

CloudFlare: A website security product accidentally makes sites 60% faster - pbreit
http://thenextweb.com/industry/2011/06/07/cloudflare-a-website-security-product-accidentally-makes-sites-60-faster/

======
moe
Perhaps someone can demystify CloudFlare for me?

Their value proposition is completely absurd ("protect websites from
hacking"), yet they're still around and get quite a bit of seemingly expensive
PR-spin like this article.

Who pays for the "accidental CDN" that, according to the article, pushes as
much traffic as the 10th largest website on the internet? Their optional
$20/mo subscription plan can't possibly cover that.

~~~
bbatsell
> Who pays for the "accidental CDN" that, according to the article, pushes as
> much traffic as the 10th largest website on the internet? Their optional
> $20/mo subscription plan can't possibly cover that.

They use VigLink to add affiliate tags to the external links of the sites that
use them.

~~~
eli
Somewhat offtopic, but why do affiliate programs go along with this? If it's a
link that was _already_ going to Amazon, then adding the tag brought in no new
business and CloudFront does not deserve a cut.

~~~
lurker14
You mean CloudFlare. CloudFront is Amazon's CDN service :-)

For Amazon at least, intercepting and tagging URLs is in violation of the
Associates agreement, and if detected Amazon will not pay these fraudulent
commission claims.

If the URLs are being tagged with the Associates account of the web page
owner, then this auto-tagging is a CMS feature, which is reasonable.

If the URLs being tagged are content created by NOT the website owners (like,
say, forum posts), then we might be back in fraud territory.

------
trotsky
I doubt I'm your target market, so feel free to ignore me, but do you have a
page that explains what you're really offering minus all the marketing hand
waving? It sounds like it might be interesting but it's difficult to wade
through the 10,000 ft view stuff.

For example, I just picked this mouseover that interested me:

 _The threat challenge page stops known threats and alerts infected humans
that they need to take action._

Is there anything that elaborates on that? From a security perspective, I'm
drawing a blank as to what a reverse proxy filter is achieving there. You're
rewriting html destined for ddos zombies?

~~~
eastdakota
If a threat is detected (either because the IP has a bad reputation, or a
request contains a malicious payload) then, depending on your security
settings, instead of the request being passed to your web server it is
answered by the proxy. The answer is a web page that, again depending on your
security settings and the type of threat, includes a CAPTCHA. If the visitor
passes the CAPTCHA then their session is marked as valid and they're allowed
to pass through the proxy unhindered.

~~~
Hisoka
Do you stop scrapers that use browsers, rotate 100 different proxies with
different C classes, and use fake headers?

~~~
eastdakota
The nature of the system is that we're seeing data across tens of thousands of
websites so we get smarter as we grow larger. We have a bird's-eye view into
overall flow patterns and can spot attacks that are very difficult to see if
you're only looking at your own logs from your own sites. For example, if the
same IP hits multiple, unrelated CloudFlare websites then it is an indication
that it is some kind of automated crawler. We can then look at whether it
comes from a known, legitimate entity (e.g., Google) and also watch its
behavior for other characteristics that indicate it may be a threat.
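
The cross-site correlation described in this comment, sketched as an added example (not CloudFlare's code and not part of the original thread). The request records, the `min_sites` threshold and the `KNOWN_CRAWLERS` allowlist are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed proxy-side request records: (client_ip, site, user_agent).
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "shop.example", "Mozilla/5.0"),
    ("192.0.2.10", "blog.example", "Mozilla/5.0"),
    ("192.0.2.10", "forum.example", "Mozilla/5.0"),
    ("192.0.2.10", "news.example", "Mozilla/5.0"),
    ("198.51.100.7", "shop.example", "Mozilla/5.0"),
    ("198.51.100.7", "shop.example", "Mozilla/5.0"),
    ("203.0.113.5", "shop.example", "ExampleBot/1.0"),
    ("203.0.113.5", "blog.example", "ExampleBot/1.0"),
    ("203.0.113.5", "forum.example", "ExampleBot/1.0"),
]

# Hypothetical allowlist of crawler addresses already verified as legitimate.
KNOWN_CRAWLERS = {"203.0.113.5"}


def single_site_view(requests, site):
    """What one site owner sees in their own logs: request count per IP."""
    return Counter(ip for ip, s, _ua in requests if s == site)


def classify_clients(requests, min_sites=3, known_crawlers=KNOWN_CRAWLERS):
    """Label each IP by how many distinct, unrelated sites it touched."""
    sites_by_ip = defaultdict(set)
    for ip, site, _ua in requests:
        sites_by_ip[ip].add(site)
    verdicts = {}
    for ip, sites in sites_by_ip.items():
        if len(sites) < min_sites:
            verdicts[ip] = "normal"            # stays within one or two sites
        elif ip in known_crawlers:
            verdicts[ip] = "known-crawler"     # broad reach, but expected
        else:
            verdicts[ip] = "suspect-automation"
    return verdicts


if __name__ == "__main__":
    print(single_site_view(SAMPLE_REQUESTS, "shop.example"))
    print(classify_clients(SAMPLE_REQUESTS))
```

In the single-site view, the address that touches four sites shows fewer requests than the ordinary repeat visitor; only the aggregated view separates them.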

~~~
Hisoka
The chances are pretty low a scraper would hit multiple unrelated Cloudflare
websites since Cloudflare is only used in very very few websites... Scrapers
usually are interested in particular websites, they don't just scrape random
sites.

What other characteristics can you detect? Can't really look at IP address,
since ISPs such as AOL use the same IP address for the same user. Can't look
at headers or referral strings since those can easily be faked. Also search
engines such as Google have been known to use non-Google IPs to check if a
site is cloaking or not. And you say you analyze the reputation of an IP - IP
addresses for users change all the time. And many scrapers do use data
farms/cloud services such as AWS, but a lot are moving to European data
servers as well, and these IP addresses are harder to get reputation for
(they're not in ARIN, etc).

------
chaud
I have been running my site through it for some time now as well as testing an
uptime monitoring script via Google App Engine someone on Reddit wrote.

If anyone is interested in the very limited data, it is at
<http://isitupordown.appspot.com/v/urbad> with "ActualServer" being the VPS
itself, and CDNCache being CloudFlare.

------
shii
Has been used by Lulzsec effectively to hold up against DDoS attacks and
popularized by them on Twitter as well. It works.

~~~
BoppreH
In CloudFlare's Features page (
<https://www.cloudflare.com/cloudflare-services.html> ), "Denial of service
attack protection" is marked as not available now or even soon.

Not sure how this stands against a DDoS.

~~~
ceejayoz
A CDN is always going to have DDoS mitigation as a side-effect.

------
Postscapes
I saw this article and took the plunge on one of my sites. It took the
standard time for the DNS to update and I was up and running shortly after. It
maintains all of your MX records, etc and I did see a jump on Google Page
Speed Score (went from 81-87) after installing.

One of the side benefits was their one click "apps" where you can install
Google Analytics, etc and manage it from one place.

I did have one question that I didn't see a clear answer for. If I am using
Amazon's Cloudfront for many of my images, how does the Pro account handle the
caching of these seemingly conflicting services?

------
timtadh
Not having heard of the service before, am I correct in characterizing this
product as a WAF (web application firewall) that also, as a consequence of its
architecture, acts as a proxy/CDN for its customers?

------
tstanley
I use cloudflare and I LOVE THEM. My site serves up tons of static content and
thought I'd offer some specs. Previously, I had been considering moving all my
static content to the rackspace CDN, but thought I'd give Cloudflare a whirl.

Since configuring with cloudflare on May 26th, I've had 26,133 page views, 368
from crawlers and 755 from bots.

Without cloudflare my average page load time is 2.66 seconds. With cloudflare
my time is 1.55 (my google pagespeed score is 97/100: <http://bit.ly/k3MDGk>)

Out of 125,183 total requests, 72,405 have been saved by cloudflare.

10GB of bandwidth has been served since that time and 4.9 has been saved.

Cloudflare makes my site 41% faster as well.

I was getting hit with a lot of exploit attacks, mainly from China, so I was
glad to see I could block by IP, IP Range and Country in their Threat control
Panel. I'm aware that's not a foolproof method but it helps.

link to my site: <http://www.alphavr.com/tours/properties/virtual/240>

------
Metapony
I think I understand how it works -- and they have an option for installing a
firewall on your server (htaccess file?) that will block any traffic that
didn't come from them. That's optional, and I'd imagine that if you didn't use
it you could be SQL injected right around this service by the attacker using
your server's IP address.

But I'm going to hook my nearlyfreespeech.net sites up and see how things
go.
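
An origin-side check for the bypass this comment describes, as an added example (not part of the original thread and not CloudFlare's tooling): it separates requests that arrived through the proxy from direct hits on the server's own address. `PROXY_RANGES` holds placeholder documentation networks, not the provider's real ranges, and the log lines are constructed.

```python
import ipaddress

# Placeholder proxy egress networks (RFC 5737 documentation ranges).
# Substitute the ranges your provider publishes; these are NOT real ones.
PROXY_RANGES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")
]

# Constructed origin access-log lines: "<peer_ip> <method> <path> <status>".
SAMPLE_LOG = """\
192.0.2.44 GET /index.html 200
198.51.100.20 GET /tours/1 200
198.51.100.200 GET /tours/2 200
203.0.113.9 POST /search 500
not-an-ip GET / 400
"""


def came_via_proxy(peer_ip, ranges=PROXY_RANGES):
    """True only if the TCP peer address lies inside a proxy network.

    Use the socket peer address, never a forwarded-for header: a client
    connecting directly to the origin can set that header to anything.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable peer: treat as not from the proxy
    return any(addr in net for net in ranges)


def direct_hits(log_text, ranges=PROXY_RANGES):
    """Return the log lines whose peer reached the origin without the proxy."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if fields and not came_via_proxy(fields[0], ranges):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in direct_hits(SAMPLE_LOG):
        print("bypassed proxy:", line)
```

The same membership test is what an origin firewall rule enforces at connection time; run over logs, it shows whether anything is already reaching the server around the proxy.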

------
lionheart
I've been using it as well and wow does it cut down on my bandwidth as well.

~~~
shii
Just wondering, how many different lionhearted-folk are there on HN?

Here's the ones I've found so far:

<http://news.ycombinator.com/user?id=lionheart>

<http://news.ycombinator.com/user?id=lionhearted>

<http://news.ycombinator.com/user?id=theli0nheart>

<http://news.ycombinator.com/user?id=ligerhearted>

Any others hiding in the woodwork that wanna show themselves?

~~~
pestaa
I doubt your nickname exposes your true identity any better. Some names are
just more common.

------
joshfraser
At Torbit, we make websites faster... intentionally. :)

<http://torbit.com>

~~~
mgarfias
Yes!

------
eli
I remember signing up for the beta of this service not really understanding
how it worked and was pretty weirded out when it asked me to point my DNS to
their server.

That's not an anti-spam product, that's hosting.

~~~
eastdakota
CloudFlare is a reverse proxy. You keep your existing hosting provider. It's
just like how Postini, MX Logic, or MessageLabs stopped email spam via a
change to DNS.

~~~
aonic
What do you guys use for your reverse proxying? Custom software with very good
on-the-fly HTML processing?

~~~
eastdakota
We use NGINX as our underlying platform, but have extensively extended it for
our purposes. We actively contribute back to the NGINX open source community
where there are developments we've made we think may be useful.

~~~
piotrSikora
Sorry, but what/how exactly are you actively contributing? Other than
yesterday's naive port of mod_pagespeed, I didn't find any of your
contributions and you make it sound like something you're doing on a regular
basis.

Don't get me wrong, I love the idea of your product from the very beginning,
but don't say that you do things when you don't.

~~~
eastdakota
Yes, one of our engineers contributed his work on a native port of
mod_pagespeed two days ago. We have made a number of other contributions along
the way as well, most of which aren't nearly as sexy as the one you pointed
out. And we'll continue to do so.

