It’s a completely different thing. DDoS protection is not like insurance. Insurance is putting monetary value on a risk and paying off if that risk materialises. DDoS mitigation is a set of technical measures that are implemented. Most of the DDoS protections are features which are implemented (e.g., when the traffic is more than X, require captcha for all requests). It doesn’t have any marginal cost for the provider.
And you can argue the same for the network infrastructure. Once you have the bandwidth, as long as it’s not saturated it is a waste letting it idle.
So I really don’t see how even being under DDoS every day can “eat up your fees”. Maybe you can elaborate?
You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?
To me it seems a really arbitrary argument. Insurance companies estimate a risk, and if their chance to pay is almost certain, then for them there is no point in insuring you, they lose for sure so they refuse you.
DDoS protection services don’t pay if their customers get DDoS. Cloudflare doesn’t need to go and deploy more network appliances every time a customer gets DDoS’d, nor they need to hire additional engineers to implement features. They have done this already and if they do it’s a company-wide investment, not a per-client investment.
You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?
The majority of factories. They get an order in and produce the product until that order is fulfilled. They don’t have to be running 24/7, it is just that that is the most profitable.
But if you stick to your “analogy”, a factory also chooses who their customers are. And if some are too demanding, they just drop them. Like the casinos.
Also, once factories have machines etc., they might prioritize one customer over another, but I doubt they decide a customer is not profitable. In fact, digital businesses don’t have by design the problems posed by the physical world, and this is especially true in b2c businesses…
I should have elaborated on it a bit more, my bad.
While it’s true that DDoS is more of an active technology rather than a CYA thing.
It does however also act as insurance when it comes to the “blame game”: if your site goes down it’s not your fault but the provider’s fault, meaning you might be able to recoup lost profits through a lawsuit.
Of course the only way to avoid this for the provider is to provide better and stronger systems, which normally would grow homogenous through more customers and/or growing fees for all customers, which would pay for better capacity and stronger protection by itself.
However here we have a client that is a high value target that others might want to take down at all costs.
Even if they didn’t sue, a strong enough attack might, alongside naturally expected DDoS on other clients, not only take down this customer’s server, but others as well, which really isn’t something you want, for the reasons stated above.
And rapidly increasing security could be not worth it, as it could devolve into an arms race by proxy with a high risk of the customer leaving if you raise their fees to much, leaving you with a system which’s maintenance will now dig into your profits due to a lost big income stream, or make other customers leave if you raise the general fee.
To be honest, I have never even heard of anybody who sued a service provider for failing to mitigate DDoS, or for letting an attack through a WAF, etc.
I am quite positive that the contracts/T&C you sign when you subscribe to the services are rock solid, otherwise cloudflare would be under extreme liability. Also, usually you have the ability to customize the DDoS settings, choose thresholds etc. I really can’t imagine a company having any real chance of getting the provider to reimburse you. The only service that usually has SLA is the uptime of the CDN, which if breached should be compensated. I am quite sure that in the cheap plans the SLA is probably not very high.
Also, what you say about a customer that someone might want to take down is true for all customers that require DDoS protection. If they didn’t, they wouldn’t pay for the service on the first place. Cloudflare serves a bazillion customers who are much bigger targets than a casino, I don’t think they were afraid of the exposure. Also, when cloudflare receives a high DDoS attack, for them is awesome marketing. Imperva, Akamai, Cloudflare are basically identical and the selling point is exactly “how big can they tolerate?”.
Honestly rather than speculating on what we don’t know, I propose a simpler option: cloudflare plans are designed to get customers one foot in the door with a super cheap plan, to them each individual customer has basically no marginal cost. However, once the customers are in they can identify the ones they can squueze and find reasons to push more expensive plans. If they bump 1/30 of them, even if they other 29 will leave, they are in plus (250x29 < 10000 x 1).
To me this seems simply a business strategy. They specifically say “Unlimited & unmetered DDoS attack mitigation” in the cheapest plan, afterall.
