chyli. : The Fuwa Fuwa-est of all time

The Internet is getting centralized and we can't do shit

On 18 Nov 2025, a giga-giant company specializing in CDN and Cyber Security, CloudFlare, suffered an outage that affected millions worldwide, as roughly 20% [1] of the Web went down that day. This affected not only the sites that relied on its DDoS protection infrastructure, but also its anti-bot solution, Turnstile.

CloudFlare offers a wide range of services in various sectors such as DNS, CDN, WAF, Zero Trust, Email, Domain Registrar, Pages, and much more. These services are used, in parts of their infrastructure, by users ranging from small personal blogs to multi-billion-dollar e-commerce sites. This makes the impact of this downtime even more critical.

Before we get any deeper: some people might not have a picture of how big CloudFlare is, so to make it clearer, here are some cool stats regarding CloudFlare as per data published by W3Techs [2]:

  • 15.1% of websites are using CloudFlare DNS as a nameserver

  • 20.5% of all websites are using CloudFlare WAF, which makes up 81.6% of the reverse proxy market share (in terms of commercial reverse proxies for DDoS protection, WAF, etc.)

In the next part, I’ll be ranting about the trends in DDoS attacks and how it’s nearly impossible to independently mitigate attacks anymore.

The DDOS Trends

DDOS Trends by quarter. via CloudFlare

DDOS Trends by quarter. via GCore

If one is familiar with the cybersecurity community, one might have heard of AISURU, a botnet that consists of thousands, if not millions, of infected, insecure IoT devices. [3]

AISURU findings

  • Title : More details on the DDoS attack on the 《Black Myth: Wukong》 distribution platform
    1. Published by xlab, August 2024

  • Title : The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU
    1. Published by xlab, September 2025

Just months after its debut, it had already made big headlines with a 6.5 Tbps [4] DDoS attack in April 2025 (the attack lasted approx. 45 seconds). Later, in May 2025, it hit the well-known cybersecurity blog “KrebsOnSecurity” with 6.3 Tbps (the attack lasted approx. 45 seconds), but with the protection of Project Shield by Google, the site remained online the entire time. And as of the most recent quarter (Q3 2025), the attacks have grown even larger, to 29.7 Tbps [5] (the attack lasted approx. 69 seconds).

Those are samples of AISURU campaigns that were successfully mitigated by the provider. That is not achievable by everyone, though, and this isn’t limited to traditional ISPs and hosting companies; it also applies to smaller mitigation firms.

NeoProtect (AS199414) is a German DDoS-protection-as-a-service firm that once offered Remote Shield, a DDoS-protected uplink for downstream ISP customers, but it relied heavily on CDN77’s basic DDoS filtering infrastructure. As a result, the AISURU botnet attack on 24 October caused a huge problem for CDN77.

While there is no official report of the attack size, NeoProtect has estimated it at around “10-20 Tbit/s peak” [6]. CDN77 therefore had to cut off the BGP session entirely [6] and stop providing DDoS filtering services to anyone going forward, as confirmed by the company’s updated AUP [7]. This resulted in NeoProtect stopping the Remote Shield service entirely, and it won’t be restored in the foreseeable future [6].

Another instance is TCPShield (AS64199), a Canadian company specializing in game DDoS protection. The company has reportedly been in a beef with the French hosting company OVH since at least early October 2025. There is no report of the attack size or of the reasons for the suspension from the OVH infrastructure [8], but it has been speculated to be related to the brutal size of the attack, as per the attached image of a ticket response by an OVH staffer to TCPShield [9].

And it is not only the hosting provider or shielding provider that has been affected by the DDoS, but also the source ISP, as a large chunk of the traffic might have been sent from the same home network as ours, such as from a home CCTV camera, home router, or IoT device that got hacked. We might unknowingly be part of the global DDoS campaign that takes down sites worldwide.

The “Reverse Proxy” Trends

AISURU has supposedly shifted its interest to residential proxies, as published by KrebsOnSecurity. But the damage has already been done, and the future of the independent Internet is now in question.

