by ignoramous 841 days ago
> Cloudflare's ddos protection

Yeah, we got hammered once with over 10TB/mo and noped out of Netlify as fast as we could: https://twitter.com/rethinkdns/status/1370342245841342466 Had to pay the bill in full.

Cloudflare's free tier is ridiculous: We do over 30TB+ of genuine traffic for $0. Makes it hard to move to any other platform. As a small tech shop, this is my Hotel California I'm happy to never leave.

6 comments

CloudFlare pricing is indeed positively ridiculous.

At OpenTofu[0] we’re using CloudFlare R2 to host the providers and modules registry[1]. Bandwidth is free, you only pay for requests.

This already would be great, but there’s more - you only pay for requests that actually hit R2. So with an almost 100% cache hit ratio, we barely register any billable requests.

Recently someone decided to load test us and generated ~1TB of traffic over 1-3 days. All but a few of these requests were cached, so the whole situation probably cost us less than a cent.

[0]: https://opentofu.org

[1]: https://github.com/opentofu/registry

Is this in line with the TOS? I thought there were restrictions on serving non-website content in the free tier, or does that not apply to the CDN if you're using R2 as an origin?

They updated the TOS to enable proxying R2 via the CDN with cache enabled: https://blog.cloudflare.com/updated-tos
> R2 as an origin

We front our distribution service with Cloudflare Workers fronting R2 fronting S3 / Lightsail Object Store (https://blog.cloudflare.com/cloudflare-r2-super-slurper/). That brought our costs down from $500 to $2 serving the same amount of traffic.

> Cloudflare's free tier is ridiculous: We do over 30TB+ of genuine traffic for $0. Makes it hard to move to any other platform. As a small tech shop, this is my Hotel California I'm happy to never leave.

Yeah that's how Cloudflare can reach total control over the Internet. With thunderous applause by people that should know better.

I know that my position is outright blasphemous in this day and age, where even self-hosting a static site has become black magic and we need a third party to do it for us.

I don't understand this take. First of all, moving off of Cloudflare is trivial if you really have an alternative. Second of all, self-hosting a static website is easy, but that's not what we're talking about here. We're talking about DDoS mitigation, which is not gonna be solved over a weekend hack with a load balancer. At least, not at the scale that matters.

What would the Cloudflare going evil phase even look like? Is it anything like Netlify charging me 100k because they don't provide ANY DDoS protection? I don't see any FOSS tools preventing this problem.

You mean that all the people on HN that use Cloudflare's very generous free tier are at risk of DDOS?

Of course there is a benefit to selling your soul to the devil, what's the bloody point otherwise? I do not need to hear all the good things the devil got you, I am telling you that it is silly that "go Cloudflare" is the default advice in any situation because we have become lazy and complacent and we do not really care that we give the keys to the internet to one company.

The Internet gets shittier because people are lazy, and I need better arguments for being complicit in this than "I need DDoS protection for my 100-visitor-a-month blog."

> You mean that all the people on HN that use Cloudflare's very generous free tier are at risk of DDOS?

Yes? That's what this story is about. A random small website incurred a 100k charge because someone had the boredom to DDOS them today. Do you think you're not at risk?

> The Internet gets shittier because people are lazy, and I need better arguments to being complicit to this than "I need DDoS protection for my 100-visitor a month blog."

Gonna need you to explain the mechanism here. Because my argument is that Cloudflare is not the devil no matter how much you say it, and that using their service doesn't give them any keys.

What exactly are people lazy about and what are you doing alternatively that makes you different? Just not using Cloudflare? Because that's like not using condoms because you don't want to support a condom monopoly.

That's not CloudFlare's fault.
I dread the day they go evil
> Yeah that's how Cloudflare can reach total control over the Internet. With thunderous applause by people that should know better.

This is an emotionally-manipulative, anti-intellectual comment that certainly does not belong on HN. There's no intellectual curiosity or value in this comment - just scoffing, predictions of doom, manipulative statements like "I know that my position is outright blasphemous in this day and age", and other drivel that belongs on Reddit, not here.

That’s a free tier that doesn’t sound sustainable then, so that raises alarm bells to me.
That's because amazon and big telecom convinced you that bandwidth is expensive. It isn't. Once the equipment is there, you might as well use it.
Well, they have to pay for the amortized equipment cost. Which, yes, is much less than you think. The big 3 clouds have set their prices in an age when services were much more expensive to provide, and they make a big deal out of the fact they've never raised their prices - but they rarely lower them, either. Now they have insane profit margins.

The invisible hand of the free market has come to fix that, *but you have to opt into the hand by shopping around.* If you don't, you don't get its benefits! You have to willingly take the choice to move to cheaper providers instead of overpriced ones.

Hetzner Cloud: $1/TB (20TB free)
Digital Ocean: $10/TB (few TB free depending on server size)
AWS: $90/TB (0.1TB free, used to be 0.001TB free)
Netlify: $550/TB (0.1TB or 1TB free)

If you move up from $5/month VPSes, to real dedicated servers, you are now spending a lot more money and therefore you get more free perks. A huge number of providers exist that will give you unlimited or unlimited† bandwidth depending on how much you spend. Renting a powerful server with unlimited 1Gbps should cost a few hundred to several hundred dollars per month, and a powerful server with unlimited 10Gbps (i.e. 3000TB/month) should cost a few thousand dollars per month. You can even get some with 100Gbps (for tens of thousands).

Also consider asking your local ISPs and datacenters. If you live in a central area, you can probably get a comparable connection to a nearby datacenter if not straight to your office, for a comparable price. Data center connections are their bread and butter and they should be able to give you a quote quite rapidly; to your office will be a more custom thing.

Recently I got a quote for AMS-IX peering in Berlin, i.e. a peering in Amsterdam plus a link from Amsterdam to Berlin, about a 600km distance. That would cost 950 euros per month. If 1Gbps, it would cost 300 euros per month. Even though it's not really got anything to do with internet access (transit), I include this number to give some indication of the "true" cost of "raw" bandwidth.

> Now they have insane profit margins.

"your margin is my opportunity"

Wouldn't there be at least a handful of competitors if the economics worked out that way?
A good number of small hosts offer very cheap bandwidth compared to AWS. With Cloudflare’s economy of scale, their costs should be even lower. You only need a ~100Mbps link to serve 30TB/mo, which would cost them ~$10, maybe less.

They’ve written about it before: https://blog.cloudflare.com/aws-egregious-egress

There are tons, the big providers like AWS, GCS, etc are really the only ones who charge ridiculous amounts for bandwidth and everything else.

Those big providers have pretty much normalized high fees and convinced people that's what it costs, the reality is any normal provider like Hetzner for example gives you tons of bandwidth for essentially zero cost included with your servers.

A good data center can sell you a sustained 10Gbps for, and I’m guessing at going rate, but like 4-7k a month? If you’re making a commitment cheaper, and that’s basically a retail pipe for someone in a colocated facility.

For larger providers, bandwidth cost drops tremendously, especially if you’re well connected as transit is much cheaper and if you are really large or a network provider you may even be routing between your own facilities or in some cases from one customer to another and every large scale isp is going to want a “direct link” to your facility (a peering relationship). Those costs are astronomically small at scale for bandwidth.

The ISP or similar then turns around and sells a sustained network throughput as GB transferred, which isn't how wholesale bandwidth is sold at all. So they get to charge for the data the pipe moves while they only pay for the connection itself; the markup added to this process is considerable.

For someone operating a global CDN, which is basically what they do, they have racks of storage and compute colocated all over the world and optimize the living crap out of their network to reduce their costs and make it run on as many peering relationships as possible. It's an expensive and complex business to set up, but once it's set up you get a fairly good and consistent return out of it.

The reason for this article is related to the nature of that business: it’s the issue of liability.

When you have policies where you protect your clients from downsides and excessive use on the network, you suddenly have to assume the role of paying attention to what's on the network and policing its contents. That's not possible with a massive system like this generally, so they push the liability down to the customer and discount the mistakes that come up. That's why things are set up like this. This kind of stuff isn't their business at all really. They are looking for the customers that convert and pay, which is very profitable, and the free tier is often thought of as a sustainable cost if you are at a large enough scale, as it substitutes for the rather massive expense of marketing and sales, which is one of the largest expenses in a bandwidth-focused business. CAC is the free tier.

There are also competitors, but the benefits of scale are tremendous in terms of cost efficiency. A large provider might be paying just a very small fraction of a penny or less (even "free") compared to what a small provider is paying. So that's why you end up with fewer competitors, because it truly is a business that benefits from economies of scale.

There are other smarter people on here who can correct any mistakes I’ve made or provide better pricing or whatever, but that’s the more in depth answer.

Have you not... looked? They exist - arguably too many of them. Clouds aren't a good indicator of reasonable pricing.
In EU, yes. EU cloud providers offers bandwidth on the cheap, much cheaper than anywhere else.
I believe it's quite the opposite, cloud has normalized absurdly high traffic fees, and that is what should be raising alarm bells.
cloudflare has a blogpost that kind of explains a bit on cost of bandwidth https://blog.cloudflare.com/the-relative-cost-of-bandwidth-a...

(from 2014, so it might be super outdated)

Yes, cloud services have inflated both bandwidth and amortized hardware costs to absurd levels. You pay for not having to know what to do in order to run something online. Until it breaks.
Peering.

Here's how it works:

1) I have a big network and I exchange traffic with another big network. Think of "eyeball" networks like last-mile ISPs (Comcast, mobile providers, etc) where a substantial portion of end-user traffic is going to handfuls of well known networks - Cloudflare, AWS, Netflix, etc.

2) Comcast and Cloudflare say "Hey, I send you X TB/PB/etc and you send me X TB/PB/etc. We both currently pay another provider to route that traffic between us. Let's not do that."

3) In locations where it makes sense they basically throw a cable across datacenters, POPs, internet exchanges, etc. The cost for this is typically extremely low - it's basically a port on a switch/router on each side and MAYBE a "cross connect fee" from the facility. This is usually billed in the tens of dollars/mo if at all. It takes very little time/effort to configure this but of course the details are more complex - multiple ports, multiple facilities, etc.

4) Both sides start routing traffic between their networks over their new shiny direct cables and extremely high speed ports. Faster throughput, lower latency, improved reliability, frees up bandwidth to the transit provider they were using previously, and most importantly the cost of bandwidth between the two networks goes to zero.

This is all well known and publicly available because it's visible in the global routing table(s). Cloudflare, for example[0].

All of the large providers do this and AWS, etc charging in bandwidth per GB (especially at their rates) is more-or-less pure profit.

I have a theory that AWS, etc capitalize on people not really understanding this anymore. AWS is 20 years old - that's an entire generation of CTO/CIOs on down that are completely unfamiliar with these details and think $0.10/GB or whatever is "just what bandwidth costs". It is not.

[0] - https://bgp.he.net/AS13335#_peers

People don’t really and have never fully understood this - and why Netflix using a lower tier provider with bad peering caused companies to … not upgrade their links.
I have heard that they rather drastically constrain QoS instead, which does sound reasonable. So you are still not charged for abusive traffic, but your service will be much slower than what is actually possible with paid tiers.
So you'd be either slow or pay them "for protection". Something that reminds me of;)
Capitalism? Mob-style "protection" would be if Cloudflare were the ones who DDoSed you if you didn't pay.
Yeah. Instead Cloudflare hosts the websites of DDoS sellers and refuses to take them down or tell you who they are. A lot of these DDoS-for-hire services use Cloudflare to hide their real IP.
How naive if you think the mob would disclose when its affiliates trash your shop.
I think a lot of people don't understand how cheap bandwidth is and is decreasing in cost practically every day. Amazon and Google have a lot of people fooled. Go ask someone operating in China and East Asia (and Japan) how much they're paying for local solutions.
These guys know what they're doing. If and when Cloudflare dies we'll find something else.
it's 100% not sustainable. Use it while it's good, but don't get vendor locked in, because sooner or later they will increase the prices
> it's 100% not sustainable

As a business for Cloudflare?

  Cloudflare in 2014 blogged about how they work relentlessly to bring down bandwidth costs by peering aggressively where possible [2] (which apparently means $0 for unlimited bandwidth [3]). And where they can't / don't [4], egress is 5x (est) the ingress (one pays for the higher among the two), but this creates an opportunity for arbitrage and gives away DDoS protection for free.

  This is pretty similar to Amazon's free-shipping offer for Prime customers despite it being one of the biggest loss makers to their retail business. Prime basically has since forced Amazon to bring down costs through building an expensive and vast distribution & logistics network that spans the globe. Doing so was a considerable drain on the resources in the short run, but in the long run, it has become an unbreachable moat around its largest business.

  Analysts like Ben Thompson (stratechery.com) and Matthew Eash (hhhypergrowth.com) have written in detail about Cloudflare's modus operandi over the years, with both agreeing that Cloudflare's model is so brilliantly disruptive that even Clayton Christensen would be proud of it.
https://news.ycombinator.com/item?id=33337183
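The comment above ("one pays for the higher among the two") and the earlier one about wholesale bandwidth being sold as sustained throughput while retail hosts resell it as GB transferred are both describing 95th-percentile ("burstable") transit billing against per-GB egress billing. The following is an added example, not code from the thread or from Cloudflare, Netlify or any other provider named in it. It constructs one month of 5-minute traffic samples with a short flood and uses assumed prices ($0.10 per GB of egress, $0.50 per Mbps per month at the 95th percentile) and assumed traffic levels (10 Mbps in, 50 Mbps out, 10 Gbps during the flood) to show why a one-hour DDoS disappears from a 95th-percentile bill but lands in full on a per-GB bill.

```python
# Added example (not from the HN thread): compare per-GB egress billing with
# 95th-percentile ("burstable") transit billing on the same constructed month.
# All prices, rates and the attack shape below are assumptions for illustration.

SAMPLE_SECONDS = 300              # 5-minute counter samples, the usual p95 interval
SAMPLES_PER_DAY = 24 * 60 // 5    # 288 samples per day


def build_month(base_in, base_out, flood_in, flood_out, flood_samples,
                days=30, start=1000):
    """Constructed traffic: steady in/out rates (Mbps) plus one contiguous flood.

    Returns two lists of per-sample average rates: (inbound, outbound)."""
    n = days * SAMPLES_PER_DAY
    if start + flood_samples > n:
        raise ValueError("flood does not fit in the month")
    inbound = [base_in] * n
    outbound = [base_out] * n
    for i in range(start, start + flood_samples):
        inbound[i] = flood_in
        outbound[i] = flood_out
    return inbound, outbound


def samples_to_gb(samples):
    """Decimal gigabytes moved by a list of per-sample average rates in Mbps."""
    megabits = sum(samples) * SAMPLE_SECONDS
    return megabits / 8 / 1000


def percentile95(samples):
    """Burstable-billing 95th percentile: drop the top 5% of samples and bill
    the highest one that survives. Integer arithmetic for the cut-off index
    avoids float rounding deciding which sample is billed."""
    ordered = sorted(samples)
    dropped = len(ordered) * 5 // 100
    return ordered[len(ordered) - dropped - 1]


def bill_per_gb(outbound, usd_per_gb):
    """Retail-style bill: every gigabyte of egress is charged, bursts included."""
    return round(samples_to_gb(outbound) * usd_per_gb, 2)


def bill_95th(inbound, outbound, usd_per_mbps):
    """Transit-style bill: the higher of the inbound and outbound 95th
    percentiles is the billable rate. Returns (billable_mbps, usd)."""
    billable = max(percentile95(inbound), percentile95(outbound))
    return billable, round(billable * usd_per_mbps, 2)


def compare(flood_samples, usd_per_gb=0.10, usd_per_mbps=0.50):
    """Run both billing models over the same constructed month.

    Baseline: 10 Mbps in / 50 Mbps out (egress roughly 5x ingress, as the
    thread notes). Flood: 10 Gbps in both directions for `flood_samples`
    five-minute samples."""
    inbound, outbound = build_month(10, 50, 10_000, 10_000, flood_samples)
    billable, p95_usd = bill_95th(inbound, outbound, usd_per_mbps)
    return {
        "egress_gb": samples_to_gb(outbound),
        "per_gb_usd": bill_per_gb(outbound, usd_per_gb),
        "p95_billable_mbps": billable,
        "p95_usd": p95_usd,
    }


if __name__ == "__main__":
    # 5% of a 30-day month is 432 samples = 36 hours. A one-hour flood
    # (12 samples) is discarded by p95; a 42-hour flood (500 samples) is not.
    for samples in (0, 12, 500):
        print(f"flood of {samples * 5} min:", compare(samples))
```

With these assumed numbers the one-hour flood raises the per-GB bill from $1620 to about $2068 while the 95th-percentile bill stays at $25, because the 12 flood samples sit inside the 432 samples (36 hours) that p95 discards in a 30-day month. Only once the flood outlasts that window (500 samples here) does it become the committed rate, and then the p95 bill jumps to $5000. The thresholds and prices are illustrative; real transit contracts differ in sampling interval, commit level and whether in and out are measured separately or summed.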
This is why we still use services on VMs and open source containers. We can move our services anywhere, including self-hosting. AWS and Google offer some amazing solutions, but lock-in ain't worth it if you can manage your own stack via serverless/VM solutions.
They've been going for at least 10 years...
Their stock performance would agree
While a funny comment, stock performance is at best loosely coupled to sustainability as a company.
By the time it isn't sustainable I will have IPO'd and be the next offensive new-money tech billionaire writing threads on Twitter telling you the secret to success is the 5am grindset and everyone who isn't sinking 5mil into the next big thing (tm) can have fun staying poor.
> Cloudflare's free tier is ridiculous: We do over 30TB+ of genuine traffic for $0

It's not really ridiculous if you think about what you're giving them.

You are massively benefiting their platform by providing them data which they use to train their services and then sell those services to other customers.

I'd make a case that the data they collect is the most important part of their business and the free tier is a major component of this.

If you are not paying for it, you are not the customer; you're the product being sold.
I don't think it's fair to call it their free tier - it's their discretionary tier, there are numerous cases of the rug being pulled as and when it suits their business requirements to do so. Being left homeless vs. urgently coughing up is exactly the wrong problem to be dealing with mid-attack, I can't see any way to consider it free by any practical definition
I know that putting all eggs in one basket and giving it all to Cloudflare is not a good idea; if they have an outage then I would also have it too. But when they are down, one third of the internet is down with them too. With $240 a year for CDN, $60 a year for serverless and $0.015 / GB-month for S3-compatible storage with free egress, I don't think anyone could find a better alternative than CF. I'm mixing AWS, CF and self-hosted machines and the infra cost is less than $5k a year. Now I can spend the remaining hard-earned money on some fresh Marlboro cigarettes.