DISCLAIMER |
No vendor feedback on presented data The vendor did not respond to the research; therefore, there is some missing data and information may be inaccurate. |
CloudFlare’s motto is “we will supercharge your website”. Its service includes CDN, Web Application Firewall (WAF), DDoS mitigation, analytics, and optimization, and it has an application market with 25 providers at last count. Having said that, this report has a single objective – DDoS, and CloudFlare is reviewed here for its DDoS mitigation traits only.
CloudFlare’s main deployment is based on DNS diversion (Web Protection). BGP is also available to protect the origin IP, but we did not find sufficient details about the extent of its always-on option.
CloudFlare has only cloud services, with no on-premises appliance or virtual appliances available.
CloudFlare offers 86 data centers. For acceleration, this is a positive figure. It is not a direct factor in terms of DDoS mitigation, but can be important in that it does not impair the latency of your traffic or even support better regulation factors.
CloudFlare not only caters to enterprise, but also to SMB or enterprises with modest DDoS needs. It has a Business plan for only $200 monthly per site, which includes enhanced DDoS mitigation.
![]() |
|||
---|---|---|---|
Diversion Method: DNS |
CloudFlare has the basic DNS diversion methods. | ||
Always-on
No posts could be found that matched the specified criteria. |
|||
On-demand
No posts could be found that matched the specified criteria. |
|||
Non-web protocols
No posts could be found that matched the specified criteria. |
No support in non-web protocols | ||
Diversion Method: BGPNo posts could be found that matched the specified criteria. |
|||
Always-on
No posts could be found that matched the specified criteria. |
|||
On-demand
No posts could be found that matched the specified criteria. |
|||
Service Features |
|||
SSL support – HSM
No posts could be found that matched the specified criteria. |
|||
Emergency response
No posts could be found that matched the specified criteria. |
|||
Fully managed service
No posts could be found that matched the specified criteria. |
Cloud has many POP. This is foremost an acceleration feature, but is indirectly important for DDoS too. | ||
Number of data centers
No posts could be found that matched the specified criteria. |
79 see locations |
||
Entry Level |
|||
SMB plans
No posts could be found that matched the specified criteria. |
![]() |
|||
---|---|---|---|
Diversion Method: DNS |
CloudFlare has the basic DNS diversion methods. | ||
Always-on
No posts could be found that matched the specified criteria. |
|||
On-demand
No posts could be found that matched the specified criteria. |
|||
Non-web protocols
No posts could be found that matched the specified criteria. |
No support in non-web protocols | ||
Diversion Method: BGPNo posts could be found that matched the specified criteria. |
|||
Always-on
No posts could be found that matched the specified criteria. |
|||
On-demand
No posts could be found that matched the specified criteria. |
|||
Service Features |
|||
SSL support – HSM
No posts could be found that matched the specified criteria. |
|||
Emergency response
No posts could be found that matched the specified criteria. |
|||
Fully managed service
No posts could be found that matched the specified criteria. |
Cloud has many POP. This is foremost an acceleration feature, but is indirectly important for DDoS too. | ||
Number of data centers
No posts could be found that matched the specified criteria. |
79 see locations |
||
Entry Level |
|||
SMB plans
No posts could be found that matched the specified criteria. |
Like with other cloud services, CloudFlare’s first line of defense is its reverse proxy and caching. This by itself blocks many attack vectors, but not all.
The second, no-less-important, line of defense is the Web Challenges. CloudFlare offers a Javascript Challenge and NoCAPTCHA ReCAPTCHA, but does not have the basic Cookie Validation HTTP challenge. It also does not have the human investigation challenge (e.g., mouse movements) or the hard-core CAPTCHA (which is okay because it has the modern CAPTCHA). Therefore, it only partially provides the Web Challenge Spectrum.
Another annoying factor is that the CloudFlare JavaScript challenge is visible; the client can see that a CloudFlare challenge is occurring. It is not clear why the company does not make this challenge transparent like other vendors do. This might be some kind of advertisement for CloudFlare at the expense of its protected customer user experience.
CloudFlare’s vendor signatures are very good. Unlike other vendors, the company allows you to both see and configure the signature actions, so you know what you get. Customer signatures can be created by expressing in plain English what you want the signature to be, and CloudFlare’s support will create the signature for you. However, even then you will only be able to see the signature name and control its actions, not read its exact definition. This approach may be very convenient, but with respect to our methodology it is considered a disadvantage as opposed to the user being able to directly control the signature content.