Undoubtedly, the size of attacks is growing rapidly, especially in 2025, making on-premises or in-house solutions no longer feasible, and that has hugely contributed to the increasing number of users residing behind commercial reverse proxies in recent years.

In my opinion, this might not be the outcome intended by the perpetrator (we do see many cases where the perpetrator is someone within the mitigation company who does it to sell services to customers, but we’ll rule that out for this article). The cost of DaaS (DDoS as a Service) is not cheap either; as a result, targets are mostly big companies’ infrastructure, or some Minecraft server. But the panic is real and is imminent.

I understand why people choose the security of their site over the diversity of the internet, but that still unintentionally increases the criticality of a single company to the internet, therefore giving control over content policing to a single company, and one simple outage can cause a worldwide disruption, as we unavoidably experienced last month.

The “Content Policing” Trends

Content policy has always been a part of the internet; well, not always, but it has had more presence since the 2015 incident. But most of those actions were taken by the platforms themselves (Facebook, X, TikTok, etc.) and not by the infrastructure provider. That was until recent years, when we began to see more and more direct intervention in content by the infrastructure providers themselves.

For instance, while CloudFlare has a strong policy on content neutrality and takes the high ground on free speech, its policy has been tested multiple times, and the results vary, based on society’s norms. The most notable incident was in 2022, when a “certain” forum got terminated, with their blog post stating that:

we believe there is an unprecedented emergency and immediate threat to human life unlike we have previously seen from Kiwifarms or any other customer before

These decisions may have been made in “good faith” that the forum may have “potential criminal acts and imminent threats to human life”, and some might agree with these decisions by CloudFlare, given the nature of these sites.

But we all know, even CloudFlare itself, that this decision is just like throwing a gas can into the flames. And it really is: this blog post created publicity for CloudFlare, but also for KiwiFarms too.

There is more to the story of this forum saga, including the post-CloudFlare search for a BGP session on LowEndTalk (authwall) and more Tier-1 ISPs intervening with the site directly, but that’s a story for another day.

It isn’t just CloudFlare that is intervening with content directly, though. There are many more DDoS protection companies out there that choose to play their own game of policing their customers, such as Path.net, which has also had a dispute with the same forum. I don’t want to mention the same forum over and over, as that creates bias toward one party or another, but there isn’t really a better example of when the big internet turned on you, with such big publicity and public stunts by both the forum admin and management within the ISP.

Selective termination, as in these examples, doesn’t lead to the betterment of the internet at all, as the terminations are mostly done without legal grounds, but rather on the moral grounds of society at the time. It also raises the question of why this site is allowed and that one isn’t, and it creates an excuse for a third party to request intervention, too.

As stated by the EFF [10]:

Given these pressures, the thorny questions they raise, and the importance of ensuring that users have the ability to speak up and express themselves without being vulnerable to the whims of company executives, providers that can’t answer those questions consistently should do their best to stay focused instead on their core mission: providing and improving reliable services so that others can build on them to debate, advocate, and organize. And policymakers should focus on helping ensure that internet policies support privacy, expression, and human rights.

The state of the Independent Internet

Despite all this, DDoS and content policy aren’t the only things causing harm to internet independence. There are also the ever-growing trends of governments attacking the legality of encryption, enforcing forced decryption, and controlling the accessibility of sites using KYC by preferring security over privacy and the risks of data leaks.

While this isn’t directly harming internet independence, it is directly harming the availability of content, the same way DDoS does, but enforced by the government rather than by a bad actor who disagrees with the site’s content, and in some ways it might be worse than DDoS. With DDoS, one can always seek shelter with providers, but with the other, access depends on the visitor’s technological knowledge.

In closing, I’m not the first one to talk about this topic. Many people have raised concerns about these topics before, and yet no one has a possible solution to this, me neither. But one thing we know is that if these trends keep going, along with the surge of LLM content scrapers in recent years, then fuck it, the internet is dead.

x-x
