Cloudflare Review

Several issues with the service suggest it may be better to stay independent and handle your DDoS protection yourself.


Subscribing to Cloudflare (from its website) means pointing your domain at Cloudflare's nameservers. From then on your domain resolves to Cloudflare proxy IPs instead of your web server's own IP, and Cloudflare fetches your pages from your server (the origin) on the visitor's behalf.

Many people don't understand the issues that come with using the Cloudflare service:

Those who want to hide:

In fact, Cloudflare is used by many people who want to hide the IP of their web servers from local authorities, governments or customers. That's why the Russian government has threatened to block all websites hosted behind Cloudflare: at some point Cloudflare did not cooperate with the Russian authorities and refused to provide the real IP addresses of web servers behind Cloudflare that violated Russian law.

http://rkn.gov.ru/news/rsoc/news24880.htm

Article in English

As governments become more and more efficient at blocking websites, we may see this kind of issue come back in other parts of the world. I will not discuss the moral side of it, only the IT decision maker's point of view: if your perfectly legitimate website sits on a shared Cloudflare IP, you can be cut off by a government decision to block Cloudflare's IP ranges, which are public on the Cloudflare website.

Bad neighborhood:

Subscribing to the free Cloudflare service means your site is served from a Cloudflare IP address that many other Cloudflare customers share. It is very much like migrating your website to shared hosting: many other websites use the same IP address as you. Since the service is open to everybody, some of those websites can be spammy. In SEO, this is what we call a bad neighborhood.

You grant all powers to Cloudflare:

Since you use Cloudflare's nameservers and a Cloudflare proxy IP, Cloudflare is almighty: it can do anything. It can stop access to your website. It can slow access to your website down. Because every request passes through its proxy, it can inject code into your pages. In the past, the Smart Errors app (smarterrors) was enabled when you subscribed to Cloudflare; it replaced your 404 page with Cloudflare's own 404 page. That was the crème de la crème of power delegation: they replaced your own pages with theirs.

Also, they can see everything visitors send to your web server. The proxy terminates the visitor's TLS connection at Cloudflare's edge, so HTTPS hides the content from third parties on the path but not from Cloudflare itself. In the end, it is worse than giving your house keys to the NSA.

One more weak point:

If for some reason the Cloudflare service is down, your website is down with it. Do Cloudflare's benefits offset this plausible scenario? From time to time you will see an error 522 ("Connection timed out") served by Cloudflare when your website isn't reachable. That code means Cloudflare's edge could not open a TCP connection to your origin, so the fault is at your server or on the path between Cloudflare and it (an origin firewall that blocks Cloudflare's ranges is a common cause). Visitors only see a Cloudflare-branded page either way, and unless you test the origin directly, bypassing the proxy (for instance by pinning the hostname to the origin's IP with curl's --resolve option), you cannot tell whether the problem is at Cloudflare or at your web server.

Even if each outage is short, over a year the downtime attributable to Cloudflare can add up to something significant for an online business.

DDoS protection:

Unfortunately, Cloudflare's DDoS protection is opaque. It amounts to a drop-down menu that selects a level of protection, with no description of what each level actually does. By contrast, the anti-DDoS techniques you can apply at your own firewall are published and can be reasoned about. And, unfortunately, I have seen a website taken down by a DDoS attack even though it used Cloudflare.

The Pros:

From a technical point of view, Cloudflare is the best CDN. The IP addresses in its network have a very good reputation, and Google treats them as generic rather than tied to one country. Their free service is also pretty reliable for a free proxy.

It is also a free DNS service:

Since Cloudflare also provides DNS for free, you can take the load off your own DNS servers by delegating your domain to Cloudflare's nameservers and letting them answer in place of yours.

Conclusion:

Even though Cloudflare provides good services from a technical point of view, the issues inherent in its network model suggest it may be better to stay independent, accept a longer ping and handle your DDoS protection yourself, rather than handing everything to Cloudflare.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
4 Comments
Partner at a tech services company with 51-200 employees (Real User)

Unfortunately this review is misleading and wrong in several instances.

You do NOT get a new IP address for your server. Your server stays the same, and fully under your control. CloudFlare is essentially a CDN, just like Akamai or LimeLight. You point the DNS for your website to CloudFlare, and they provide all the performance and security features, and pull content from the Origin (your server). It's the same as every major CDN, which are used by every major website. It's not weird or scary, and you don't change your server IPs. You don't even have to change your name servers (with Business and above) you can just change your website's record to be a CNAME to a CloudFlare hostname.

The idea that people are using CloudFlare in order to hide their server IP is pretty silly. To hide it from malicious attacks maybe (that's why CloudFlare's security services are so valuable), but CloudFlare is a US company and subject to all lawful subpoenas, just like every other US based service provider. I don't speak Russian, so I can't respond to the article linked to.

The rest of the "negatives" are true for ANY CDN provider. The benefits far outweigh the risks for most websites. CDN performance gains, FEO features, DDOS protection, app integration, etc... are very valuable.

CloudFlare DDOS protection is quite good, and I believe still holds the world record for successfully absorbing the highest traffic DDOS attack on record. CloudFlare started out as a security firm, and their security and DDOS features are top notch. Saying you should mitigate DDOS yourself is just silly. Very few companies have the available bandwidth to handle and mitigate a full-scale DDOS attack.

I don't work for CloudFlare but this review appears to be full of inaccuracies and FUD.

26 May 15
Business Process Advisor for RTP at an energy/utilities company with 10,001+ employees (Real User, Popular)

1. New IP for your server:
If someone or something pings any of your domain names that use Cloudflare, they will get an IP from Cloudflare, not the IP of your server.

2. This part of your sentence is just an assumption: "they provide all the performance and security features". They don't describe their techniques to protect websites. On the other hand, with a firewall, it is always possible to explain how you protect the server. For instance, if we get 500 pings in less than 1 minute, we then discard packets from that particular IP for 30 minutes. That is the kind of rule we can code on any Linux-based server easily.

I am surprised that people trust Cloudflare from their marketing communications only. Would you trust me if I told you that I protect your house without telling you how I am going to protect your house?

3. Hiding behind cloudflare:
Since Cloudflare is also a DNS service, we only see the DNS records provided by Cloudflare. They all point to an IP from Cloudflare. Cloudflare acts as an umbrella. The real server IP is never displayed.

4. And most important:
I know of a website that has been taken down, as I said. I guess the webmaster thought his website was well protected behind Cloudflare. Unfortunately for him, the DDoS was so fierce that the web hosting company asked him to move his website off the web server. Using Cloudflare gives a false sense of protection.

IT leads: your network admin team should be solely accountable for the security of your servers. Don't delegate that to anyone. They should learn iptables, sysctl, firewalld, the Microsoft firewall...

26 May 15
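The 500-packets-per-minute rule described in the comment above, as an added example that is not the commenter's code: a sliding-window per-source limiter that bans a source for 30 minutes once it crosses the threshold, run over constructed traffic (one flooder, one normal client, both on documentation addresses). The class and function names are chosen here.

```python
"""Per-source rate limit with temporary ban, as a sliding-window simulation (added example)."""
from collections import defaultdict, deque
from typing import Dict, Iterable, Tuple


class PerSourceLimiter:
    """Drop a source for `ban_seconds` once it sends `threshold` packets inside `window_seconds`."""

    def __init__(self, threshold: int = 500, window_seconds: float = 60.0, ban_seconds: float = 1800.0):
        self.threshold = threshold
        self.window = window_seconds
        self.ban = ban_seconds
        self._recent: Dict[str, deque] = defaultdict(deque)  # src -> timestamps inside the window
        self.banned_until: Dict[str, float] = {}

    def allow(self, src: str, now: float) -> bool:
        """Return True if a packet from `src` seen at time `now` should be accepted."""
        until = self.banned_until.get(src)
        if until is not None:
            if now < until:
                return False                      # still serving the ban
            del self.banned_until[src]            # ban expired: start with a clean slate
        window = self._recent[src]
        while window and now - window[0] >= self.window:
            window.popleft()                      # forget packets older than the window
        window.append(now)
        if len(window) >= self.threshold:
            self.banned_until[src] = now + self.ban
            del self._recent[src]
            return False                          # the packet that crosses the line is dropped too
        return True


def simulate(events: Iterable[Tuple[float, str]], limiter: PerSourceLimiter) -> Dict[str, int]:
    """Feed (timestamp, source) packets in time order; return the dropped-packet count per source."""
    dropped: Dict[str, int] = defaultdict(int)
    for ts, src in sorted(events):
        if not limiter.allow(src, ts):
            dropped[src] += 1
    return dict(dropped)


# Constructed traffic (not a real capture), using documentation addresses.
FLOODER, CLIENT = "203.0.113.7", "198.51.100.9"
SAMPLE_EVENTS = (
    [(i * 0.05, FLOODER) for i in range(600)]      # 600 echo requests in 30 seconds
    + [(float(i), CLIENT) for i in range(120)]     # one request per second for two minutes
    + [(1800.0, FLOODER), (1830.0, FLOODER)]       # one probe inside the ban, one after it expires
)


def run_sample() -> Dict[str, int]:
    """Drops per source for the constructed traffic: the flooder loses packet 500 onwards plus the
    probe sent while still banned; the client is never touched."""
    return simulate(SAMPLE_EVENTS, PerSourceLimiter())


if __name__ == "__main__":
    for src, n in run_sample().items():
        print(f"{src}: {n} packets dropped")
```

On a Linux host this policy is normally expressed in the kernel rather than in user space: iptables' hashlimit match gives the per-source threshold and the recent match the temporary ban. Whatever implements it, such a rule can only drop packets that have already arrived on the server's link; it limits what the host spends on the flood, not the bandwidth the flood consumes upstream of the host.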
Partner at a tech services company with 51-200 employees (Real User)

1) Yes, the domain name for your website will resolve to a CloudFlare IP, just like any other CDN. This is not the same as changing the IP of your server. Two very different things.

2) I trust CloudFlare because I've met with, and had in depth technical discussions with their founders and many of their senior technical staff. I've also used them successfully to protect and speed up websites that run billions of dollars of eCommerce per year. Similar to how people trust Akamai, Apple, or anyone else. You can get some more info (admittedly high level, they aren't giving away their secrets publicly...) here - https://www.cloudflare.com/ddos

It doesn't matter how great a firewall you have, Cisco, F5, etc... or how amazing your firewall rules and IDS/IPS tools are, if your upstream internet connection is saturated by the attacking traffic. CloudFlare's ability to mitigate large scale DDOS attacks cannot be matched by iptables or Cisco firewalls unless you're attached to multiple 10 GB dedicated providers...

3) Correct. This is also true of every CDN. This isn't nefarious, this is how CDNs work. Also by protecting the origin IP, that prevents people from trying to attack your Origin, going around the CDN.

4) Can you provide details or a source for this? Did your friend engage CloudFlare and get assistance or an explanation? Right now this is just an unverifiable anecdote. Whereas CloudFlare successfully mitigating the world's largest DDOS is verifiable and written about in many places, including here - https://support.cloudflare.com/hc/en-us/articles/200170216-How-large-of-a-DDoS-attack-can-CloudFlare-handle-

What website do you run without a CDN, solely protected by iptables, with no CDN performance gains?

26 May 15
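As an added example that is not from the review, the commenters or Cloudflare, the following Python script makes two of the points above concrete: the review's remark that Cloudflare's IP ranges are public, so anyone can tell whether a name resolves to Cloudflare rather than to the real server, and the comment above that hiding the origin IP only helps if the origin cannot be reached by going around the CDN. The embedded range list is a snapshot of the IPv4 ranges published at https://www.cloudflare.com/ips/ (it changes; refresh it before use), the DNS answers and log lines are constructed, and behind_cloudflare, direct_origin_hits and origin_allowlist_rules are names chosen here.

```python
"""Recognize Cloudflare proxy addresses and fence the origin behind them (added example)."""
import ipaddress
from typing import Iterable, List

# Snapshot of Cloudflare's published IPv4 proxy ranges (https://www.cloudflare.com/ips/),
# embedded so the script runs offline. The list changes over time: refresh it from that
# page before relying on it, and add the IPv6 ranges if the origin also listens on IPv6.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if `ip` falls inside one of the published Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def behind_cloudflare(a_records: Iterable[str]) -> bool:
    """True if every A record handed in points at Cloudflare, i.e. the name is proxied.

    The caller supplies the resolved addresses (for example the output of `dig +short A host`);
    a name with a mix of Cloudflare and non-Cloudflare records is reported as not fully hidden.
    """
    records = list(a_records)
    return bool(records) and all(is_cloudflare_ip(r) for r in records)


def direct_origin_hits(origin_log: Iterable[str]) -> List[str]:
    """Source IPs that reached the origin without passing through Cloudflare.

    Takes Common Log Format lines (the source address is the first field). Anything not from a
    Cloudflare range came around the CDN and should have been dropped by the origin firewall.
    """
    bypass: List[str] = []
    for line in origin_log:
        src = line.split(" ", 1)[0]
        if src and not is_cloudflare_ip(src) and src not in bypass:
            bypass.append(src)
    return bypass


def origin_allowlist_rules(ports: Iterable[int] = (80, 443)) -> List[str]:
    """iptables commands that accept the web ports only from Cloudflare and drop everything else."""
    port_list = ",".join(str(p) for p in ports)
    rules = [
        f"iptables -A INPUT -p tcp -m multiport --dports {port_list} -s {net} -j ACCEPT"
        for net in CLOUDFLARE_IPV4
    ]
    rules.append(f"iptables -A INPUT -p tcp -m multiport --dports {port_list} -j DROP")
    return rules


# Constructed sample data (documentation addresses; not real DNS answers or log lines).
SAMPLE_A_RECORDS = ["104.16.12.34", "104.16.13.34"]
SAMPLE_ORIGIN_LOG = [
    '172.64.10.5 - - [26/May/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.10 - - [26/May/2015:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1024',
    '162.158.3.9 - - [26/May/2015:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048',
    '203.0.113.10 - - [26/May/2015:10:00:04 +0000] "GET /xmlrpc.php HTTP/1.1" 405 128',
]

if __name__ == "__main__":
    print("proxied:", behind_cloudflare(SAMPLE_A_RECORDS))
    print("bypass sources:", direct_origin_hits(SAMPLE_ORIGIN_LOG))
    print("\n".join(origin_allowlist_rules()))
```

Two caveats belong with the allowlist. It only helps against attackers who have learned the origin IP from somewhere (an unproxied subdomain, mail headers, DNS history from before the move to Cloudflare); it does not stop them learning it. And it must be refreshed whenever Cloudflare publishes new ranges: traffic from a range missing in the list is dropped at the origin, which is exactly the 522 error the review describes.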
Regional Account Manager - Technology Evangelist at a tech vendor with 51-200 employees (Real User, Top 10)

Devon, thank you for the great insight and facts.

-MG

03 December 15