It’s a completely different thing. DDoS protection is not like insurance. Insurance is putting monetary value on a risk and paying off if that risk materialises. DDoS mitigation is a set of technical measures that are implemented. Most of the DDoS protections are features which are implemented (e.g., when the traffic is more than X, require captcha for all requests). It doesn’t have any marginal cost for the provider.
And you can argue the same for the network infrastructure. Once you have the bandwidth, as long as it’s not saturated it is a waste letting it idle.
So I really don’t see how even being under DDoS every day can “eat up your fees”. Maybe you can elaborate?
It is similar in that there’s a pool of resource shared between all the clients, and the service provider can shift this resource around when in need.
You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?
To me it seems a really arbitrary argument. Insurance companies estimate a risk, and if their chance to pay is almost certain, then for them there is no point in insuring you, they lose for sure so they refuse you.
DDoS protection services don’t pay if their customers get DDoS. Cloudflare doesn’t need to go and deploy more network appliances every time a customer gets DDoS’d, nor they need to hire additional engineers to implement features. They have done this already and if they do it’s a company-wide investment, not a per-client investment.
The majority of factories. They get an order in and produce the product until that order is fulfilled. They don’t have to be running 24/7, it is just that that is the most profitable.
But if you stick to your “analogy”, a factory also chooses who their customers are. And if some are too demanding, they just drop them. Like the casinos.
OK, sorry. Digital services businesses.
Also, once factories have machines etc., they might prioritize one customer over another, but I doubt they decide a customer is not profitable. In fact, digital businesses don’t have by design the problems posed by the physical world, and this is especially true in b2c businesses…
I should have elaborated on it a bit more, my bad.
While it’s true that DDoS is more of an active technology rather than a CYA thing. It does however also act as insurance when it comes to the “blame game”: if your site goes down it’s not your fault but the provider’s fault, meaning you might be able to recoup lost profits through a lawsuit.
Of course the only way to avoid this for the provider is to provide better and stronger systems, which normally would grow homogenous through more customers and/or growing fees for all customers, which would pay for better capacity and stronger protection by itself.
However here we have a client that is a high value target that others might want to take down at all costs. Even if they didn’t sue, a strong enough attack might, alongside naturally expected DDoS on other clients, not only take down this customer’s server, but others as well, which really isn’t something you want, for the reasons stated above. And rapidly increasing security could be not worth it, as it could devolve into an arms race by proxy with a high risk of the customer leaving if you raise their fees to much, leaving you with a system which’s maintenance will now dig into your profits due to a lost big income stream, or make other customers leave if you raise the general fee.
To be honest, I have never even heard of anybody who sued a service provider for failing to mitigate DDoS, or for letting an attack through a WAF, etc. I am quite positive that the contracts/T&C you sign when you subscribe to the services are rock solid, otherwise cloudflare would be under extreme liability. Also, usually you have the ability to customize the DDoS settings, choose thresholds etc. I really can’t imagine a company having any real chance of getting the provider to reimburse you. The only service that usually has SLA is the uptime of the CDN, which if breached should be compensated. I am quite sure that in the cheap plans the SLA is probably not very high.
Also, what you say about a customer that someone might want to take down is true for all customers that require DDoS protection. If they didn’t, they wouldn’t pay for the service on the first place. Cloudflare serves a bazillion customers who are much bigger targets than a casino, I don’t think they were afraid of the exposure. Also, when cloudflare receives a high DDoS attack, for them is awesome marketing. Imperva, Akamai, Cloudflare are basically identical and the selling point is exactly “how big can they tolerate?”.
Honestly rather than speculating on what we don’t know, I propose a simpler option: cloudflare plans are designed to get customers one foot in the door with a super cheap plan, to them each individual customer has basically no marginal cost. However, once the customers are in they can identify the ones they can squueze and find reasons to push more expensive plans. If they bump 1/30 of them, even if they other 29 will leave, they are in plus (250x29 < 10000 x 1).
To me this seems simply a business strategy. They specifically say “Unlimited & unmetered DDoS attack mitigation” in the cheapest plan, afterall.