On 18 November 2025, the popular Content Delivery Network (CDN) and Distributed Denial of Service (DDoS) protection provider Cloudflare suffered a major global outage. For several hours, users struggled to access X, ChatGPT, major retail and financial sites, and many gaming and crypto platforms. Kiwifarms, however, stayed online.
This was striking because Kiwifarms had been removed from Cloudflare’s services in September 2022 after a campaign that drew attention to the forum’s role in harassment and abuse, especially of trans people. A 2023 GNET Insight by Seán Looney describes Kiwifarms as “an internet forum known for its active targeting and harassment of trans people.” The Insight also identifies CDNs as promising points of leverage for countering terrorist and violent extremist content online, by withdrawing service from sites that contain such content, citing takedowns of sites such as The Daily Stormer, 8chan, and a variety of Taliban-owned websites. Deplatforming Kiwifarms from Cloudflare was widely regarded at the time as a major victory, as it effectively removed access to a “hotbed of bigoted and radical material” for the average internet user, thereby promoting a safer online ecosystem.
By tracing publicly available posts on Kiwifarms’ Telegram channel and forum, I show how the site was migrated onto a new infrastructure and continues to operate on both the Clearnet and Tor. I do not dispute that CDN-level deplatforming can be impactful. Instead, this Insight explores how, in the case of one site with a determined operator, deplatforming from Cloudflare ultimately drove a shift towards greater infrastructural resilience, suggesting that relying solely on CDN-level interventions risks training a technically capable minority of extremist or harassment sites to harden themselves against precisely those measures.
CDNs in the Tech Stack: What Cloudflare Actually Did
Looney’s Insight usefully summarises what CDNs do on the contemporary internet. They cache (i.e., store) content across geographically distributed servers to reduce latency and load, and they sit between clients and origin servers as ‘surrogate hosts’ from the perspective of many website operators. CDNs also provide a second critical function: they absorb and mitigate distributed denial-of-service (DDoS) attacks, which would otherwise overwhelm individual servers. In practice, for many high-traffic or controversial sites, the CDN is both a performance booster and a shield.
Cloudflare repeatedly stressed during the Kiwifarms controversy—that eventually led to the deplatforming—that it was not the site’s host and did not store its content. It presented itself as a ‘reverse proxy’ and security service. Kiwifarms’ owner-operator Null’s public posts from August 2022 agree: “we operate our own network infrastructure”, with Cloudflare as an application-layer attack mitigator and “a small part of our entire setup”.
Figure 1: Null describes Cloudflare’s Role in Kiwifarms’ Operation via a 24 August 2022 Telegram message to followers.
The value of that ‘small part’ lay precisely in absorbing floods of hostile traffic so that the underlying servers did not have to.
For context on internet infrastructure, Joan Donovan’s tech-stack diagram serves as a helpful visual. In this case, Cloudflare lives in the intermediary middle: above physical connectivity and transit, below end-user applications and platforms.
Figure 2: Joan Donovan’s ‘tech stack’.
Because CDNs see huge volumes of traffic and handle security functions, they are attractive chokepoints for content moderation.
This was the logic behind the #DropKiwifarms campaign, started by Canadian Twitch Streamer and trans activist, Clara Sorrenti, also known as Keffals, who mobilised her following to pressure the companies that allowed Kiwifarms to operate. If Cloudflare refused to handle traffic for Kiwifarms, the forum would be exposed to DDoS attacks and other hostile activity that could make it effectively unreachable. Because stricter rules around neutrality constrain some upper-tier infrastructure providers, and because Kiwifarms had not been successfully targeted through criminal prosecution, a CDN like Cloudflare appeared to be the ideal point of intervention: powerful enough that losing it would hurt, but still able to choose its clients. Cloudflare explicitly acknowledged one side of this argument (in favour of infrastructural neutrality) before backtracking, claiming an escalation in rhetoric had forced its hand.
In Looney’s Insight, this confirmed the potential of CDNs as part of a wider content-moderation toolkit. But there is a slightly more sobering sequel.
