CloudFlare
| DISCLAIMER |
No vendor feedback on presented data The vendor did not respond to the research; therefore, there is some missing data and information may be inaccurate. |
Overview
CloudFlare’s motto is “we will supercharge your website”. Its service includes CDN, Web Application Firewall (WAF), DDoS mitigation, analytics, and optimization, and it has an application market with 25 providers at last count. Having said that, this report has a single objective – DDoS, and CloudFlare is reviewed here for its DDoS mitigation traits only.
CloudFlare Enterprise
Deployment & Service Options
CloudFlare’s main deployment is based on DNS diversion (Web Protection). BGP is also available to protect the origin IP, but we did not find sufficient details about the extent of its always-on option.
CloudFlare has only cloud services, with no on-premises appliance or virtual appliances available.
CloudFlare offers 86 data centers. For acceleration, this is a positive figure. It is not a direct factor in terms of DDoS mitigation, but can be important in that it does not impair the latency of your traffic or even support better regulation factors.
CloudFlare not only caters to enterprise, but also to SMB or enterprises with modest DDoS needs. It has a Business plan for only $200 monthly per site, which includes enhanced DDoS mitigation.
 |
|||
|---|---|---|---|
|
Diversion Method: DNS |
CloudFlare has the basic DNS diversion methods. | ||
Always-on
A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||
On-demand
A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||
Non-web protocols
|
No support in non-web protocols | ||
Diversion Method: BGP
|
|||
Always-on
A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||
On-demand
A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||
|
Service Features |
|||
SSL support – HSM
|
|||
Emergency response
A team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more) |
|||
Fully managed service
A DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
Cloud has many POP. This is foremost an acceleration feature, but is indirectly important for DDoS too. | ||
Number of data centers
The number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) |
79 see locations |
||
|
Entry Level |
|||
SMB plans
DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more) |
|
|||
|---|---|---|---|
|
Diversion Method: DNS |
CloudFlare has the basic DNS diversion methods. | ||
Always-on
A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||
On-demand
A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||
Non-web protocols
|
No support in non-web protocols | ||
Diversion Method: BGP
|
|||
Always-on
A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||
On-demand
A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||
|
Service Features |
|||
SSL support – HSM
|
|||
Emergency response
A team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more) |
|||
Fully managed service
A DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
Cloud has many POP. This is foremost an acceleration feature, but is indirectly important for DDoS too. | ||
Number of data centers
The number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) |
79 see locations |
||
|
Entry Level |
|||
SMB plans
DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more) |
CloudFlare Deployment & Service Options
Mitigation
Reverse Proxy & Caching
Like with other cloud services, CloudFlare’s first line of defense is its reverse proxy and caching. This by itself blocks many attack vectors, but not all.
Web Challenges
The second, no-less-important, line of defense is the Web Challenges. CloudFlare offers a Javascript Challenge and NoCAPTCHA ReCAPTCHA, but does not have the basic Cookie Validation HTTP challenge. It also does not have the human investigation challenge (e.g., mouse movements) or the hard-core CAPTCHA (which is okay because it has the modern CAPTCHA). Therefore, it only partially provides the Web Challenge Spectrum.
Another annoying factor is that the CloudFlare JavaScript challenge is visible; the client can see that a CloudFlare challenge is occurring. It is not clear why the company does not make this challenge transparent like other vendors do. This might be some kind of advertisement for CloudFlare at the expense of its protected customer user experience.
CloudFlare Web Challenge
Signatures
CloudFlare’s vendor signatures are very good. Unlike other vendors, the company allows you to both see and configure the signature actions, so you know what you get. Customer signatures can be created by expressing in plain English what you want the signature to be, and CloudFlare’s support will create the signature for you. However, even then you will only be able to see the signature name and control its actions, not read its exact definition. This approach may be very convenient, but with respect to our methodology it is considered a disadvantage as opposed to the user being able to directly control the signature content.
|
|||
|---|---|---|---|
Proxy / CachingA server that receives the client’s request, and then requests it indirectly from the web server. |
|||
Reverse Proxy
A server that receives the client’s request, and then requests it indirectly from the web server. |
|||
Caching
In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||
Web Challenges
|
CloudFlare Web Challenges are partial. | ||
Cookie Validation
|
|||
JavaScript Challenge
|
|||
Silent Bot Detection
|
|||
Modern CAPTCHA
|
|||
CAPTCHA
|
CloudFlare Web Challenges are partial. | ||
Signatures
|
|||
Vendor
|
|||
Customer
|
|||
Blacklist (BL) / Whitelist
|
|||
|
BL IP |
|||
|
BL Geo-protection |
|||
|
Whitelist |
|||
|
BL URL |
|||
Rate LimitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) |
CloudFlare does not have rate-limit protection. | ||
|
IP |
|||
|
URL |
|||
|
Geo-protection |
|||
|
DNS |
|||
DNS protection
|
|||
|
SCORE |
73% | Over protection is good, but not perfect. |
|
|||
|---|---|---|---|
Proxy / CachingA server that receives the client’s request, and then requests it indirectly from the web server. |
|||
Reverse Proxy
A server that receives the client’s request, and then requests it indirectly from the web server. |
|||
Caching
In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||
Web Challenges
|
CloudFlare Web Challenges are partial. | ||
Cookie Validation
|
|||
JavaScript Challenge
|
|||
Silent Bot Detection
|
|||
Modern CAPTCHA
|
|||
CAPTCHA
|
CloudFlare Web Challenges are partial. | ||
Signatures
|
|||
Vendor
|
|||
Customer
|
|||
Blacklist (BL) / Whitelist
|
|||
|
BL IP |
|||
|
BL Geo-protection |
|||
|
Whitelist |
|||
|
BL URL |
|||
Rate LimitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) |
CloudFlare does not have rate-limit protection. | ||
|
IP |
|||
|
URL |
|||
|
Geo-protection |
|||
|
DNS |
|||
DNS protection
|
|||
|
SCORE |
73% | Over protection is good, but not perfect. |
CloudFlare Mitigation Coverage
Rate Limit
Cloud does not offer rate limit at all! This has impacted the DDoS resiliency. Although it is true that rate limit is no longer a first line of defense, it is still an important one. Rate limit is important layer of defense in stopping DDoS attacks against RESTful API, where web challenges commonly cannot be used.
