Cloudflare free tier DDOS protection

[Virtovo]

I've never used cloud flare before and want to take advantage of its caching and DNS features.

One thing I'm not sure of is how the free tier handles DDOS attacks?  Does it block access to websites under a DDOS attack or will it pass the DDOS through to the customer?

Thanks in advance for any answers.

 

[Kris]

Up to a certain threshold they will absorb the attack.

If you're on the free tier and it starts to affect their PoPs / gets large in side, they'll disable and pass it on to you. 

 

[Virtovo]

Up to a certain threshold they will absorb the attack.

If you're on the free tier and it starts to affect their PoPs / gets large in side, they'll disable and pass it on to you. 

That's perfect.  Just what I was looking for.  I'd prefer them to pass it on rather than just disabling.

Thanks for the advice.

 

[mojeda]

If you get attacked too many times I think they kick you out. At least that's what I've heard in the past.

 

[joepie91]

If you get attacked too many times I think they kick you out. At least that's what I've heard in the past.

I've only heard people say this in the context of "I've heard from a friend who was told by a friend of a friend...". I have yet to speak to anybody who has actually had this happen to themselves. I've gotten hit a lot in the past (on AnonNews), and I was never kicked out or even so much as warned; they just passed on traffic directly to my server for the duration of the attack (if it was a big one), every single time.

 

[splitice]

They will kick you out we have had many clients come to us regarding this.

The worst part is actually that they pass it through, it reveals your backend to the world and from then on the attacker can take you down without involving cloudflare (bypassing mitigation).

 

[Aldryic C'boas]

They will kick you out we have had many clients come to us regarding this.

The worst part is actually that they pass it through, it reveals your backend to the world and from then on the attacker can take you down without involving cloudflare (bypassing mitigation).

You're referring to their free service with that latter bit though, right?  I dunno if I would blame them for that - not really in their interest to provide protection at a loss.

 

[splitice]

Yes - Free / Pro.

 

[Aldryic C'boas]

I could see something like an upstream nullroute to hide the backend for their paying clients (like what we do)... but yeah, no reason to stick their neck out when there's no guarantee the person they'd be protecting is worth the effort >_>

Slightly offtopic.. but I see quite a few instances where a client will have filtering with us, GRE'd to another location, with Cloudflare on top of that... kudos to the guys good enough with networking to pull it off, but holy hell that becomes a fustercluck quick when trying to troubleshoot "sir why so lag" >_<

 

[Dylan]

They will kick you out we have had many clients come to us regarding this.

Kicking out -- as in no more CloudFlare at all, including DNS -- and routing directly for the duration of the attack are two very different things. They're pretty upfront about doing the latter for the free plan in case of very large attacks. That's why they don't advertise anything below Business as including DDos protection (even though in practice you generally do get it for smaller attacks).