Do I get charged for DDOS?

This is how Argo is billed; (keep reading for question)

How Argo Is Billed

  • Argo is charged per domain, so you will be billed for the amount of data transferred (both upload and download bandwidth) between Cloudflare and your visitors on each domain using Argo.
  • You will not be charged for any web traffic related to a DDoS attack or traffic that is blocked by Firewall Rules.
  • Argo is also usage-based, so each invoice reflects the prior month’s usage. For example, your September invoice will include charges for Argo usage in August.
  • To monitor the usage of Cloudflare add-ons or subscriptions, you can enable email notifications. When enabled, you will receive a notification to the billing email address on file when the traffic, queries, requests, or minutes watched exceed your desired threshold.
  • Argo billing includes charges for cache hits and requests to and responses from the Cloudflare network.

However, I was charged for the bandwidth which was clearly due to a DDOS attack. How can I say that? Because normally I usually my website use about 100-200GB of Accelerated GB’s

However, in December 2023 my website got DDOSed and the used bandwidth shot up significantly high:

And as you can see, the bandwidth went from 158GB to 783GB for the same website, which clearly means there was a unusual hike in the usage i.e. DDOS attack.

I do not understand why was I charged for bandwidth was blocked by Cloudflare’s DDOS protection + WAF rules.

I just received another invoice which has even more charge due to DDOS.

Can anyone tell me if this is how Argo tunnels are supposed to work? Or is there any issues in the charge calculation on CF’s part.

Thank you.

I have exactly the same issue. All my traffic was low except a huge spike on 30.01.2024. The problem is that there was ~23 TB which means approx 2.200 USD of unexpected charges. The attack originated mostly from USA.

Hier the traffic for the day:

the header requests:

and here the argo recording of the trafic:

Is there a way to block trafic?, like lets say use argo up to xx GB but not for spikes/attacks? I repeat this caused us 2200 USD aditional costs, I mean we do have some other protection means but if cloudflare does not react to stuff like this. We deactivate Argo currently as this cannot be controlled in any way.

Diging even deeper none of the requests reached our systems in any way. Here a link from google analitics with actually a quiet day:

Also the server side loggining did not record any unusual calls or requests, meaning only the elements existing in argo cache were targeted and no page load occured on our systems apparently. However we will continue investigating this fruther. For example the main IP from which the attacks started is . no request reached our servers , usually the other dynamic non cahced page element should come from our server and not from cache,


May I ask if you’re using a free or a paid Plan? :thinking:

Kindly, I am afraid You should reach out to Cloudflare Support directly by creating a ticket via the link to review your billing details and resolve any discrepancies. Nevertheless to provide those information and details related to the DDoS attack.

Please do so and share a ticket number here so I could escalate this.

As per my logic, argo should only route traffic if the client reaches my website. In my case, all the clients (bots) did not even reach my origin server. They were served with CF’s challenges in 99.9% cases, still I got charged for data. I have WAF, Country blocks, rate limits, everything setup and over 99% of the requests got dropped or blocked by CF and I still got charged.

My ticket is 3124108. They claim that that is exactly how argo works and I should be the one doing research before using a product. I have no clue why am I getting charged for a client’s data which did not reach to the actual website.

Support told they are rechecking the charges and I am waiting for a constructive reply.

I got DDOSed on 11th Feb, and guess what, again saw 300% increase in argo cost in 12 hours. Cloudflare Tunnel helps my website, but it hurts when someone decides to DDOS and I have to pay for it even if I have 0 logs of any clients even reaching my origin server.

All clients are served with challenges, how is argo used in this?

I am using the Pro plan

From 3 GB per day to 60 GB in a single day.

200Million requests in 2-3 hours, clearly a DDOS attack.

Thank you for sharing. I’ve escalated your ticket.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.