What is the difference in the Cloudflare rate limiting feature on free vs paid accounts?

I am new to Cloudflare and I have a few questions about Cloudflare, but I did not get a clear answer on the internet and Stack Overflow. The link to my question is mentioned below -

Please suggest. Thank you!

I replied there.

A DDoS attack and rate-limiting are two completely different things; they can be complementary, but one does not exclude the other.

The DDoS attack is usually (especially for the free plans) only for specific types of attacks, where the traffic is identifiably bad and often simply trying to consume your resources without expecting a response.

Rate-limiting on the other hand can be used for limiting the querying ability by specific users, for whatever reason (be it computation time, login protection, API resource management, etc.). These queries are possibly benign and/or valid, which won’t trigger the DDoS protection (immediately at least, it may obviously).

So if I don’t buy this add-on, how will they charge per request, good or bad?

They say they protect users from DDoS attacks even on a free plan, so what is the point of buying the rate-limiting feature? Is there a limit to requests/bandwidth for free plan users?

They don’t charge per request or bandwidth because they don’t rate limit (up to extreme cases where they will force the website to bypass Cloudflare’s proxy if there is impact on the network as a whole, which are very extreme and for the almost totality of users of the free plan are out of reach) normally. If you want to rate-limit an endpoint then you buy the add-on (with the possibility of paying after the initial 10k good reqs/month per account).

Note that the higher the plan, the lower the time intervals you can set: the free plan has a higher interval than Pro, which is higher than Business.

More info: https://www.cloudflare.com/rate-limiting/
