Site owners have new choices when weighing the protection they want from distributed denial of service (DDoS) attacks that flood sites with junk traffic.
Cloudflare has dropping surge pricing, a common approach in the industry that means a customer's bill rises in line with the amount of traffic generated by an attack on their site or application.
Downtime costs money so it makes sense for a business to pay up to what it would forego in such an event, and thanks to the poorly secured routers and other IoT devices, DDoS attacks can now hit targets with traffic at over a terabit per second -- well above what most sites are equipped to handle.
Cloudflare has also used surge pricing for its DDoS protection service but now its CEO, Matthew Prince, says the practice of charging more after a large attack is “perverse”. Its new unmetered mitigation service means all -- whether they’re using the free or paid for service -- will remain protected no matter the size of an attack. It also won’t charge more if a customer is hit with a massive attack.
“Cloudflare's higher tier plans will continue to offer more sophisticated reporting, tools, and customer support to better tune our protections against whatever threats you face online. But volumetric DDoS mitigation is now officially unlimited and unmetered,” he said in a blogpost.
Until now, Cloudflare had “rough thresholds” that depended on what DDoS protection level customers opted for, according to Prince, but he says in general it tried to keep customers online unless an attack impacted other customers.
Today, Cloudflare’s network spans 150 data centers or points of presence that offer it 15 terabits per second (Tbps) DDoS mitigation capacity, which is large enough to withstand the biggest DDoS attacks without impacting other customers, Prince noted. The largest DDoS attacks on record came from the Mirai botnet in October 2016, which were powered by millions of IoT devices and hit sites with traffic recorded at rates of up to 1.2 Tbps.
The company explained the new unmetered model was enabled through network automation software, which spreads traffic across a global network of commodity hardware rather than pushing traffic to a smaller core of “exotic network hardware”. This has allowed it to do away with “scrubbing” traffic, a traditional approach to DDoS mitigation that cleans traffic on a provider’s server before forwarding it to a customer’s server.
Cloudflare’s new model comes as cloud platform giants introduce bundled DDoS protection for customers on their respective platforms. Microsoft has now launched its own DDoS protection service for Azure customers, which answers Amazon Web Services' (AWS) DDoS protection for its customers, Shield, announced in December.
Until now, Microsoft customers hosting apps on Azure needed to use third-parties, including Cloudflare, if they wanted DDoS protection. Cloudflare meanwhile has partnered with Google to expand its capacity and protect customers using Google Cloud.
Microsoft’s new service is called Azure DDoS Protection Service. It offers a “basic” level bundled at no extra cost for all web apps run out of Azure, and a more sophisticated service called “standard” level. AWS's two-tiers include the bundled “standard” and $3,000-per-year “advanced".
Both firms differentiate the levels with more data and support. Microsoft’s basic service is enabled by default and features persistent monitoring, automatic mitigation for Level 3 and Level 4 network attacks, and Level 7 protection with an application firewall. AWS similarly is enabled by default and promises to protect against Layer 3 and 4 attacks, while offering more advanced features for “standard” customers, such as real-time notifications, and investigation support. These are available for $3,000 a month for customers on at least a year contract.
The standard level for Azure allows admins to adjust protection policies and uses machine learning to tune their virtual networks over time, as well as offering event logs, alerts, and telemetry data. Microsoft profiles an Azure application’s traffic patterns to detect unusual traffic and stop attacks when they’re discovered. The service also tells the application owner when an attack is detected. It can be configured through the Azure portal and if it’s enabled on a virtual network, PowerShell too.
Microsoft hasn’t revealed pricing for the DDoS Protection service yet, but when it does reach general availability it will offer “cost protection”, which will “provide resource credits for scale out during a documented attack.” AWS’s Shield also offers “cost protection”, which offers service credits for charges due to usage spikes on AWS Elastic Load Balancing, CloudFront, and Amazon Route 53.
For now, the standard service is available in Azure’s East U.S., West U.S. and West Central U.S. regions.