CloudFlare

DISCLAIMER No vendor feedback on presented data

The vendor did not respond to the research; therefore, there is some missing data and information may be inaccurate.

cloudflare-screen-1

Overview

CloudFlare’s motto is “we will supercharge your website”. Its service includes CDN, Web Application Firewall (WAF), DDoS mitigation, analytics, and optimization, and it has an application market with 25 providers at last count. Having said that, this report has a single objective – DDoS, and CloudFlare is reviewed here for its DDoS mitigation traits only.

CloudFlare Enterprise

Deployment & Service Options

CloudFlare’s main deployment is based on DNS diversion (Web Protection). BGP is also available to protect the origin IP, but we did not find sufficient details about the extent of its always-on option.

CloudFlare has only cloud services, with no on-premises appliance or virtual appliances available.

CloudFlare offers 86 data centers. For acceleration, this is a positive figure. It is not a direct factor in terms of DDoS mitigation, but can be important in that it does not impair the latency of your traffic or even support better regulation factors.

CloudFlare not only caters to enterprise, but also to SMB or enterprises with modest DDoS needs. It has a Business plan for only $200 monthly per site, which includes enhanced DDoS mitigation.

         

Diversion Method: DNS

CloudFlare has the basic DNS diversion methods.

Always-on

No posts could be found that matched the specified criteria.

On-demand

No posts could be found that matched the specified criteria.

Non-web protocols

No posts could be found that matched the specified criteria.

No support in non-web protocols

Diversion Method: BGP

No posts could be found that matched the specified criteria.

Always-on

No posts could be found that matched the specified criteria.

On-demand

No posts could be found that matched the specified criteria.

Service Features

SSL support – HSM

No posts could be found that matched the specified criteria.

Emergency response

No posts could be found that matched the specified criteria.

Fully managed service

No posts could be found that matched the specified criteria.

Cloud has many POP. This is foremost an acceleration feature, but is indirectly important for DDoS too.

Number of data centers

No posts could be found that matched the specified criteria.

79

see locations

Entry Level

SMB plans

No posts could be found that matched the specified criteria.

         

Diversion Method: DNS

CloudFlare has the basic DNS diversion methods.

Always-on

No posts could be found that matched the specified criteria.

On-demand

No posts could be found that matched the specified criteria.

Non-web protocols

No posts could be found that matched the specified criteria.

No support in non-web protocols

Diversion Method: BGP

No posts could be found that matched the specified criteria.

Always-on

No posts could be found that matched the specified criteria.

On-demand

No posts could be found that matched the specified criteria.

Service Features

SSL support – HSM

No posts could be found that matched the specified criteria.

Emergency response

No posts could be found that matched the specified criteria.

Fully managed service

No posts could be found that matched the specified criteria.

Cloud has many POP. This is foremost an acceleration feature, but is indirectly important for DDoS too.

Number of data centers

No posts could be found that matched the specified criteria.

79

see locations

Entry Level

SMB plans

No posts could be found that matched the specified criteria.

CloudFlare Deployment & Service Options

Mitigation

Reverse Proxy & Caching

Like with other cloud services, CloudFlare’s first line of defense is its reverse proxy and caching. This by itself blocks many attack vectors, but not all.

Web Challenges

The second, no-less-important, line of defense is the Web Challenges. CloudFlare offers a Javascript Challenge and NoCAPTCHA ReCAPTCHA, but does not have the basic Cookie Validation HTTP challenge. It also does not have the human investigation challenge (e.g., mouse movements) or the hard-core CAPTCHA (which is okay because it has the modern CAPTCHA). Therefore, it only partially provides the Web Challenge Spectrum.

Another annoying factor is that the CloudFlare JavaScript challenge is visible; the client can see that a CloudFlare challenge is occurring. It is not clear why the company does not make this challenge transparent like other vendors do. This might be some kind of advertisement for CloudFlare at the expense of its protected customer user experience.

CloudFlare Web Challenge

Signatures

CloudFlare’s vendor signatures are very good. Unlike other vendors, the company allows you to both see and configure the signature actions, so you know what you get. Customer signatures can be created by expressing in plain English what you want the signature to be, and CloudFlare’s support will create the signature for you. However, even then you will only be able to see the signature name and control its actions, not read its exact definition. This approach may be very convenient, but with respect to our methodology it is considered a disadvantage as opposed to the user being able to directly control the signature content.

         

Proxy / Caching

No posts could be found that matched the specified criteria.

Reverse Proxy

No posts could be found that matched the specified criteria.

Caching

In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more)

Web Challenges

No posts could be found that matched the specified criteria.

CloudFlare Web Challenges are partial.

Cookie Validation

No posts could be found that matched the specified criteria.

JavaScript Challenge

No posts could be found that matched the specified criteria.

Silent Bot Detection

No posts could be found that matched the specified criteria.

Modern CAPTCHA

No posts could be found that matched the specified criteria.

CAPTCHA

No posts could be found that matched the specified criteria.

CloudFlare Web Challenges are partial.

Signatures

No posts could be found that matched the specified criteria.

Vendor

No posts could be found that matched the specified criteria.

Customer

No posts could be found that matched the specified criteria.

Blacklist (BL) / Whitelist

No posts could be found that matched the specified criteria.

