In the wake of Cloudflare's outage, could this software be an alternative?

[IdfbAn]

I'm very much not fond of the internet in practice being reliant on a few companies, especially after the AWS and Azure outages last month, and now the current Cloudflare situation.

Considering one of Cloudflare's core services is DDoS protection, could using and contributing to Gatekeeper be part of a hypothetical effort to make the internet more decentralized and less reliant on these tech giants?

[Onepamopa]

I don't think so... Not unless you've got deep pockets for fat pipes and compute... CF is the de-facto monopoly on this.

[AltraMayor]

I agree with @Onepamopa in the short term, but not in the long term. Before the creation of Internet Exchanges (IXs), companies outside the US were at a disadvantage when it came to bandwidth cost because only the most prominent players had economies of scale.

"Fat pipes and compute" dominate the cost of large Gatekeeper deployments because these resources are not shared, as peering resources are in IXs. There is more than one way we can make the transition from single-entity Gatekeeper deployments to shared deployments.

Consider the DDoS problem from the perspective of Internet Service Providers (ISPs), IP transit providers, cloud providers, and IXs. They are close to the sources of the attack, but they do not have the necessary information to identify and filter attacks. They do spend money to deal with the problem, but the lack of information limits how effective these solutions can be.

Once Gatekeeper is recognized as the path forward, it would be a reasonable next step for companies close to the sources of attacks to reallocate the budget they already spend on DDoS mitigation to provide free Gatekeeper servers to any autonomous system (AS). This way, the high cost of building and maintaining Gatekeeper deployments would be spread across the Internet. Destination ASes, the target of the attacks, would run the Grantor servers with their policy, so the companies offering free Gatekeeper servers would have the information to filter the attacks.

I omitted many details here to highlight only the key aspect of the solution.

[Onepamopa]

90% of the ISPs frankly - don't care. They've got no ddos defense posture on the inbound (besides null-routing, of course).
As for the outbond attacks that originate from them - CF already provides a bot feed they can query and get all offending IPs within their AS, if they'd bother to do anything about them, of course (which let's face it - most of the time they don't, and if they did - they suspend the user for 20-30 minutes). It's a ZOO, and the zoo-keepers don't have the time/resources to manage it properly :)

[AltraMayor]

When bad men combine, the good must associate; else they will fall,
one by one, an unpitied sacrifice in a contemptible struggle. -- Edmund Burke

My answer is about what can be done, not the current state of affairs. Uniting can bring the cost down, but the problem needs to become big enough for us all to care. Not uniting is what motivated @IdfbAn in the first place.

[IdfbAn]

Ladies, gentlemen, and everyone else, IT HAPPENED AGAIN.