meaning that thousands of domains can be accessed with a single IP address."
Thousands?
It used to be one could access _any_ Cloudflare customer website using appropriate Host header, SNI and a _single_ Cloudflare IP address, i.e., one address could be used to reach all CF customer websites. For whatever reason, that is no longer the case.
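Added example (not part of the thread): one way to audit how much unrelated traffic a prefix-level block catches when many domains share the same addresses, as the comment above describes. The prefixes, domains and resolution table are constructed sample data using documentation address ranges, and `audit_block` with its report keys is a hypothetical helper, not any ISP's or Cloudflare's tooling.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737 / RFC 3849),
# standing in for the prefixes an ISP was told to block.
BLOCKED_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]

# Constructed resolution table: domain -> addresses it resolved to
# (in practice this would come from resolver logs or passive DNS).
RESOLUTIONS = {
    "stream-target.example": ["192.0.2.10"],
    "payments.example": ["192.0.2.10", "2001:db8:1::10"],
    "blog.example": ["192.0.2.77", "198.51.100.5"],
    "repo.example": ["198.51.100.9", "2001:db8:2::9"],
    "broken-record.example": ["not-an-ip"],
}

# Domains the blocking order actually names (constructed).
TARGETED = {"stream-target.example"}


def audit_block(blocked_prefixes, resolutions, targeted):
    """Classify every domain by how a prefix-level block affects it."""
    nets = [ipaddress.ip_network(p) for p in blocked_prefixes]
    report = {
        key: []
        for key in (
            "targeted_blocked",    # named in the order and caught by the block
            "targeted_missed",     # named in the order but not covered
            "collateral_full",     # unrelated, every address is blocked
            "collateral_partial",  # unrelated, some addresses are blocked
            "unaffected",
            "invalid",             # unparseable or empty records
        )
    }
    per_prefix = {str(n): set() for n in nets}

    for domain in sorted(resolutions):
        try:
            addrs = [ipaddress.ip_address(a) for a in resolutions[domain]]
        except ValueError:
            addrs = []
        if not addrs:
            report["invalid"].append(domain)
            continue

        blocked = 0
        for ip in addrs:
            covering = [n for n in nets if n.version == ip.version and ip in n]
            if covering:
                blocked += 1
                if domain not in targeted:
                    # Record which prefix is responsible for the overblocking.
                    for n in covering:
                        per_prefix[str(n)].add(domain)

        if domain in targeted:
            key = "targeted_blocked" if blocked else "targeted_missed"
        elif blocked == len(addrs):
            key = "collateral_full"
        elif blocked:
            key = "collateral_partial"
        else:
            key = "unaffected"
        report[key].append(domain)

    report["per_prefix"] = {p: sorted(d) for p, d in per_prefix.items()}
    return report


if __name__ == "__main__":
    for key, value in audit_block(BLOCKED_PREFIXES, RESOLUTIONS, TARGETED).items():
        print(f"{key}: {value}")
```

In the sample, one targeted domain is blocked while two unrelated domains are fully or partially cut off by the same prefix, which is the per-IP overblocking the thread is arguing about.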
Honestly, I hate both parties here so much. I just wanted to say that Cloudflare is the biggest problem I have at work when trying to detect and take down phishing websites. They do not collaborate with official entities and keep protecting malicious actors. I could not care less about someone giving them problems.
Football goes beyond mere entertainment in Spain, it's like life itself. I think there's a case to be made that any and all disruption to internet services is justified to provide the public with the best possible Football experience.
What's the chance that
1) Cloudflare wins its lawsuit against LaLiga.
2) LaLiga appeals to Cloudflare to block these individual, infringing sites.
3) Cloudflare does nothing.
CloudFlare doesn't allow video streaming on their free/low tiers so I would expect this to be shut down by CF regardless as there wouldn't be anyone legit to pay for the Enterprise plan.
They just host the pages on CF, not the video streams.
I don't understand why Cloudflare allowed itself to be used like this and is heading to court instead of just refusing to accept LaLiga's requests. They could just request them to provide appropriate evidence and make them pay for the time Cloudflare staff would need to review the evidence.
Cloudflare isn't in a position to accept or decline LaLiga's requests; LaLiga, supported by a ridiculous court order, is forcing ISPs to block Cloudflare IP addresses.
Cloudflare absolutely is in a position to take down domains they're hosting on those IPs while keeping other domains sharing the same IP up.
I think that's probably what they'll be doing in the end, so it's interesting to observe that they haven't done so already. Do they maybe have at least an internal domain reputation system so that long-time customers mostly share IPs with other long-time customers and are less likely to get caught in the crossfire?
> Cloudflare absolutely is in a position to take down domains they're hosting on those IPs while keeping other domains sharing the same IP up.
They could. On the other hand, why should they? I would much rather see them fight this court order and make it stop across the board.
Cloudflare's customers are distributing copyrighted material. That's basic copyright law, and the host and distributor can easily take it offline after a court request.
Your response assumes I want to see sites distributing copyrighted soccer games taken down, rather than cheered on.
The courts are unlikely to cheer on such websites, though. For better or worse, copyright law exists in Spain, and it will be enforced either with Cloudflare's co-operation (Cloudflare blocking infringing websites) or without (ISPs blocking Cloudflare IPs).
What I'm hoping for, here, is a case along the lines of "this court order has been used irresponsibly, with no regard for collateral damage, and has blocked sites such as GitHub, X, Y, and Z, which have nothing to do with the purpose of the court order; the court order should be rescinded".
According to another commenter here, the court order specifically stated that unrelated websites should not be blocked, so La Liga is potentially in breach of the court order, and could be on the hook for a lot of money in damages, should the injured parties decide to pursue it.
Bit of a strawman, yea? Copyrighted material is flung from one end of the Earth to the other from thousands of places and you want to single out a single entity? How's that 3rd grade education working for ya?
Ok, this explains why Cloudflare is doing this. So the issue seems to be with the court order then. Is this then yet another case of court order makers not understanding the technological consequences of the court order they made?
Or more likely not caring, or not being informed because the plaintiff doesn't care about collateral damage.
I suspect that LaLiga lawyers and lawyer-techs aren't perhaps the most technical so when they learned to figure out IPs they made it their go-to way of working without even considering that they might need to contact CF (or Github that also seems blocked in Spain).
Finding abuse contacts is actually a M:N problem for the entire industry since we skimped on IPv6 (Had we gone to IPv6, providers like CF could've just assigned customers their own IPs and third-party fallout would've been minimal).
LaLiga went directly to the courts, according to Cloudflare.
Well, I'm guessing here but I assume pirates are happy to stand up a new website for every match. And LaLiga wants the sites taken down within the ~90 minute duration of the game, otherwise what's the point?
I'd be interested to see if twitch is on their block list... or if running pirated tv, movies and sports from all over the world 24/7 just isn't as visible enough to them for them to say something...
Most streaming platforms actually put a lot of effort into combating live soccer broadcast piracy, more than a lot of other types of content. European soccer is massively popular globally, as is the World Cup. Thus piracy of it is massive and global as well, and it gives the big leagues and competitions a lot of leverage. Most platforms try hard to counter soccer piracy, generally without waiting for a complaint or takedown request, and often using active methods like doing automated content detection on livestreams. The platforms simply have more to lose by poor enforcement of a huge soccer event than most anything else, including anything from Hollywood.
As a reminder, LaLiga got caught spying on their users with their app using the microphone and the geolocation to detect illegal emissions in bars. They got fined, applying the GDPR, with 250k euros. [0]
However, the last court order removed the fine, as they interpreted that the AEPD (Spanish data protection agency, and the ones that fined LaLiga) did not show any guidelines about this kind of stuff so it couldn't be fined retroactively. And that showing a "Mic in use" warning every time the app was using the microphone, as AEPD wanted, was "excessive". [1]
[0]: https://confilegal.com/20220505-la-an-ratifica-la-sancion-de...
[1]: https://www.cuatrecasas.com/es/spain/propiedad-intelectual/a...
Cloudflare's ddos protection constantly locks out non-mainstream browsers, so pot and kettle, and such.
I've had issues with their captchas just not working but not providing that as feedback. Javascript enabled and all.
You can easily reproduce this by using a mainstream browser like Chrome and changing your user agent to e.g. a Firefox one (or the reverse). You'll be hit with captchas everywhere but unlike the cloudflare ones the google ones can at least be resolved.
A Firefox user agent with a Chrome Javascript engine and a Chrome TLS engine is suspicious. Any decent bot prevention mechanism will trigger on that.
I don't have issues passing these blocks in Firefox, though.
from my travel experiences with my laptop
linux + firefox + less developed country ISP = endless captcha loop or straight up ban
I've had that experience in a developed country too, but every time it happened it was because of CGNAT without IPv6 (or some similar setup causing millions of requests to come from a single IP).
But on the other hand, almost all of the requests from less developed countries in my logs seem to be malicious. I've blocked entire countries at times (through iptables, arguably better for privacy but worse for blocked people) when a dumb bot wave made it through the internet. I get why Cloudflare is so eager to ban some ISPs, those ISPs seem to be doing a terrible job protecting the rest of the internet from their hacked or abusive customers.
If your travel is short enough, use Chrome. It works fine for me with Linux+Chrome+LessDevelopedCountryISP. That said, I do understand you are giving up some privacy by using Chrome, instead of Firefox. Can you just use a Chrome user agent, or does Cloudflare fingerprint your browser via JavaScript?
Not just non-mainstream web browsers but also users in certain less developed countries.
Clearly there’s a balance to be had, but Cloudflare’s shadowbans are just mean.
Can confirm. If I click certain links in the Discord Electron client on Windows they work just fine, but in Firefox on Linux I get the DDoS block page, regardless of the internet connection I'm using.
It's a service that Cloudflare customers buy for their site.
This is about messing with unrelated parties. Cloudflare is not doing that.
I'm also an unrelated party, it messes with me, Cloudflare is doing it, and I can't opt out.
You are related when you try to access a site. It's just customer service issue. You can't demand that sites allow you in.
See the difference. In the second case, the parties are still related. The websites that are intended to be targeted by the court order are served by Cloudflare, and the operators of the sites that you want to access are also served by Cloudflare. It is like doing business with a bank that also serves sanctioned customers, and now your suppliers cannot get paid.
Can Cloudflare demand that ISPs carry its traffic? Probably, due to net neutrality laws. That's what they are trying to do in court.
Can you demand that websites allow you in? Depends on the site, I can imagine certain kinds of sites, e.g., government websites or public utility websites, being compelled to do this by a court, if they use Cloudflare and block innocent users. But the blocked users will generally not have enough time or money to deal with a lawsuit.
I get locked out occasionally when travelling outside EU as well. I've got to the point I will just avoid using services with CloudFlare in front of them.
Also the one time I reported abuse which was online banking phishing they just replied that they'd informed the upstream provider and nothing happened.
I mean isn't that a feature customers have to turn on?
Most folks do not realize the consequences. Of those who do, a significant fraction thinks that the only people accessing it are from US mainland and use Chrome on Windows.
Can we get those IP ranges posted here that belong to Cloudflare for educational purposes?
https://bgp.tools/as/13335#prefixes
CF's announcements are quite fragmented/deaggregated due to traffic engineering. Here's a much shorter list of the actual IP blocks: https://www.cloudflare.com/ips/
Fucking rich when I can't access a load of cloudflare sites on a vpn
I wonder what prompted this reaction from them for this particular case. This has been happening for years in my country without a peep from them.
What's laliga
LaLiga is the main football league in Spain, where Real Madrid, FC Barcelona,... play. It's also considered the second most important league in Europe after the Premier League in England. And, related to this, it manages the TV rights of the matches.
Cloudflare is a flaming heap of garbage of a company and to see them have beef with another company like this is very ironic.