BL IP

BL Geo-protection

Whitelist

BL URL

Rate Limit

No posts could be found that matched the specified criteria.

CloudFlare does not have rate-limit protection.

IP

URL

Geo-protection

DNS

DNS protection

No posts could be found that matched the specified criteria.

SCORE

73% Over protection is good, but not perfect.
         

Proxy / Caching

No posts could be found that matched the specified criteria.

Reverse Proxy

No posts could be found that matched the specified criteria.

Caching

In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more)

Web Challenges

No posts could be found that matched the specified criteria.

CloudFlare Web Challenges are partial.

Cookie Validation

No posts could be found that matched the specified criteria.

JavaScript Challenge

No posts could be found that matched the specified criteria.

Silent Bot Detection

No posts could be found that matched the specified criteria.

Modern CAPTCHA

No posts could be found that matched the specified criteria.

CAPTCHA

No posts could be found that matched the specified criteria.

CloudFlare Web Challenges are partial.

Signatures

No posts could be found that matched the specified criteria.

Vendor

No posts could be found that matched the specified criteria.

Customer

No posts could be found that matched the specified criteria.

Blacklist (BL) / Whitelist

No posts could be found that matched the specified criteria.

BL IP

BL Geo-protection

Whitelist

BL URL

Rate Limit

No posts could be found that matched the specified criteria.

CloudFlare does not have rate-limit protection.

IP

URL

Geo-protection

DNS

DNS protection

No posts could be found that matched the specified criteria.

SCORE

73% Over protection is good, but not perfect.

CloudFlare Mitigation Coverage

Rate Limit

Cloud does not offer rate limit at all! This has impacted the DDoS resiliency. Although it is true that rate limit is no longer a first line of defense, it is still an important one. Rate limit is important layer of defense in stopping DDoS attacks against RESTful API, where web challenges commonly cannot be used.

Infrastructure Protection

The entire Infrastructure Protection (BGP) was not available for us to review.

UX & Reporting

CloudFlare’s look and feel is good. However, it is somewhat too simple for a modern cloud service, so it is hard to fall in love with it. Still, it is definitely functional and its navigation is excellent. You can easily find your way around it.

Deployment

Deployment of a new web site (DNS) is very easy. It was not available for me to review the network protection (BGP).

All the basic security configurations are very easy to accomplish.

Real-time monitoring (RTM) was not available for me to review.

Security Events

CloudFlare does not offer email alert or syslog.

The security events as shown on their portal are very informative and easy to review. They do not, however, send email, nor do they send a syslog. They will call you under attack and allow you to access the logs with REST API. We assume that only a limited number of users will develop a REST client just to collect the security logs.

Forensics

Forensics can start well by the detailed logs they provide in the portal. However, you will not be able to view a capture file, nor record a real-time capture file

WORTH NOTING Vendor Signatures Visibility and Control

CloudFlare is the only vendor that offers vendor visibility and control in its vendor signatures (signatures that the vendor provides to all customers). This visibility means that you can see the name of the signatures and understand what each one is protecting; you can also control its action. This is a white-box approach that this report positively acknowledges, as it provides the user with great value.

Pricing

We did not receive any pricing information or a pricing model for the CloudFlare Enterprise service level.

         

Look and Feel

No posts could be found that matched the specified criteria.

Good

Ease-of-Navigation

Excellent

Deployment

New website (DNS)

Excellent

New network (BGP)

Unknown

Security

Block IP

Excellent

Block URL

Full Service

Web Challenge

No posts could be found that matched the specified criteria.

Excellent

Signatures (vendor)

No posts could be found that matched the specified criteria.

Excellent CF is unique, as you can both see and control their vendor signatures.

Signatures (customer)

No posts could be found that matched the specified criteria.

Full Service

Security

Real Traffic

Unknown

Blocked Traffic

Unknown

Block IP

Unknown

Events

CloudFlare does not offer email alert or syslog.

Web logs

Excellent

Email

Call

Syslog

REST

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

Detailed alert

Excellent

Event capture file

Score

69%
         

Look and Feel

No posts could be found that matched the specified criteria.

Good

Ease-of-Navigation

Excellent

Deployment

New website (DNS)

Excellent

New network (BGP)

Unknown

Security

Block IP

Excellent

Block URL

Full Service

Web Challenge

No posts could be found that matched the specified criteria.

Excellent

Signatures (vendor)

No posts could be found that matched the specified criteria.

Excellent CF is unique, as you can both see and control their vendor signatures.

Signatures (customer)

No posts could be found that matched the specified criteria.

Full Service

Security

Real Traffic

Unknown

Blocked Traffic

Unknown

Block IP

Unknown

Events

CloudFlare does not offer email alert or syslog.

Web logs

Excellent

Email

Call

Syslog

REST

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

Detailed alert

Excellent

Event capture file

Score

69%

CloudFlare UX & Reporting Coverage

CloudFlare Business (for SMBs)

The CloudFlare Business plan costs $200 monthly ($2,400 annually) per web site, and gives you DDoS protection with some important limitations: no phone support, no real-time monitoring and no network protection (BGP). Despite these limitations, it provides a good DDoS entry point for organizations with clear DDoS needs but without the budget for full-fledged protection.

Additional Relevant Chapters:

Additional Relevant Chapters:


  

  

Newsletter

Stay up to day with the latest DDoS news

Error: Contact form not found.