After Deplatforming: From CDN Dependence to DIY Defences
Once Cloudflare terminated Kiwifarms in September 2022, Null had three options: shut down, retreat permanently into Tor and other non-clearnet channels (building a website that requires specialised browser software to access), or build alternative infrastructure. He chose the third.
First, the scramble for replacements. Kiwifarms briefly appeared behind DDoS-Guard, a Russian-based provider known for taking on high-risk clients, before that protection, too, was removed under pressure.
Figure 3: Null Reports Russian DDoS Protection Service DDoS-Guard’s Termination of Service.
Hosting and routing arrangements shifted across multiple providers. At the same time, Null began experimenting with replicating the key functions Cloudflare had provided. In late September 2022, he described:
Figure 4: Null Describes His Mitigation Activities.
“testing different methods of proof-of-work application-layer DDoS mitigation”, explicitly likening them to Cloudflare’s familiar browser checks. He also noted that he had set up front-end servers that would take initial traffic and filter out obvious junk before passing it to the core forum servers. He further described changes to DNS and routing intended to prevent attackers from reaching the main machines running the site; DDoS attacks work by ‘clogging up’ access channels with inauthentic web traffic, so legitimate users are unable to connect.
This led to a deeper restructuring of Kiwifarms’ own infrastructure. In a long technical status update in late October 2022, Null wrote that he had “rebuilt everything from scratch”. He described offloading roughly seven terabytes of content to a new storage device, setting up new back-end servers “in different countries”, standing up “forward nodes” that would accept connections and pass them back to the core servers, and clustering the forum’s large database across these machines and experimenting with different replication strategies. This distributed approach replicated what Cloudflare offers as a service package: geographic dispersion, intermediation between public-facing endpoints and core infrastructure, and defence against attacks. The difference is that the logic now resides with a single site operator rather than with a large infrastructure firm managing thousands of clients.
Subsequent messages through 2023 showed this strategy becoming more durable. Replacement servers were purchased and shipped into a single data centre, implied to be Null’s own house or a property he owned, to create local redundancy; Null emphasised his preference for owning “our own bare metal” so that no single hosting company could shut down the entire operation. The first mention of what is now Kiwifarm’s own long-term cryptography-based DDoS mitigation system, the imaginatively named ‘Kiwiflare’, is on 13 March 2023, with earlier references to anti-DDoS efforts suggesting they were only partially successful.
Figure 5: Null Mentions ‘Kiwiflare’ has ‘kicked in and is working intended[sic]’.
A December 2022 message on the Kiwifarms Telegram chat lists Tier-1 providers that were “either rejecting our announcement or blackholing our routes” and threatened a “total…war” on what he called “the digital equivalents of the post office”.
That list included Lumen, GTT, Arelion, Zayo and Voxility -major internet infrastructure providers- whom he accused of violating ‘European Net Neutrality’. When one upstream’s DDoS filtration was later withdrawn, Null characterised the DDoS mitigation industry as a “multi-billion dollar” sector which forced smaller sites to “seek refuge under larger and larger choke points on the Internet” and argued that this economic structure explained why “half the Internet uses Cloudflare”. However, Tier-1 providers eventually stopped ‘blackholing’ the network (refusing to resolve Kiwifarms’ IP address), leading to Null to crow, “this means that #DropKiwifarms has regressed all progress since September, and no T1 is blackholing anymore” on 14 January 2023.
What deplatforming had done, in other words, was to push Kiwifarms into a more adversarial relationship with every layer of the stack below Cloudflare, while also teaching its operator how to operate in that environment.
I referred at the beginning of this Insight to the 18 November 2025 Cloudflare outage. The episode has been read, quite reasonably, as a warning about infrastructural concentration: when a single firm that carries around 20% of global web traffic suffers a cascading internal failure, the impact is systemic rather than local.
Kiwifarms, no longer behind Cloudflare and now running on its own improvised infrastructure, remained up. Null, predictably, crowed in a message on the Kiwifarms Telegram channel:
Figure 6: Null Boasts of Kiwifarms’ Resilience.
