CloudFlare

DISCLAIMER No vendor feedback on presented data
The vendor did not respond to the research; therefore, there is some missing data and information may be inaccurate.

Overview

CloudFlare’s motto is “we will supercharge your website”. Its service includes CDN, Web Application Firewall (WAF), DDoS mitigation, analytics, and optimization, and it has an application market with 25 providers at last count. Having said that, this report has a single objective, DDoS, and CloudFlare is reviewed here for its DDoS mitigation traits only.

CloudFlare Enterprise

Deployment & Service Options

CloudFlare’s main deployment is based on DNS diversion (Web Protection). BGP is also available to protect the origin IP, but we did not find sufficient details about the extent of its always-on option.

CloudFlare has only cloud services, with no on-premises appliance or virtual appliances available.

CloudFlare offers 86 data centers. For acceleration, this is a positive figure. It is not a direct factor in DDoS mitigation, but it can matter in that the diversion does not add latency to your traffic and a larger footprint can support better traffic regulation.

CloudFlare not only caters to enterprise, but also to SMB or enterprises with modest DDoS needs. It has a Business plan for only $200 monthly per site, which includes enhanced DDoS mitigation.

       

Diversion Method: DNS

CloudFlare has the basic DNS diversion methods.

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more)

On-demand

A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more)

Non-web protocols

Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network. (read more)

No support for non-web protocols

Diversion Method: BGP

Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organization’s traffic to a cloud service provider for inspection before it reaches the enterprise network. (read more)

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more)

On-demand

A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more)

Service Features

SSL support – HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. (read more)

Emergency response

A team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more)

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities. (read more)

CloudFlare has many POPs. This is foremost an acceleration feature, but it is indirectly important for DDoS mitigation too.

Number of data centers

The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on DDoS mitigation but may still act as an important decision factor. (read more)

79

Entry Level

SMB plans

DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more)

CloudFlare Deployment & Service Options

Mitigation

Reverse Proxy & Caching

Like with other cloud services, CloudFlare’s first line of defense is its reverse proxy and caching. This by itself blocks many attack vectors, but not all.

Web Challenges

The second, no-less-important, line of defense is the Web Challenges. CloudFlare offers a JavaScript Challenge and NoCAPTCHA ReCAPTCHA, but does not have the basic Cookie Validation HTTP challenge. It also does not have the human investigation challenge (e.g., mouse movements) or the hard-core CAPTCHA (which is okay because it has the modern CAPTCHA). Therefore, it only partially covers the Web Challenge spectrum.

Another annoying factor is that the CloudFlare JavaScript challenge is visible; the client can see that a CloudFlare challenge is occurring. It is not clear why the company does not make this challenge transparent like other vendors do. This might be some kind of advertisement for CloudFlare at the expense of its protected customer user experience.

CloudFlare Web Challenge

Signatures

CloudFlare’s vendor signatures are very good. Unlike other vendors, the company allows you to both see and configure the signature actions, so you know what you get. Customer signatures can be created by expressing in plain English what you want the signature to be, and CloudFlare’s support will create the signature for you. However, even then you will only be able to see the signature name and control its actions, not read its exact definition. This approach may be very convenient, but with respect to our methodology it is considered a disadvantage as opposed to the user being able to directly control the signature content.

       

Proxy / Caching

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface from the targeted server. (read more)

Reverse Proxy

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface from the targeted server. (read more)

Caching

In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server. (read more)

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

CloudFlare Web Challenges are partial.

Cookie Validation

A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back. (read more)
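The Cookie Validation challenge defined here, and noted above as the one basic challenge CloudFlare does not offer, is simple enough to show end to end. The following is an added example, not CloudFlare's code or the report's: the edge sets a signed cookie on the first request and only forwards to the origin once the client echoes it back. The secret key, cookie name, TTL and the sample client addresses are assumptions made for this example.

```python
"""
Added example (not CloudFlare's code): a minimal Cookie Validation challenge.

Flow:
  1. A client with no valid cookie gets a 302 back to the same URL with a
     signed challenge cookie set.
  2. A real browser stores the cookie and resends it; signature, expiry and
     client-IP binding are verified and the request is passed to the origin.
  3. A bot that ignores Set-Cookie loops on step 1 and never reaches the origin.
SECRET_KEY, COOKIE_NAME and COOKIE_TTL are assumptions for this example.
"""
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple

SECRET_KEY = b"rotate-me-server-side-secret"   # assumption: per-deployment secret
COOKIE_NAME = "ddos_chal"                        # assumption: arbitrary cookie name
COOKIE_TTL = 300                                 # seconds a challenge cookie stays valid


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so a client cannot forge a cookie."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(client_ip: str, now: Optional[float] = None) -> str:
    """Build a cookie value bound to the client IP and an issue timestamp."""
    ts = int(now if now is not None else time.time())
    payload = f"{client_ip}|{ts}"
    return f"{payload}|{_sign(payload)}"


def validate_cookie(value: str, client_ip: str, now: Optional[float] = None) -> bool:
    """True only if the cookie is well-formed, unexpired, bound to this IP and
    carries a valid signature (compared in constant time)."""
    now = now if now is not None else time.time()
    parts = value.split("|")
    if len(parts) != 3:
        return False
    ip, ts_str, sig = parts
    if ip != client_ip or not ts_str.isdigit():
        return False
    if now - int(ts_str) > COOKIE_TTL:
        return False
    return hmac.compare_digest(_sign(f"{ip}|{ts_str}"), sig)


def handle_request(cookies: Dict[str, str], client_ip: str,
                   now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Edge decision for one request: 200 = forward to origin,
    302 = challenge issued (a browser retries with the cookie)."""
    value = cookies.get(COOKIE_NAME)
    if value and validate_cookie(value, client_ip, now):
        return 200, {}
    fresh = issue_cookie(client_ip, now)
    return 302, {"Set-Cookie": f"{COOKIE_NAME}={fresh}; HttpOnly; Secure; SameSite=Lax",
                 "Location": "/"}


def simulate_browser(client_ip: str, now: float) -> Tuple[int, int]:
    """A cookie-honouring client: challenged once, then passed."""
    status1, hdrs = handle_request({}, client_ip, now)
    cookie_val = hdrs["Set-Cookie"].split(";")[0].split("=", 1)[1]
    status2, _ = handle_request({COOKIE_NAME: cookie_val}, client_ip, now + 1)
    return status1, status2


def simulate_bot(client_ip: str, now: float, attempts: int = 5) -> List[int]:
    """A client that never stores cookies: every attempt is re-challenged."""
    return [handle_request({}, client_ip, now + i)[0] for i in range(attempts)]


if __name__ == "__main__":
    # constructed sample addresses (RFC 5737 documentation ranges)
    print("browser:", simulate_browser("203.0.113.7", time.time()))
    print("bot:", simulate_bot("203.0.113.8", time.time()))
```

Binding the cookie to the client IP and a short TTL limits replay from a different source, and `hmac.compare_digest` keeps signature checking constant-time; a real deployment would rotate the key and accept the previous key during rollover.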

JavaScript Challenge

A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending a JavaScript code that most attackers are unable to process and pass successfully. (read more)

Silent Bot Detection

An advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard. (read more)

Modern CAPTCHA

A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA. (read more)

CAPTCHA

A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users. (read more)

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. (read more)

Vendor

Vendor signatures come in large numbers and are based on the vendor’s research.

Customer

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Blacklist (BL) / Whitelist

Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as IP address, geographical location or URL path. (read more)

BL IP

BL Geo-protection

Whitelist

BL URL

Rate Limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more)

CloudFlare does not have rate-limit protection.

IP

URL

Geo-protection

DNS

DNS protection

The technology or service in charge of protecting DNS Servers. (read more)

SCORE

73%
Overall protection is good, but not perfect.
       

CloudFlare Mitigation Coverage

Rate Limit

CloudFlare does not offer rate limiting at all. This has impacted its DDoS resiliency. Although it is true that rate limiting is no longer a first line of defense, it is still an important one. Rate limiting is an important layer of defense in stopping DDoS attacks against RESTful APIs, where web challenges commonly cannot be used.
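To make concrete what the Rate Limit feature defined earlier (each entity may not send too many transactions) adds on a RESTful API where no JavaScript or CAPTCHA challenge can be served, here is an added example, not CloudFlare's code or the report's: a sliding-window limiter keyed on client IP and URL prefix, replayed over constructed traffic. The rule values, paths and sample addresses are assumptions made for this example.

```python
"""
Added example (not CloudFlare's code): a per-entity rate limiter of the kind
this review says CloudFlare lacked. It protects an API route where a web
challenge cannot be used because the client is an API consumer, not a browser.

Design: sliding-window log per (client IP, URL prefix), longest prefix wins,
so a tight rule on /api/login overrides the broader /api/ rule.
RULES and EVENTS are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RateRule:
    path_prefix: str   # rule applies to requests whose path starts with this
    limit: int         # max requests allowed per window
    window: float      # window length in seconds


class SlidingWindowLimiter:
    def __init__(self, rules: List[RateRule]):
        # longest prefix first so /api/login is matched before /api/
        self.rules = sorted(rules, key=lambda r: len(r.path_prefix), reverse=True)
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _match(self, path: str) -> Optional[RateRule]:
        for rule in self.rules:
            if path.startswith(rule.path_prefix):
                return rule
        return None

    def allow(self, client_ip: str, path: str, now: float) -> bool:
        """Record one request and say whether it may proceed to the origin."""
        rule = self._match(path)
        if rule is None:
            return True                      # no rule: not rate limited
        q = self._hits[(client_ip, rule.path_prefix)]
        while q and now - q[0] >= rule.window:
            q.popleft()                      # evict hits outside the window
        if len(q) >= rule.limit:
            return False                     # over limit: block, don't record
        q.append(now)
        return True


def replay(events: List[Tuple[float, str, str]],
           rules: List[RateRule]) -> Dict[str, Dict[str, int]]:
    """Run (timestamp, ip, path) events through the limiter; return per-IP counts."""
    limiter = SlidingWindowLimiter(rules)
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip, path in events:
        verdict = "allowed" if limiter.allow(ip, path, ts) else "blocked"
        summary[ip][verdict] += 1
    return dict(summary)


# Constructed sample traffic: one API client at a normal pace, and one address
# hammering the login endpoint (50 requests in 5 seconds).
RULES = [RateRule("/api/", 100, 60.0), RateRule("/api/login", 5, 60.0)]
EVENTS = (
    [(float(t), "198.51.100.10", "/api/items") for t in range(0, 60, 6)]
    + [(0.5 + i * 0.1, "203.0.113.50", "/api/login") for i in range(50)]
)

if __name__ == "__main__":
    for ip, counts in replay(EVENTS, RULES).items():
        print(ip, counts)
```

Blocked requests are deliberately not recorded, so a client that backs off recovers as soon as its window slides; counting them instead would keep a misbehaving client locked out for as long as it keeps retrying, which is a valid choice for an abusive source but punishes a bursty legitimate one.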

Infrastructure Protection

The entire Infrastructure Protection (BGP) was not available for us to review.

UX & Reporting

CloudFlare’s look and feel is good. However, it is somewhat too simple for a modern cloud service, so it is hard to fall in love with it. Still, it is definitely functional and its navigation is excellent. You can easily find your way around it.

Deployment

Deployment of a new web site (DNS) is very easy. The network protection (BGP) was not available for me to review.

All the basic security configurations are very easy to accomplish.

Real-time monitoring (RTM) was not available for me to review.

Security Events

CloudFlare does not offer email alert or syslog.

The security events as shown on their portal are very informative and easy to review. They do not, however, send email, nor do they send a syslog. They will call you when you are under attack and allow you to access the logs with a REST API. We assume that only a limited number of users will develop a REST client just to collect the security logs.

Forensics

Forensics can start well from the detailed logs they provide in the portal. However, you will not be able to view a capture file, nor record a real-time capture file.

WORTH NOTING Vendor Signatures Visibility and Control
CloudFlare is the only vendor that offers visibility and control of its vendor signatures (signatures that the vendor provides to all customers). This visibility means that you can see the name of each signature and understand what it is protecting; you can also control its action. This is a white-box approach that this report positively acknowledges, as it provides the user with great value.

Pricing

We did not receive any pricing information or a pricing model for the CloudFlare Enterprise service level.

       

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more)

Good

Ease-of-Navigation

Excellent

Deployment

New website (DNS)

Excellent

New network (BGP)

Unknown

Security

Block IP

Excellent

Block URL

Full Service

Web Challenge

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

Excellent

Signatures (vendor)

Vendor signatures come in large number and are based on the vendor research.

Excellent
CF is unique, as you can both see and control their vendor signatures.

Signatures (customer)

Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it.

Full Service

Security

Real Traffic

Unknown

Blocked Traffic

Unknown

Block IP

Unknown

Events

CloudFlare does not offer email alert or syslog.

Web logs

Excellent

Email

Call

Syslog

REST

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker’s characteristics or identity.

Detailed alert

Excellent

Event capture file

Score

69%
       
CloudFlare UX & Reporting Coverage

CloudFlare Business (for SMBs)

The CloudFlare Business plan costs $200 monthly ($2,400 annually) per web site, and gives you DDoS protection with some important limitations: no phone support, no real-time monitoring and no network protection (BGP). Despite these limitations, it provides a good DDoS entry point for organizations with clear DDoS needs but without the budget for full-fledged protection.