![]() |
|||
---|---|---|---|
Proxy / CachingNo posts could be found that matched the specified criteria. |
|||
Reverse Proxy
No posts could be found that matched the specified criteria. |
|||
Caching
In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||
Web Challenges
No posts could be found that matched the specified criteria. |
CloudFlare Web Challenges are partial. | ||
Cookie Validation
No posts could be found that matched the specified criteria. |
|||
JavaScript Challenge
No posts could be found that matched the specified criteria. |
|||
Silent Bot Detection
No posts could be found that matched the specified criteria. |
|||
Modern CAPTCHA
No posts could be found that matched the specified criteria. |
|||
CAPTCHA
No posts could be found that matched the specified criteria. |
CloudFlare Web Challenges are partial. | ||
Signatures
No posts could be found that matched the specified criteria. |
|||
Vendor
No posts could be found that matched the specified criteria. |
|||
Customer
No posts could be found that matched the specified criteria. |
|||
Blacklist (BL) / WhitelistNo posts could be found that matched the specified criteria. |
|||
BL IP |
|||
BL Geo-protection |
|||
Whitelist |
|||
BL URL |
|||
Rate LimitNo posts could be found that matched the specified criteria. |
CloudFlare does not have rate-limit protection. | ||
IP |
|||
URL |
|||
Geo-protection |
|||
DNS |
|||
DNS protection
No posts could be found that matched the specified criteria. |
|||
SCORE |
73% | Over protection is good, but not perfect. |
![]() |
|||
---|---|---|---|
Proxy / CachingNo posts could be found that matched the specified criteria. |
|||
Reverse Proxy
No posts could be found that matched the specified criteria. |
|||
Caching
In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||
Web Challenges
No posts could be found that matched the specified criteria. |
CloudFlare Web Challenges are partial. | ||
Cookie Validation
No posts could be found that matched the specified criteria. |
|||
JavaScript Challenge
No posts could be found that matched the specified criteria. |
|||
Silent Bot Detection
No posts could be found that matched the specified criteria. |
|||
Modern CAPTCHA
No posts could be found that matched the specified criteria. |
|||
CAPTCHA
No posts could be found that matched the specified criteria. |
CloudFlare Web Challenges are partial. | ||
Signatures
No posts could be found that matched the specified criteria. |
|||
Vendor
No posts could be found that matched the specified criteria. |
|||
Customer
No posts could be found that matched the specified criteria. |
|||
Blacklist (BL) / WhitelistNo posts could be found that matched the specified criteria. |
|||
BL IP |
|||
BL Geo-protection |
|||
Whitelist |
|||
BL URL |
|||
Rate LimitNo posts could be found that matched the specified criteria. |
CloudFlare does not have rate-limit protection. | ||
IP |
|||
URL |
|||
Geo-protection |
|||
DNS |
|||
DNS protection
No posts could be found that matched the specified criteria. |
|||
SCORE |
73% | Over protection is good, but not perfect. |
Cloud does not offer rate limit at all! This has impacted the DDoS resiliency. Although it is true that rate limit is no longer a first line of defense, it is still an important one. Rate limit is important layer of defense in stopping DDoS attacks against RESTful API, where web challenges commonly cannot be used.
The entire Infrastructure Protection (BGP) was not available for us to review.
CloudFlare’s look and feel is good. However, it is somewhat too simple for a modern cloud service, so it is hard to fall in love with it. Still, it is definitely functional and its navigation is excellent. You can easily find your way around it.
Deployment of a new web site (DNS) is very easy. It was not available for me to review the network protection (BGP).
All the basic security configurations are very easy to accomplish.
Real-time monitoring (RTM) was not available for me to review.
CloudFlare does not offer email alert or syslog. |
The security events as shown on their portal are very informative and easy to review. They do not, however, send email, nor do they send a syslog. They will call you under attack and allow you to access the logs with REST API. We assume that only a limited number of users will develop a REST client just to collect the security logs.
Forensics can start well by the detailed logs they provide in the portal. However, you will not be able to view a capture file, nor record a real-time capture file
WORTH NOTING |
Vendor Signatures Visibility and Control CloudFlare is the only vendor that offers vendor visibility and control in its vendor signatures (signatures that the vendor provides to all customers). This visibility means that you can see the name of the signatures and understand what each one is protecting; you can also control its action. This is a white-box approach that this report positively acknowledges, as it provides the user with great value. |
We did not receive any pricing information or a pricing model for the CloudFlare Enterprise service level.
![]() |
|||
---|---|---|---|
Look and Feel
No posts could be found that matched the specified criteria. |
Good | ||
Ease-of-Navigation |
Excellent | ||
Deployment |
|||
New website (DNS) |
Excellent | ||
New network (BGP) |
Unknown | ||
Security |
|||
Block IP |
Excellent | ||
Block URL |
Full Service |
||
Web Challenge
No posts could be found that matched the specified criteria. |
Excellent | ||
Signatures (vendor)
No posts could be found that matched the specified criteria. |
Excellent | CF is unique, as you can both see and control their vendor signatures. | |
Signatures (customer)
No posts could be found that matched the specified criteria. |
Full Service |
||
Security |
|||
Real Traffic |
Unknown | ||
Blocked Traffic |
Unknown | ||
Block IP |
Unknown | ||
Events |
CloudFlare does not offer email alert or syslog. | ||
Web logs |
Excellent | ||
|
|||
Call |
|||
Syslog |
|||
REST |
|||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
|||
Detailed alert |
Excellent | ||
Event capture file |
|||
Score |
69% |
![]() |
|||
---|---|---|---|
Look and Feel
No posts could be found that matched the specified criteria. |
Good | ||
Ease-of-Navigation |
Excellent | ||
Deployment |
|||
New website (DNS) |
Excellent | ||
New network (BGP) |
Unknown | ||
Security |
|||
Block IP |
Excellent | ||
Block URL |
Full Service |
||
Web Challenge
No posts could be found that matched the specified criteria. |
Excellent | ||
Signatures (vendor)
No posts could be found that matched the specified criteria. |
Excellent | CF is unique, as you can both see and control their vendor signatures. | |
Signatures (customer)
No posts could be found that matched the specified criteria. |
Full Service |
||
Security |
|||
Real Traffic |
Unknown | ||
Blocked Traffic |
Unknown | ||
Block IP |
Unknown | ||
Events |
CloudFlare does not offer email alert or syslog. | ||
Web logs |
Excellent | ||
|
|||
Call |
|||
Syslog |
|||
REST |
|||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
|||
Detailed alert |
Excellent | ||
Event capture file |
|||
Score |
69% |
The CloudFlare Business plan costs $200 monthly ($2,400 annually) per web site, and gives you DDoS protection with some important limitations: no phone support, no real-time monitoring and no network protection (BGP). Despite these limitations, it provides a good DDoS entry point for organizations with clear DDoS needs but without the budget for full-fledged protection.
Additional Relevant Chapters:
Additional Relevant Chapters:
Stay up to day with the latest DDoS news
Error: Contact form not found.