This was flagged to my attention and I've reviewed all the interactions between the author and our team. The site in question was using the free version of CloudFlare's service. On February 2, 2013, the site came under a substantial Layer 7 DDoS attack. While we provide basic DDoS mitigation for all customers (even those on the Free CloudFlare plan), for the mitigation of large attacks a site needs at least the Business tier of CloudFlare's service. In an effort to keep the site online, our ops team enabled I'm Under Attack Mode, which is available for Free customers and enhances DDoS protection.
The attack continued and began to affect the performance of other CloudFlare customers, at which point we routed traffic to the site away from our network. While we encouraged the site owner to take advantage of the Enterprise tier of service given their needs and traffic levels, the site would have been brought back onto CloudFlare's network if they had upgraded to the Business tier of service ($200/mo) which included Advanced DDoS mitigation.
To be clear, CloudFlare does not bill based on traffic. However, resources are not infinite and when an attack against a Free customer begins to affect the performance of other customers we will take measures to protect the overall integrity of the CloudFlare service.
Matthew Prince, CEO, CloudFlare, @eastdakota (Twitter)
I think if the $200/mo tier was officially suggested to them, they would've jumped on that (depending on how miffed they were about the outage). However, suggesting a $200/mo plan which then gets switched to a $3000/mo plan is enough justification to just leave and be done with it.
You keep calling it an attack. This was normal (growing) traffic for the site.
From the comments on the site:
"I didn't notice any "attack" when CloudFlare began to route all traffic directly to us. It looked like normal web traffic - much of it, but no more than usual."
He said; she said. A Layer 7 attack is not necessarily something one might "notice." The very nature of such an attack is "normal" looking. I think it's impossible for us to say who is right -- OP or CloudFlare -- without substantial hard-data. Ultimately, it's not the basis of the article, and the OP is looking for a different service -- unmanaged, limited-downlink bandwidth -- than what CloudFlare is looking to provide -- managed, edge network.
Regardless of whether it's an attack or not, CloudFlare's personnel did not handle this well.
Yes, I know they did offer one hell of a starter/"sweet lollipop to sucker you in" pack - but that's still not what's being discussed.
It has been re-iterated many times in this thread - but CloudFlare had a sane person on the other end that was willing to open his wallet - that's something one should act on quickly.
Keep in mind that the author's words are... his words. Perhaps he's not putting out the full story? How can you know which side is "right" on an issue such as this?
All we know is that the author ran on the free plan, and probably should have upgraded from the free plan when he started seeing his site getting large amounts of traffic.
In the end all is well, he got another service that served his purposes.
"While we encouraged the site owner to take advantage of the Enterprise tier of service given their needs and traffic levels, the site would have been brought back onto CloudFlare's network if they had upgraded to the Business tier of service ($200/mo) which included Advanced DDoS mitigation."
This reads like "We encouraged the site owner to pay 15 times more than they needed to."
Which is it, do they need the business tier, or the enterprise tier?
I've been a happy CloudFlare customer so far, but the lack of transparency in rules and pricing is concerning. You don't charge for bandwidth, but can disable sites at your discretion if it causes problems in your infrastructure? This sounds a lot like ISPs that offer "unlimited" bandwidth but start throttling you at some predetermined but unknown cap.
Was the customer contacted when these actions were taken? That seems to be the biggest issue I see. A simple email would have rectified a lot of the confusion here.
I don't get this. While it's cool that you don't charge based on bandwidth or TCP connections, it sounds like you basically do when that bandwidth is associated with an "attack".
Doesn't this make CloudFlare customers more vulnerable to attacks, since an attack will result in a monthly fine for the rest of the site's lifetime? (whereas a normal site just pays a one-time cost)