Customize settings of DDoS protection per zone

You guys should consider selling the advanced DDoS protection as an addon for other plans. It would exclude extras like the WAF, Railgun, etc but you’d get the advanced protection. It’d be great for smaller sites without a lot of resources. Maybe $50/month for the addon so small sites don’t have to pay $200/month if they get attacked. Thoughts?

Probably not that easy, as business/enterprise might be on different IPs/network segments ???

I cannot comprehend your point here. CF most likely proxies Advanced DDoS Protected traffic by something else than Free/Pro plans, which don’t have it, but I cannot understand what it has to do with being “easy” or not.
What you are saying is essentially “probably not that easy to migrate a Free account to Business”, which we all know isn’t true. Getting just Advanced DDoS Protection could be understood as “just migrate my Account to Business plan but turn off certain things”, which I believe is easy.
Advanced DDoS Protection is just a function and CF plans are “packs” of functions.

Basically each plan has certain features. The Business plan has Advanced DDoS Protection, I’m suggesting to sell it as an addon for free and pro customers without the other features of business like railgun. Thoughts?

To be fair, I was trying to reply to eva2000’s post.

Oh sorry about that. The Free/Pro plans likely have the same protection that business has for L3/L4 (Enterprise offers dedicated IP Ranges and BGP filtering), however the advanced plan also adds in extremely sophisticated HTTP Request Filtering (for example: you don’t need to buy rate limiting for your site to stay online). It wouldn’t be too hard to enable the feature as an addon :smiley:

I’m new to the Cloudflare forum and certainly no IT bof, however I get what you are saying, lunorian. I’d like to have Railgun installed, but I can’t find it in the addons, which means that for me to have Railgun I need to upgrade to business at a cost of $180.00 extra a month, totally unjustified. Cloudflare, unless there is somewhere else that I must hunt to add on Railgun at $5.00 a month (please show me where), you seriously need to re-evaluate your upgrade packages; scary the amount of business you could be throwing away due to this.

1 Like

Cloudflare Partners can deploy Railgun to any plan but I believe there was some kind of gimmick to do it and I don’t remember what it was about.

1 Like

Is Railgun automatically enabled in business and enterprise plans? What other features can be seen as advanced that you would need to enable yourself in a business and enterprise plan?

We are actually thinking of adding an Advanced DDoS add-on in the upcoming months.
Curious as to which features/capabilities are important to you.

5 Likes

It would be really great if we could threshold the number of requests coming to a zone per second/minute. After all, we want to make sure our server is not overloaded.

I have seen this in StackPath

1 Like

That is already possible

7 Likes

yup

1 Like

While you can configure rate-limiting rules, the rate-limiting is per source IP and not per attack signature. So if the attack is highly distributed, rate-limiting won’t necessarily help mitigate the entirety of the attack.

We plan to provide an option in the CF dashboard to customize the settings of our automated DDoS protection system (called dosd) per zone. The settings include the sensitivity (threshold), override actions, exclude IPs and more. I hope we’ll be able to ship this feature in the next few months.

Would love to hear more about what kind of specific capabilities you’d like to see.

7 Likes
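To illustrate the per-source-IP versus per-signature point in the post above, here is an added example (not part of the thread and not Cloudflare's code) that counts the same constructed traffic under both keys. The signature definition, window and threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque

WINDOW = 10   # seconds
LIMIT = 20    # requests allowed per key per window (constructed threshold)

def signature(req):
    # Assumed attack signature: user agent plus the order of header names.
    return (req["ua"], tuple(req["headers"]))

def over_limit(requests, key_fn, window=WINDOW, limit=LIMIT):
    """Return the keys that exceed `limit` requests inside any sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for req in sorted(requests, key=lambda r: r["ts"]):
        key = key_fn(req)
        q = recent[key]
        q.append(req["ts"])
        while q[0] <= req["ts"] - window:
            q.popleft()
        if len(q) > limit:
            flagged.add(key)
    return flagged

def sample_traffic():
    # Constructed sample: 200 sources send 3 requests each with one shared
    # signature, alongside 5 ordinary visitors sending 4 requests each.
    reqs = []
    for i in range(200):
        for j in range(3):
            reqs.append({"ts": j * 3 + i * 0.01, "ip": f"198.51.100.{i}",
                         "ua": "ExampleBot/1.0",
                         "headers": ["Host", "User-Agent", "Accept"]})
    for i in range(5):
        for j in range(4):
            reqs.append({"ts": j * 2.0, "ip": f"203.0.113.{i}",
                         "ua": f"Browser/{i}",
                         "headers": ["Host", "User-Agent", "Accept", "Cookie"]})
    return reqs

if __name__ == "__main__":
    traffic = sample_traffic()
    print("per-IP:", over_limit(traffic, lambda r: r["ip"]))
    print("per-signature:", over_limit(traffic, signature))
```

No single address crosses the per-IP limit, while the shared signature accounts for 600 requests in the same window.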

If you need people to test it :stuck_out_tongue:

5 Likes

Will definitely circle back once we have something ready for you :slight_smile:

5 Likes

Sorry for bringing this back up but you mentioned something quite interesting!

We did face some well distributed attacks in the past that were able to solve the JS challenge that was thrown and the only solution was to deliver a captcha (not cool).
Upon further investigation, I realized that the malicious requests had a different signature before and after solving the challenge.
The user agent and some other headers were the same, however, the ordering of the headers was different and the post-solving requests lacked some headers as well. Another obvious behavior (to us as humans) is that after solving the challenge these bots never requested any external resource for the page they were in (you would expect that client A asks for css and other assets if they visit a certain path).
I wonder if it’s possible to take these small details into account; I can imagine these kinds of checks being extremely expensive in real time scenarios.
Finally, the TLS signature was different as well pre and post solving the challenge, my assumption is that the attack we faced had some embedded browser that was used only to solve the challenge easily.
Note that to get this much information I had to temporarily disable Cloudflare, otherwise we are very limited to know what is really going on, at least on the non-enterprise plans when we receive an attack the main source of information we have is a sudden spike in the traffic which might not be as relevant when the attack is well distributed.

2 Likes
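The observations in the post above (header order, TLS fingerprint and missing asset requests differing before and after the challenge) can be checked offline against origin logs. The following is an added example, not part of the thread; the record fields, the `client` key, the `tls` labels and the three-page threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

ASSET_EXT = (".css", ".js", ".png", ".jpg", ".svg", ".woff2", ".ico")

def is_asset(path):
    return path.lower().endswith(ASSET_EXT)

def header_order(req):
    # Order-sensitive tuple of header names. Cookie is skipped because a
    # legitimate client gains the clearance cookie after the challenge.
    return tuple(h.lower() for h in req["headers"] if h.lower() != "cookie")

def analyze(records):
    """Map client id -> inconsistencies between pre- and post-challenge requests."""
    phases = defaultdict(lambda: {"pre": [], "post": []})
    for r in records:
        phases[r["client"]]["post" if r["cleared"] else "pre"].append(r)
    findings = {}
    for client, p in phases.items():
        # Compare page requests only: asset requests carry different headers.
        pages_pre = [r for r in p["pre"] if not is_asset(r["path"])]
        pages_post = [r for r in p["post"] if not is_asset(r["path"])]
        if not pages_pre or not pages_post:
            continue
        reasons = []
        if {header_order(r) for r in pages_pre}.isdisjoint(
                header_order(r) for r in pages_post):
            reasons.append("header-order-changed")
        if {r["tls"] for r in p["pre"]}.isdisjoint(r["tls"] for r in p["post"]):
            reasons.append("tls-fingerprint-changed")
        if len(pages_post) >= 3 and not any(is_asset(r["path"]) for r in p["post"]):
            reasons.append("no-subresources")
        if reasons:
            findings[client] = reasons
    return findings

def sample_records():
    # Constructed sample: "client" is a hypothetical per-visitor id and
    # "tls" a placeholder label standing in for a TLS fingerprint.
    browser = ["Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding"]
    tool = ["User-Agent", "Host", "Accept"]
    def rec(client, cleared, path, headers, tls):
        return {"client": client, "cleared": cleared, "path": path,
                "headers": headers, "tls": tls}
    recs = [rec("A", False, "/", browser, "tls-browser"),
            rec("A", True, "/", browser + ["Cookie"], "tls-browser"),
            rec("A", True, "/static/site.css", browser + ["Cookie"], "tls-browser"),
            rec("B", False, "/", browser, "tls-embedded")]
    recs += [rec("B", True, "/search", tool + ["Cookie"], "tls-tool") for _ in range(5)]
    return recs
```

Client A keeps one fingerprint and loads a stylesheet, so it is not reported; client B trips all three checks.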

That is interesting. I’ll bring this up with our eng team to see if they have any thoughts.

1 Like

@jnperamo can you please share the zone and when this happened? If you prefer, you can DM me or open a support ticket and provide the details there.

I’d like to share details via DM, I’m unsure if I’m allowed to open them, at a glance I’d guess that you need to send me a DM first.