Cloudflare announced that it will no longer kick websites off its distributed-denial of service (DDoS) attack mitigation service if defending them affects its ability to protect its other customers. The company also reaffirmed that it won't charge websites more if they're hit by an attack.
DDoS attacks disrupt websites and online services by overwhelming them with more traffic than they can handle. These attacks have recently grown in popularity and impact for a couple of reasons. The first is that insecure Internet of Things (IoT) devices are being compromised and recruited into massive bot armies used in these attacks. The second is that groups sell DDoS attack services to anyone willing to pay for them.
Combined, that means pretty much anyone can bring down a site or service they don't want online, provided they're willing to build their own bot army or rent someone else's. We've seen it happen: Twitter, Spotify, and others were brought down when Dyn was targeted by a massive DDoS attack, and similar campaigns have caused headaches for companies like Blizzard and Square Enix by disrupting their online games and shops.
Those developments, together with new tricks like "pulse wave" DDoS attacks that affect multiple targets in rapid succession, will make attack mitigation services like Cloudflare's increasingly valuable. That means policies regarding pricing and what lengths the company will go to defend its customers will also become more important, which is why Cloudflare's announcement of unmetered mitigation is such a big deal.
Here's how Cloudflare CEO Matthew Prince explained it:
Today, on the first day of our Birthday Week celebration, we make it official for all our customers: Cloudflare will no longer terminate customers, regardless of the size of the DDoS attacks they receive, regardless of the plan level they use. And, unlike the prevailing practice in the industry, we will never jack up your bill after the attack. Doing so, frankly, is perverse.

We call this Unmetered Mitigation. It stems from a basic idea: you shouldn't have to pay more to be protected from bullies who try and silence you online. Regardless of what Cloudflare plan you use — Free, Pro, Business, or Enterprise — we will never tell you to go away or that you need to pay us more because of the size of an attack.
Prince said Cloudflare reached that decision after it realized that "our network today is at such a scale that we are able to mitigate even the largest DDoS attacks without it impacting other customers." That network handles a new DDoS attack targeting Cloudflare users every three minutes, he said, and has a total mitigation capacity of over 15 Tbps, which should be enough to stave off even large attacks.
We'll see how well Cloudflare lives up to its promises. Researchers predicted last year that we'd soon witness DDoS attacks that direct "tens of terabits" of traffic at a single target. If those attacks are coordinated well, they could potentially overwhelm Cloudflare's network despite its high mitigation capacity. For now, at least, the company's customers no longer have to worry about losing their protection at a critical moment.
So much for not showing your hand.
Now that a maximum bandwidth is known, blackhats will compete to see who can take them down the quickest for the Cloudflare Trophy.
For comparison, since 15 terabits is a bit hard to imagine:
15 terabits / 8 = 1.875 terabytes a second
Or, best case, 1875 Google gigabit fiber connections in a botnet.