This does not mean that deplatforming backfired in any simple sense. Kiwifarms lost traffic and visibility after Cloudflare’s decision, and its new stack is fragile in other ways, but it does highlight a tension in infrastructure governance. The same concentration that makes CDNs effective chokepoints also creates systemic fragility when they fail. When one of those chokepoints is removed from an adversarial site, the operator may learn to distribute risk in ways that make them less exposed to that particular point in future.
Regulatory Blind Spots in the Tech-Stack Model
CDNs sit uncomfortably within existing legal categories. Under frameworks such as the EU’s Digital Services Act, they can be treated as caching services with limited liability or as hosting providers with greater responsibilities. CDNs often stress that they do not control the content they help deliver.
The Kiwifarms case suggests that this narrow focus on the CDN layer alone misses important dynamics with direct policy implications. Intervening at one layer of the stack rarely keeps effects neatly contained there. When Cloudflare dropped Kiwifarms, pressure shifted downwards to transit and Tier-1 providers that had previously operated quietly in the background, and while some of those providers appear to have blocked routes associated with Kiwifarms, others did not. Some of the providers who acted also eventually reversed their decisions: Null explicitly asked Kiwifarms users who were customers to complain, underscoring that informal pressure campaigns can go both ways.
If these actors are going to be drawn into content moderation, policy frameworks need to recognise that explicitly. That could include transparency about when and why traffic to particular networks is blocked, basic due process standards when connectivity is restricted, and clarity about the legal obligations of backbone (‘mere conduit’) providers. Without such measures, there is a risk of pushing governance into opaque infrastructural domains or of making governance decisions based on who shouts the loudest, raising concerns about accountability and procedural fairness.
Recognising CDNs and large DDoS-mitigation providers as critical infrastructure, with associated resilience and transparency obligations, would be one way to align regulation with their real role. It would also make it easier to consider how to address the small number of sites that deliberately opt out and attempt to harden themselves.
Finally, Kiwifarms illustrates the ease with which controversial operators can move between jurisdictions and alternative infrastructure. Under pressure, Kiwifarms experimented with services and hosts in more permissive environments, a familiar pattern across extremist, harassment, and criminal sites. Large, well-known infrastructure providers are increasingly subject to regulation and public scrutiny. A long tail of smaller, more obscure providers is not. Deplatforming from the former can push determined operators into this tail without necessarily removing them from the internet. That does not mean such measures are futile, but it should temper expectations and highlight the need for complementary tools such as financial measures, targeted criminal enforcement for specific harms, and demand-side interventions to reduce reach.
Conclusion
Kiwifarms’ removal from Cloudflare in 2022 exemplified the potential of CDN-level deplatforming as part of the broader response to harmful and extremist content online. For a time, the site was difficult to access, and its operator struggled to keep it alive.
By late 2025, however, the picture is more ambivalent. Through trial and error, Kiwifarms’ operator built a bespoke, if fragile, stack of servers and defences that no longer depends on a single large intermediary. When Cloudflare itself suffered a major outage, Kiwifarms stayed online.
For policymakers and practitioners, this should not be read as a reason to abandon infrastructure-level interventions. Most sites will not have the capacity or determination to do what Kiwifarms did. However, the case is a clear warning that governance focused on a single layer of the stack can sometimes train the most committed adversaries to operate without that layer. Any strategy that relies on CDNs as chokepoints needs to be paired with a clearer view of how pressure cascades down the stack, and a plan for sufficiently motivated actors who redesign for resilience.
–
Alexander Yen is a doctoral candidate in International Relations at the University of Oxford. His research focuses on international order and contestation, but his more recent interests have lain in the institutional and infrastructural particulars of transnational governance, including in the digital sphere, and the ways that actors, state and private, contest and shape that the digital ecosystem. He is a concerned observer of the growth of digital extremist content and the intermediaries and regulatory gaps that shape its continued existence.
–
Are you a tech company interested in strengthening your capacity to counter terrorist and violent extremist activity online? Apply for GIFCT membership to join over 30 other tech platforms working together to prevent terrorists and violent extremists from exploiting online platforms by leveraging technology, expertise, and cross-sector partnerships.