Cloudflare CDN, WAF and DNS

Cloudflare is a global technology company that provides a wide range of internet services and security solutions. Their core offerings include:

  1. Content Delivery Network (CDN) services that help websites load faster by distributing content across a global network of data centers
  2. DDoS (Distributed Denial of Service) protection to defend websites against malicious attacks
  3. Web security features including a Web Application Firewall (WAF), SSL/TLS encryption, and bot management
  4. DNS (Domain Name System) services that help route internet traffic efficiently
  5. Zero Trust security solutions that help organizations secure their networks and applications

Cloudflare has great offerings, a strong API, and many tools. I’m not super familiar with all of Cloudflare’s offerings because I am a free user who has been using it for many years, but I was never much involved in business or enterprise deployments.

This might change in 2025, and I will be looking into Cloudflare in more detail.

Layer 3&4 vs Layer 7 DDoS

Lately, in the news, they posted about the largest DDoS attack they defended against. They notably pointed out that no human intervention was necessary. I can relate to this. But when it comes to HTTPS DDoS floods on layer 7, I still regularly have issues defending. This kind of news can easily mislead and confuse people into thinking this level of no-intervention protection should be standard. Sadly my experience is different.

On October 29, a 5.6 Tbps UDP DDoS attack launched by a Mirai-variant botnet targeted a Cloudflare Magic Transit customer, an Internet service provider (ISP) from Eastern Asia. The attack lasted only 80 seconds and originated from over 13,000 IoT devices. Detection and mitigation were fully autonomous by Cloudflare’s distributed defense systems. It required no human intervention, didn’t trigger any alerts, and didn’t cause any performance degradation. The systems worked as intended.

https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/ (2025-02-02)

https://blog.cloudflare.com/de-de/ddos-threat-report-for-2024-q4

Business ethics

Cloudflare has been in the news a few times for having questionable business practices. It’s impossible to independently verify these claims, but they are worth considering.

Risk of running on Business or Free plan

We’ve been on the Cloudflare Business plan ($250/month) for years. They suddenly contacted us and asked us to either pay them $120k up front for one year of Enterprise within 24 hours or they would take down all of our domains. While this escalated up our business we had 3 sales calls with them, trying to figure out what was happening and how to reach a reasonable contract in a week. When we told them we were also in talks with Fastly, they suddenly “purged” all our domains, causing huge downtime in our core business, sleepless nights migrating away from CF, irreparable loss in customer trust and weeks of ongoing downtime in our internal systems.

https://robindev.substack.com/p/cloudflare-took-down-our-website (2025-02-03)


Cloudflare lays off employee for missing sales target

A recent viral video showing a poorly handled layoff at Cloudflare has sparked discussion about corporate accountability in terminations. While the incident itself was problematic, CEO Matthew Prince’s response stands out from typical corporate communications. Though not perfect, his statement acknowledged the company’s failings, admitting the video was “painful to watch” and that they “don’t always get it right” – a refreshing departure from the usual corporate deflection and denial. This level of leadership accountability, despite some lingering employee blame-shifting, marks a decent first step. However, true recovery will require more than words: Cloudflare needs to demonstrate tangible changes in manager training, HR practices, and accountability measures to prevent similar incidents in the future.

https://www.linkedin.com/posts/christopherbarger_cloudflare-ceo-responds-after-video-of-employees-activity-7155174767375863808-HxOg