Individual vendor review – CloudFlare
CloudFlare
| DISCLAIMER | No vendor feedback on presented data. The vendor did not respond to the research; therefore, there is some missing data and information may be inaccurate. |

Overview
CloudFlare’s motto is “we will supercharge your website”. Its service includes CDN, Web Application Firewall (WAF), DDoS mitigation, analytics, and optimization, and it has an application market with 25 providers at last count. Having said that, this report has a single objective – DDoS, and CloudFlare is reviewed here for its DDoS mitigation traits only.
CloudFlare Enterprise
Deployment & Service Options
CloudFlare’s main deployment is based on DNS diversion (Web Protection). BGP is also available to protect the origin IP, but we did not find sufficient details about the extent of its always-on option.
CloudFlare has only cloud services, with no on-premises appliance or virtual appliances available.
CloudFlare offers 86 data centers. For acceleration, this is a positive figure. It is not a direct factor in DDoS mitigation, but it can matter in that it does not impair the latency of your traffic and may even help with regulation factors.
CloudFlare caters not only to enterprises, but also to SMBs and enterprises with modest DDoS needs. It has a Business plan for only $200 monthly per site, which includes enhanced DDoS mitigation.
| Item | Notes |
| Diversion Method: DNS | CloudFlare has the basic DNS diversion methods. |
| Always-on | |
| On-demand | |
| Non-web protocols | No support in non-web protocols |
| Diversion Method: BGP | |
| Always-on | |
| On-demand | |
| Service Features | |
| SSL support – HSM | |
| Emergency response | |
| Fully managed service | CloudFlare has many POPs. This is foremost an acceleration feature, but is indirectly important for DDoS too. |
| Number of data centers | 79 (see locations) |
| Entry Level | |
| SMB plans | |
CloudFlare Deployment & Service Options
Mitigation
Reverse Proxy & Caching
As with other cloud services, CloudFlare’s first line of defense is its reverse proxy and caching. This by itself blocks many attack vectors, but not all.
Web Challenges
The second, no-less-important, line of defense is the Web Challenges. CloudFlare offers a JavaScript Challenge and NoCAPTCHA ReCAPTCHA, but does not have the basic Cookie Validation HTTP challenge. It also does not have the human investigation challenge (e.g., mouse movements) or the hard-core CAPTCHA (which is okay because it has the modern CAPTCHA). Therefore, it only partially provides the Web Challenge Spectrum.
Another annoying factor is that the CloudFlare JavaScript challenge is visible; the client can see that a CloudFlare challenge is occurring. It is not clear why the company does not make this challenge transparent like other vendors do. This might be some kind of advertisement for CloudFlare at the expense of its protected customer user experience.
CloudFlare Web Challenge
Signatures
CloudFlare’s vendor signatures are very good. Unlike other vendors, the company allows you to both see and configure the signature actions, so you know what you get. Customer signatures can be created by expressing in plain English what you want the signature to be, and CloudFlare’s support will create the signature for you. However, even then you will only be able to see the signature name and control its actions, not read its exact definition. This approach may be very convenient, but with respect to our methodology it is considered a disadvantage as opposed to the user being able to directly control the signature content.
| Item | Notes |
| Proxy / Caching | |
| Reverse Proxy | |
| Caching | In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server. |
| Web Challenges | CloudFlare Web Challenges are partial. |
| Cookie Validation | |
| JavaScript Challenge | |
| Silent Bot Detection | |
| Modern CAPTCHA | |
| CAPTCHA | |
| Signatures | |
| Vendor | |
| Customer | |
| Blacklist (BL) / Whitelist | |
| BL IP | |
| BL Geo-protection | |
| Whitelist | |
| BL URL | |
| Rate Limit | CloudFlare does not have rate-limit protection. |
| IP | |
| URL | |
| Geo-protection | |
| DNS | |
| DNS protection | |
| SCORE | 73%. Overall protection is good, but not perfect. |
CloudFlare Mitigation Coverage
Rate Limit
CloudFlare does not offer rate limiting at all! This has impacted its DDoS resiliency. Although it is true that rate limiting is no longer a first line of defense, it is still an important one. Rate limiting is an important layer of defense in stopping DDoS attacks against RESTful APIs, where web challenges commonly cannot be used.
Infrastructure Protection
The entire Infrastructure Protection (BGP) was not available for us to review.
UX & Reporting
CloudFlare’s look and feel is good. However, it is somewhat too simple for a modern cloud service, so it is hard to fall in love with it. Still, it is definitely functional and its navigation is excellent. You can easily find your way around it.
Deployment
Deployment of a new web site (DNS) is very easy. The network protection (BGP) was not available for me to review.
All the basic security configurations are very easy to accomplish.
Real-time monitoring (RTM) was not available for me to review.
Security Events
| CloudFlare does not offer email alert or syslog. |
The security events as shown on their portal are very informative and easy to review. They do not, however, send email, nor do they send syslog messages. They will call you when you are under attack and allow you to access the logs through a REST API. We assume that only a limited number of users will develop a REST client just to collect the security logs.
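What the REST-to-syslog bridge mentioned above involves, as an added example that is not part of the original report and is not CloudFlare's code: it converts a constructed JSON log response into RFC 5424 syslog lines that a SIEM can ingest. The event field names, the `ddos-bridge` app name and the `ddos@32473` structured-data ID are assumptions for illustration, not CloudFlare's actual API schema.

```python
import json

# Constructed sample of what a vendor's REST log endpoint might return.
# Field names are assumptions for illustration, not CloudFlare's real schema.
SAMPLE_RESPONSE = r'''[
 {"ts": "2024-01-01T10:15:02Z", "host": "www.example.com",
  "client_ip": "203.0.113.7", "action": "block",
  "rule": "vendor-sig-100", "uri": "/login"},
 {"ts": "2024-01-01T10:15:03Z", "host": "www.example.com",
  "client_ip": "198.51.100.23", "action": "challenge",
  "rule": "js-challenge", "uri": "/search?q=\"a]b\""}
]'''

FACILITY_LOCAL0 = 16
SEVERITY = {"block": 4, "challenge": 5}  # warning, notice; anything else is 6 (info)

def sd_escape(value):
    # RFC 5424 section 6.3.3: backslash, double quote and ']' must be escaped
    # inside a PARAM-VALUE. The URI is attacker-controlled, so this matters.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def to_syslog(event, app="ddos-bridge"):
    # PRI = facility * 8 + severity
    pri = FACILITY_LOCAL0 * 8 + SEVERITY.get(event.get("action"), 6)
    params = " ".join(f'{k}="{sd_escape(event[k])}"'
                      for k in ("client_ip", "action", "rule", "uri") if k in event)
    # 32473 is the enterprise number reserved for documentation examples
    sd = f"[ddos@32473 {params}]" if params else "-"
    msg = f'{event.get("action", "event")} {event.get("client_ip", "-")} {event.get("uri", "-")}'
    # Raw newlines in MSG would split one event into several log lines
    msg = msg.replace("\r", " ").replace("\n", " ")
    return f'<{pri}>1 {event.get("ts", "-")} {event.get("host", "-")} {app} - - {sd} {msg}'

def convert(response_text):
    return [to_syslog(e) for e in json.loads(response_text)]

if __name__ == "__main__":
    for line in convert(SAMPLE_RESPONSE):
        print(line)
```
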
Forensics
Forensics can start well with the detailed logs they provide in the portal. However, you will not be able to view a capture file, nor record a real-time capture file.
| WORTH NOTING | Vendor Signatures Visibility and Control. CloudFlare is the only vendor that offers visibility and control in its vendor signatures (signatures that the vendor provides to all customers). This visibility means that you can see the name of the signatures and understand what each one is protecting; you can also control its action. This is a white-box approach that this report positively acknowledges, as it provides the user with great value. |
Pricing
We did not receive any pricing information or a pricing model for the CloudFlare Enterprise service level.
| Item | Rating | Notes |
| Look and Feel | Good | |
| Ease-of-Navigation | Excellent | |
| Deployment | | |
| New website (DNS) | Excellent | |
| New network (BGP) | Unknown | |
| Security | | |
| Block IP | Excellent | |
| Block URL | Full Service | |
| Web Challenge | Excellent | |
| Signatures (vendor) | Excellent | CF is unique, as you can both see and control their vendor signatures. |
| Signatures (customer) | Full Service | |
| Security | | |
| Real Traffic | Unknown | |
| Blocked Traffic | Unknown | |
| Block IP | Unknown | |
| Events | | CloudFlare does not offer email alert or syslog. |
| Web logs | Excellent | |
| Call | | |
| Syslog | | |
| REST | | |
| Forensics | | DDoS forensics is the digital forensic process used to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. |
| Detailed alert | Excellent | |
| Event capture file | | |
| Score | 69% | |
CloudFlare UX & Reporting Coverage
CloudFlare Business (for SMBs)
The CloudFlare Business plan costs $200 monthly ($2,400 annually) per web site, and gives you DDoS protection with some important limitations: no phone support, no real-time monitoring and no network protection (BGP). Despite these limitations, it provides a good DDoS entry point for organizations with clear DDoS needs but without the budget for full-fledged protection.
Additional Relevant Chapters:
- Individual vendor reviews: Incapsula, F5
- Next steps – completing your evaluation

