The free and $20 plan doesn't cover all DDoS attacks. The real stuff costs more than I spend on my entire monthly infrastructure. For my use case, it would cost $6000/mo (I need wildcards and full DDoS mitigation). I'm sure $6k is cheap for someone, but it's not cheap for us.
Meanwhile, providers like OVH, Ramnode, Vultr and BuyVM offer various levels of integrated DDoS protection for their servers and VPS for free or a very reasonable cost ($5-10 per month). It's out there, you just need to look for it.
Genuinely curious: How reliable are the DDoS protection services offered by these cheap providers?
BuyVM promises 500Gbps protection for $3/mo, whereas Vultr offers only 10Gbps protection for $10/mo. The pricing is all over the place. I would naturally assume that the quality is all over the place, too.
OVH will nullroute you in about 3 seconds if you're affecting the stability of their network. I've been hit with a very large DDoS attack before, and our host nullrouted us because the attack was causing instability for our neighbors in the rack due to the switch being flooded with too much traffic.
How long ago was this? From what I've read it seems this used to be the case, but they got their act together about it within the last couple of years. On their site they claim to offer DDoS protection bundled with their VPS offerings:
If you're using CloudFlare to protect your site against DDoS, you're essentially participating as part of a passive protection racket. "That's a pretty bold claim," you may reasonably contend. Here are the facts:
- A very large proportion (I would conservatively estimate >50%) of DDoS-for-hire sites are hosted on CloudFlare. I couldn't find a comprehensive survey of all attack service providers, but in a recent sample[1], 100% of the services were protected by CloudFlare.
- CloudFlare will not discontinue service for customers offering DDoS-for-hire services unless you are the police and bring them a court order [2].
- If you are not the police and submit a report of someone operating an illegal service behind CloudFlare, they will forward your report, unredacted, to the owner of the IP range. They will not tell you who owns it prior to forwarding the report. It is highly likely that your identifying information will be passed to the (anonymous) individual operating the attack service and that their (likely bulletproof) hosting provider will do absolutely nothing.
"Why do all of these services use CloudFlare?", you ask. One simple reason: before CloudFlare, the market of DDoS-for-hire services was somewhat self-regulating via all of the providers DDoSing each other. Since the advent of CloudFlare, though, many have used its protection to avoid attacks from the others, which has led to an increase in DDoS-for-hire services and a reduction in prices as they attempt to compete with each other. CloudFlare providing DDoS protection to these DDoS-for-hire sites therefore effectively increases the supply of such services. On top of that, "just use CloudFlare like everyone else" doesn't work for everyone -- people who don't easily fit into CloudFlare's plans (particularly people offering services via protocols other than HTTP/HTTPS) can't use it at all, while some others have to pay for a higher tier of service. It sounds pretty convenient for CloudFlare that all of these DDoS services are around (and cheap to use), doesn't it?
I don't agree at all. I think CloudFlare is almost a public utility at this point, and they should offer services to anyone and be completely blind to the content they are serving. If LEAs have a court order, then they should definitely remove them from the service but not before. This is a law enforcement problem and it should not be CloudFlare's responsibility. Banks are not generally forced to police each customer's transactions, neither should CloudFlare be forced to police their network. They are a blind intermediary and they provide an extremely valuable service.
A great deal of DDoS services are essentially MITM intermediaries. Akamai, Black Lotus and others do the same thing. Why is CloudFlare the bad guy? They have an exemplary record thus far.
The comment I replied to was about Cloudflare. But what really concerns me are the website owners who betray their users by allowing their HTTPS traffic to be MITM'd, no matter if they use Cloudflare or something else. Also it is not acceptable to let one entity (be it Cloudflare or anyone else) control a significant portion of the world's web traffic.
By never revealing the IP address of the origin. Conceal it completely behind CF. A properly configured CF setup will mean your real server IP never gets revealed ever.
Not always possible without expensive plans. For example, if you use websockets you will need a business/enterprise level plan in order to pipe through cloudflare. Non http/https services often fail to go through cloudflare as well. For example, you're gonna have to reveal origin to use ftp/sftp.
Have a separate domain that points to your real origin IP. This is how I do it. I have company.com and companyprivate.com (obviously named so it's not so obvious they are related). Company.com points to CloudFlare and companyprivate.com points directly to the origin. Nobody knows about companyprivate.com except the people who need to.
Not everyone needs websockets, and only the legitimate administrator needs to know the true IP address for ssh. Plenty of websites can be perfectly hidden behind CloudFlare as long as they don't have an MX record or unused subdomain that points to the same server.
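One way to audit your own zone for the MX-record and forgotten-subdomain leaks mentioned above, as an added example that is not from any commenter in this thread: it runs offline over constructed records for a hypothetical zone, and the Cloudflare ranges are an illustrative subset of the published list, not the full current one.

```python
import ipaddress

# Illustrative subset of Cloudflare's published proxy ranges (see cloudflare.com/ips).
# Hard-coding is only for this offline demo; a real audit should load the current list.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed records for a hypothetical zone; none of these values are real.
ZONE_RECORDS = [
    ("example.com",      "A",     "104.16.1.1"),    # proxied via Cloudflare
    ("www.example.com",  "CNAME", "example.com"),
    ("mail.example.com", "A",     "203.0.113.10"),  # mail runs on the same box as the origin
    ("example.com",      "MX",    "mail.example.com"),
    ("old.example.com",  "A",     "203.0.113.10"),  # forgotten subdomain, same box
    ("dev.example.com",  "A",     "203.0.113.25"),  # exposed, but a different host
]

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def resolve(name, records, depth=0):
    """Return the IPs a name ultimately points to, following in-zone CNAMEs (no network)."""
    if depth > 8:  # guard against CNAME loops in the sample data
        return set()
    ips = set()
    for rname, rtype, value in records:
        if rname != name:
            continue
        if rtype == "A":
            ips.add(value)
        elif rtype == "CNAME":
            ips |= resolve(value, records, depth + 1)
    return ips

def audit_zone(records, origin_ip):
    """Flag records that bypass the proxy; 'origin_leaks' are the ones exposing origin_ip."""
    exposed, origin_leaks = [], []
    for name, rtype, value in records:
        targets = set()
        if rtype == "A":
            targets = {value}
        elif rtype in ("CNAME", "MX"):
            targets = resolve(value, records)
        for ip in sorted(targets):
            if is_cloudflare(ip):
                continue  # traffic to this name still goes through the proxy
            entry = (name, rtype, ip)
            exposed.append(entry)
            if ip == origin_ip:
                origin_leaks.append(entry)
    return {"exposed": exposed, "origin_leaks": origin_leaks}
```

Run it against an export of your real zone and the current Cloudflare list; anything in `origin_leaks` should be moved to a separate host or removed, as the comment above suggests.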
>and only the legitimate administrator needs to know the true IP address for ssh
Again this is a blanket statement. I recently integrated with a service that required sftp access to function. Is this ideal? No, but if I could recreate the service efficiently I wouldn't be paying for it in the first place.
This and the websockets scenario were just two examples I can come up with from personal experience, I'm sure there are many other situations that I've never come across.
My point is that the above commenter was acting like cloudflare is a panacea for DDOS attacks.
>"A properly configured CF setup will mean your real server IP never gets revealed ever."
This makes it sound like only engineers who are inept with cloudflare are vulnerable to origin ip leaks which simply isn't true.
> Plenty of websites can be perfectly hidden behind CloudFlare as long as they don't have an MX record or unused subdomain that points to the same server.