
Cloudflare's new Rate-limiting. Beware - gopi_ar
Early this month, our devops engineer went on leave. On the same day, usage spiked on our open-source API. Disabled tokens were making 1000s of rps, causing heavy load. Not wanting to disturb our devops engineer, we tried IP blocking in CF, which didn't help because requests were coming in from 100s of IPs (probably app users).

We then saw - on the same page - CF's new rate-limiter. It seemed great, and I think it said '1 free rule'. We quickly set it up to rate limit to a few rps. This also *did not* work, because there were multiple tokens making requests from 100s of IPs. We finally ended up filtering those tokens out on NGINX.

Fast forward to yesterday when we got the bill. I don't usually open them because it's always $40/month. This time we added their LBs (they don't support session stickiness, so again, beware), so I was curious about the charge.

$876.

$90 for the LB, fine. But the clincher? $721 for the 'rate-limiter'.

Here's why we have an issue with this:

1. Rate-limiting did *not* work for us. 144 million requests passed through. 28 requests were rate-limited. 28. *(facepalm)*

2. The pricing is misleading; in the heat of things, I only remember it saying '1 free rate-limiting rule' and missed their note on usage pricing. Yes, silly of me to assume that CF would continue their claim-to-fame as the single unmetered vendor. You have to click the 'usage' link nearby and read the blog post to understand pricing.

3. No billing alerts whatsoever. When usage is over 20x of a user's monthly charge, you'd expect some form of an alert. To put this in a USD-INR context, that's ~2 months' salary for our devops guy.

We absolutely love CF and have been evangelizing them since we started using them 2 years ago. I've reached out to support and their first response was to say there'd be no refund. Let's see how this plays out. :-)

In the meantime, if you're using CF please check your usage to make sure you're not running up 20x your monthly costs.
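One way to do the per-token filtering and limiting the OP ended up with, as an added NGINX illustration (not the OP's or Cloudflare's configuration). The token values, the `api_backend` upstream, the 10r/s rate and the `Authorization: Bearer <token>` header format are assumptions.

```nginx
# Added illustration, not the OP's config. Token values, the upstream and the
# rate are placeholders; adjust the header parsing to how your API carries tokens.

# Pull the bearer token out of the Authorization header (empty if absent).
map $http_authorization $api_token {
    default                   "";
    ~^Bearer\s+(?<tok>\S+)$   $tok;
}

# Tokens you have already disabled (placeholder values).
map $api_token $token_disabled {
    default                   0;
    "tok_DISABLED_EXAMPLE_1"  1;
    "tok_DISABLED_EXAMPLE_2"  1;
}

# Key the limiter on the token, so one token spread over 100s of IPs shares a
# single bucket. nginx does not account requests whose key is empty, so fall
# back to the client address for unauthenticated requests instead of leaving
# them unlimited.
map $api_token $limit_key {
    ""       $binary_remote_addr;
    default  $api_token;
}
limit_req_zone $limit_key zone=per_token:10m rate=10r/s;

upstream api_backend {
    server 127.0.0.1:8080;   # placeholder backend
}

server {
    listen 80;

    location /api/ {
        # Reject disabled tokens before they reach the limiter or the backend.
        if ($token_disabled) {
            return 403;
        }

        limit_req zone=per_token burst=20 nodelay;
        limit_req_status 429;
        # Log limited requests at notice level so you can verify the limiter
        # is actually firing (compare with the 28-of-144M figure above).
        limit_req_log_level notice;

        proxy_pass http://api_backend;
    }
}
```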
======
gopi_ar
Interestingly, it's their 7th birthday this week and they announced 'unmetered
mitigation'.

[https://blog.cloudflare.com/unmetered-mitigation/](https://blog.cloudflare.com/unmetered-mitigation/)

"So today, on the first day of our Birthday Week celebration, we make it
official for all our customers: Cloudflare will no longer terminate customers,
regardless of the size of the DDoS attacks they receive, regardless of the
plan level they use. And, unlike the prevailing practice in the industry, we
will never jack up your bill after the attack.

Doing so, frankly, is perverse.

We call this Unmetered Mitigation. It stems from a basic idea: you shouldn't
have to pay more to be protected from bullies who try and silence you online.
Regardless of what Cloudflare plan you use — Free, Pro, Business, or
Enterprise — we will never tell you to go away or that you need to pay us more
because of the size of an attack. Cloudflare's higher tier plans will continue
to offer more sophisticated reporting, tools, and customer support to better
tune our protections against whatever threats you face online. But volumetric
DDoS mitigation is now officially unlimited and unmetered."

:-|

~~~
bradknowles
Maybe the OP can talk to them with this article in hand and see if they can
get some money back?

It never hurts to ask.

------
stephenr
I don't want to kick a guy when he's down but I think the key takeaway here is
"our devops engineer", singular.

Maybe s/he is just a developer playing at ops anyway and it wouldn't have
helped, but if there is literally one person even slightly familiar with your
infra and ops, you have a problem unless that person is Mr Data from Star Trek
and never goes on holiday, gets sick, has a night out, or heck, has a weekend.

~~~
kc10
Depends on the size of the company and how complex their infra is. Maybe the
founder can roll up his sleeves and get things done when needed. Nothing wrong
if that's what it takes for the business to survive.

~~~
johnpython
DevOps is about shared responsibility between dev and ops teams. One guy with
the title "DevOps Engineer" responsible for everything is doing it very wrong.

~~~
NetStrikeForce
Is that true for small companies, too? Does the financial department have to
be more than one person, too? What about sales? Logistics?

~~~
stephenr
Those departments aren't responsible for maintaining the infrastructure your
company relies on and customers expect to access 24x7.

Having just one person who can manage your ops is like having a single cop and
wondering why crime goes up when he's off duty.

~~~
NetStrikeForce
Some of those can be, though. Logistics definitely is...

------
gopi_ar
They refunded the 'rate-limit' charge. Phew! Thanks to @jgrahamc, their CTO,
for weighing in.

