Cloudflare turns seven this week and it wants to give your network a present. Should your website come under Distributed Denial of Service (DDoS) attack, it will never charge you additional fees, or (and this is important) kick you off the network.
Cloudflare CEO Matthew Prince has pledged unmetered DDoS mitigation, regardless of the size of the attack and no matter what level of service you have from the free tier all the way up to the enterprise level.
As Prince explained, this is a pretty radical move by the company, but he feels like it's the right way to go and will actually help grow his business. That's because the new policy is removing a big fear companies feel in an age when DDoS attacks are becoming increasingly common occurrences and it costs a lot of money to defend against them. "A lot of folks in this space, as you get larger and larger attacks, have traditionally charged you more. This is practical because they cost more [in time and resources] to defend against," Price explained.
Typically when you have a DDoS attack, no matter which service you have been using, the vendor charges based on the network bandwidth you are using at the peak of the attack. "The trouble is that these attacks are sending 100s of gigabits of attacks per second, and the bill could be hundreds of thousands of dollars on bandwidth charges alone," Prince said.
The end result is customers often got kicked off the services before the bill got so big, and the network resources became so great. Prince says kicking people off his service "felt gross." That's partly because he was giving up on a customer but also because he was giving into the attackers and he didn't see a big difference between the attackers trying to extort money and companies like his presenting the victim with a huge bill after the attack was over.
Several years ago on the company's birthday, they made a decision to offer free encryption, a move that was highly unusual at the time. "When we turned on encryption by default and for free, people thought we were crazy, and we couldn’t pull it off. Four years later, it’s pretty much an industry standard," he said.
Prince's hope is that that his company's shift to unmetered mitigation will have a similar impact. "If you fast-forward four years from now, it could just be something that DDoS providers don’t charge more for. It will make the internet better," he said.