
Frickin' Awesome: CloudFlare Automatically Learns How to Stop DDoS Attacks - eastdakota
http://blog.cloudflare.com/thats-freaking-awesome-cloudflare-automatical
======
watchandwait
CloudFlare looks cool but the site does a lousy job explaining the service. I
even watched the video. I'm actually more confused than when I started...I
thought it was a cloud layer like Heroku, but you keep your current host, and
don't install anything. How does this work, is it DNS? Why is it so cheap?

~~~
eastdakota
Works via DNS. Takes about 5 minutes to sign up. Tens of thousands of sites
using the service. Currently powering more than 2,000 page views per second for
more than 100 million unique visitors per month.

~~~
pnathan
That's a pretty good ad copy there, at least for this geek.

~~~
semanticist
I disagree, it took a follow-up question to get the real answer to what it is.
(A caching reverse proxy.)

I understand that you'd never ever say the words 'caching reverse proxy' to
normal people, but if someone on HN asks 'what is this doing' you can probably
feel safe to use the technical terms.

Good ad copy, if you're aiming at geeks and only geeks, doesn't spare the
jargon.

------
Meai
This all sounds a little mysterious to me. Their FAQ promises a lot of weird
stuff, like protection against "web software vulnerability", whatever that
means. How does CloudFlare achieve "comment spam" protection? They check each
and every post request sent to my server? Isn't that going to add a lot of
overhead? Can I just say that it's hard for me to believe that CloudFlare has
enough servers and bandwidth to do that.... I don't understand the extent of
what CloudFlare is offering exactly. What kind of spam protection is that
exactly?

~~~
flam316
It blocks threats based on IP, threats which include spammers. I wouldn't
worry about how much servers or bandwidth they have... they seem to have more
than enough.

~~~
blantonl
_I wouldn't worry about how much servers or bandwidth they have... they seem
to have more than enough._

That is a very scary off-the-cuff assumption to make.

~~~
flam316
Contact them directly and maybe that will ease your worries, but based on the
amount of servers and DCs they have been adding to their network recently, I
wouldn't worry about it.

~~~
blantonl
Our business hosts off of AWS and two other hosting providers, in addition to
utilizing Cloudkick, Sendgrid, Geckoboard, Dynect, and Chartbeat.

It is my job every day to "worry" about how PAAS providers might not be able
to deliver services to my business.

We're now in contact with Cloudflare to see how we might progress, but
understand that a random posting that says "don't worry" without any
substantial background makes me worry.

------
kitcar
As this is a DNS based service, if I were a hacker, couldn't I just skip all
the protection CloudFlare offers by hardwiring the website's domain + IP in my
hosts file?

~~~
kondro
CloudFlare is actually a CDN proxy, so you could overcome this by hardwiring
your web server firewall rules to the CloudFlare platform.

~~~
kitcar
Ah, so basically use IPTables to detect if the request is originating from
CloudFlare's CDN, and if it is not redirect it via CloudFlare?

~~~
blantonl
No, you would configure your firewall to only allow requests from CloudFlare's
infrastructure.
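
[Added example, not part of the thread and not CloudFlare's own tooling: a sketch of the allowlist described in the comment above, generating iptables rules that admit web traffic to the origin only from the proxy's ranges. The ranges, the PROXY_RANGES variable and both function names are assumptions; the CIDRs are RFC 5737 documentation placeholders, not CloudFlare's real addresses.]

```shell
#!/bin/sh
# Constructed placeholder ranges (RFC 5737), one CIDR per line.
# Replace with the address list the proxy provider publishes.
PROXY_RANGES='
# proxy egress ranges (placeholders)
192.0.2.0/24
198.51.100.0/24
'

# is_cidr4 A.B.C.D/LEN : succeeds only for a well-formed IPv4 CIDR.
is_cidr4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

# gen_origin_rules : print a filter-table fragment for iptables-restore.
# Fails closed: a malformed or empty range list returns non-zero and prints
# no ruleset, so a typo cannot yield rules that drop the proxy itself.
gen_origin_rules() {
    rules=$(printf '%s\n' "$PROXY_RANGES" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        is_cidr4 "$line" || { echo "bad range: $line" >&2; exit 1; }
        echo "-A INPUT -p tcp -s $line -m multiport --dports 80,443 -j ACCEPT"
    done) || return 1
    [ -n "$rules" ] || return 1
    echo '*filter'
    echo "$rules"
    # Web traffic from any other source reached the origin around the proxy.
    echo '-A INPUT -p tcp -m multiport --dports 80,443 -j DROP'
    echo 'COMMIT'
}

# Print the ruleset for review; nothing is applied to the running firewall.
gen_origin_rules
```

[After review, the output can be loaded with `iptables-restore --noflush` so existing rules are kept. The range list has to be refreshed whenever the provider changes its published addresses, or legitimate proxied traffic will be dropped.]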

------
ay
Judging by its description (CDN-like functionality?), it might also do a great
service if it offered to dual-stack the sites that use it. Even if time before
June 8th runs short, I am sure they would get _some_ new customers because of
this.

The anti-ddos functionality is indeed pretty cool. I guess the reliable
detection of "anomaly" vs. "spike in traffic" is the secret sauce - but if
not, would be entertaining to know more about that.

------
jarin
I've been using Cloudflare since the beta, and I think I love them almost as
much as I love Apple.

~~~
gavingmiller
Their services look interesting - What specifically do you love about them?
How have they improved your site?

~~~
jarin
Very nice DNS management, faster page loads, reduced bandwidth usage and
server load, and all of the nice security features (blocking malicious
clients, XSS protection, etc). And all of it with practically no configuration
and it's free unless you need SSL (and/or more advanced security features).

Also, they pass along a country header which comes in handy if you need to
know which country a user is in without having to set up GeoIP and keep it up
to date.

Oh plus they sent me a t-shirt.

~~~
kibitzer
you sure you don't work there?

~~~
flam316
He's telling the truth; it ACTUALLY does all this stuff (including the
t-shirt, which is nice and soft :) )... and for free, too.

------
blantonl
Interesting. I attempted to sign up on CloudFlare's platform but received the
response that I must contact them directly to "use the features of CloudFlare"
for my domain. I'm interested in testing CloudFlare, but I don't feel like
having to submit a blanket request in a generic "contact us" Web form.

I wonder what the reasons are why my business is excluded from participating
from initial sign-up? We are a highly trafficked site, so on the surface it
seems to me someone might be talking to me shortly on the "up-sell" side of
things. Agh..

~~~
eastdakota
We have a limit in place for big sites (top 2,000 according to Quantcast, if I
recall correctly). Email us the site and we'll get the block lifted. Not an
upsell, just something we do to make sure we're watching carefully when big
guys come on board.

~~~
blantonl
Thanks for the quick update - understood on the methodology. We're at about
2400 on Quantcast if I recall, so I'll pop in and shoot you guys a message.

Just a quick suggestion.... you might indicate that to the requestor instead
of the generic "contact us" response. You could easily drive away someone who
might want to POC your service but then ultimately decides to move on to the
next task. And that someone could be a big guy.

Thanks again!

~~~
eastdakota
Agreed. It's a remnant from when we first launched on stage at TechCrunch
Disrupt 7 months ago. We'll get the error revised, and I'll get the
restriction lifted ASAP.

------
datums
Stop DDoS ? DoS and DDoS are 2 different animals, DoS are simple to stop.

"One of our user's site was under a denial of service (ddos) attack earlier
this week"

I like the distributed website caching for static pages. Would be interesting
to have pay for what was served model . . .

~~~
xtacy
The nice thing about distributed caches is that the closer the cache is to the
user, the lesser the traffic traversing wide-area. So, the main hosting
website wouldn't even see all that traffic!

But I guess these make sense only for static content...

~~~
flam316
You could use it for non-static content (like forums and such), people do it
and it tends to work fairly well... or so I've heard.

------
gojomo
How does it 'learn' what is illegitimate traffic? (An actual explanation
rather than just vague claims/graphs would be truly "frickin' awesome".)

What's the risk it misclassifies real surges in interest as illegitimate
traffic?

------
Uchikoma
I assume it only makes sense for US companies with US visitors? Or do they
have other locations? Latency from Europe might be too long?

~~~
eastdakota
Data centers worldwide: Hong Kong, Tokyo, Los Angeles, San Jose, Chicago, New
York, DC, and Amsterdam.

Coming soon: Singapore, Dallas, Miami, Paris, Frankfurt, and London.

~~~
Uchikoma
Thanks, sounds great, Amsterdam is good enough for Germany already I think,
I'll give the free plan a try.

