Network cables in a server room (Michael Bocchieri/Getty Images)

Cloudflare Stops Charging More for Bigger DDoS Attacks

Compares “surge pricing” commensurate with attack size to vendor extortion

One year ago, security researcher and blogger Brian Krebs was hit by a massive DDoS attack, so big that his host booted him off their network.

While the attack against Krebs reportedly set records for its size, large denial of service attacks are becoming more and more frequent. And they cost money to defend against.

DDoS protection vendors typically charge extra when there's a really big attack, said Matthew Prince, CEO at Cloudflare, which provides DDoS protection services among other things.

"It's kind of the equivalent of Uber's surge pricing," he said. "That has always made us very uncomfortable. It's kind of gross if you are charging someone more in their time of greatest need."

According to Deloitte Global, DDoS attacks are becoming larger in scale, harder to mitigate, and more frequent.

From 2013 to 2016, the largest of them grew from 300 to 500 gigabits per second. Last year, there were two attacks that crossed the 1 terabit-per-second threshold.

If you don’t know what Cloudflare does but the name sounds familiar, it’s because the company was in the news recently, after Prince made a controversial decision to discontinue providing services to the white-supremacist website the Daily Stormer, raising questions about the extent to which companies that provide internet infrastructure services should control internet content.

Many DDoS attacks are extortion attacks, Prince said, where the victim is asked to pay up to get the attack to stop.

"There's not much difference if the extortion is coming from your attacker or coming from your vendor," he said.

So, this morning, Cloudflare announced a new, unlimited pricing model.

"No matter how large of an attack you receive, no matter your plan -- whether it's a free plan or a high-end plan -- we won't charge you more," he said. "We guarantee that your price will never go up."

The reason that Cloudflare is able to do this, even for its free-tier users, is that its network has gotten so large that it can handle the capacity, Prince said.

Cloudflare has a presence in 117 cities around the world and the capacity to handle more than 15 terabits per second.

"That's more than the publicly announced capacity of all our competitors combined," he said. "We sit in front of 10 percent of all internet requests today and have nearly 10 million customers."

That's more than 10 trillion requests per month, the company said, with a new DDoS attack blocked every three minutes.

Cloudflare also works with intermediaries to stop attacks close to their source, reducing the burden on internet service providers and speeding up internet connections around the planet.

The scale of the platform makes it possible for the company to offer unlimited DDoS protection for even the smallest sites.

"One of the reasons we provide the free version of the service is that Cloudflare acts at some level as an immune system for the internet," Prince said. "When we see an attack against any of our customers, it helps us protect everyone else. It can help inform the protection against much larger customers, some of which pay us millions of dollars a year to protect their infrastructure."

Prince said he expects that unlimited protection will soon become the industry standard.

"We'll have an opportunity to make DDoS attacks go the way of spam email," he said. "We'll make it something you don't have to think about much anymore."