Infrastructure Protection
The entire Infrastructure Protection (BGP) was not available for us to review.
UX & Reporting
CloudFlare’s look and feel is good. However, it is somewhat too simple for a modern cloud service, so it is hard to fall in love with it. Still, it is definitely functional and its navigation is excellent. You can easily find your way around it.
Deployment
Deployment of a new web site (DNS) is very easy. It was not available for me to review the network protection (BGP).
All the basic security configurations are very easy to accomplish.
Real-time monitoring (RTM) was not available for me to review.
Security Events
| CloudFlare does not offer email alert or syslog. |
The security events as shown on their portal are very informative and easy to review. They do not, however, send email, nor do they send a syslog. They will call you under attack and allow you to access the logs with REST API. We assume that only a limited number of users will develop a REST client just to collect the security logs.
Forensics
Forensics can start well by the detailed logs they provide in the portal. However, you will not be able to view a capture file, nor record a real-time capture file
| WORTH NOTING |
Vendor Signatures Visibility and Control CloudFlare is the only vendor that offers vendor visibility and control in its vendor signatures (signatures that the vendor provides to all customers). This visibility means that you can see the name of the signatures and understand what each one is protecting; you can also control its action. This is a white-box approach that this report positively acknowledges, as it provides the user with great value. |
Pricing
We did not receive any pricing information or a pricing model for the CloudFlare Enterprise service level.
|
|||
|---|---|---|---|
Look and Feel
The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) |
Good | ||
|
Ease-of-Navigation |
Excellent | ||
|
Deployment |
|||
|
New website (DNS) |
Excellent | ||
|
New network (BGP) |
Unknown | ||
|
Security |
|||
|
Block IP |
Excellent | ||
|
Block URL |
Full Service |
||
Web Challenge
|
Excellent | ||
Signatures (vendor)
|
Excellent | CF is unique, as you can both see and control their vendor signatures. | |
Signatures (customer)
|
Full Service |
||
|
Security |
|||
|
Real Traffic |
Unknown | ||
|
Blocked Traffic |
Unknown | ||
|
Block IP |
Unknown | ||
|
Events |
CloudFlare does not offer email alert or syslog. | ||
|
Web logs |
Excellent | ||
|
|
|||
|
Call |
|||
|
Syslog |
|||
|
REST |
|||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
|||
|
Detailed alert |
Excellent | ||
|
Event capture file |
|||
|
Score |
69% |
|
|||
|---|---|---|---|
Look and Feel
The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) |
Good | ||
|
Ease-of-Navigation |
Excellent | ||
|
Deployment |
|||
|
New website (DNS) |
Excellent | ||
|
New network (BGP) |
Unknown | ||
|
Security |
|||
|
Block IP |
Excellent | ||
|
Block URL |
Full Service |
||
Web Challenge
|
Excellent | ||
Signatures (vendor)
|
Excellent | CF is unique, as you can both see and control their vendor signatures. | |
Signatures (customer)
|
Full Service |
||
|
Security |
|||
|
Real Traffic |
Unknown | ||
|
Blocked Traffic |
Unknown | ||
|
Block IP |
Unknown | ||
|
Events |
CloudFlare does not offer email alert or syslog. | ||
|
Web logs |
Excellent | ||
|
|
|||
|
Call |
|||
|
Syslog |
|||
|
REST |
|||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
|||
|
Detailed alert |
Excellent | ||
|
Event capture file |
|||
|
Score |
69% |
CloudFlare UX & Reporting Coverage
CloudFlare Business (for SMBs)
The CloudFlare Business plan costs $200 monthly ($2,400 annually) per web site, and gives you DDoS protection with some important limitations: no phone support, no real-time monitoring and no network protection (BGP). Despite these limitations, it provides a good DDoS entry point for organizations with clear DDoS needs but without the budget for full-fledged protection.
Additional Relevant Chapters:
- Individual vendor reviews: Incapsula, F5
- Next steps – completing your evaluation
Additional Relevant Chapters:
- Individual vendor reviews: Incapsula, F5
- Next steps – completing your evaluation
Newsletter
Stay up to day with the latest DDoS news
Error: Contact form not found.