Content delivery network services is a corner of the vendor world with no shortage of players, but relative newcomer CloudFlare Inc. is looking to carve out its own niche by wrapping its capabilities in a security story analysts say may appeal to the low-end of the enterprise market.
That story is hinged on providing a cloud-based DDoS protection service that CloudFlare CEO Matthew Prince said is designed to be affordable. Many other DDoS protection solutions are expensive, hardware based and can increase a site’s overall latency, he said.
“We're pretty proud of the fact that we've created a service that is easy, that anyone can afford, and that will not only protect you from attacks, but also make your site faster,” he said.
Making a splash
Launched in 2010, San Francisco-based CloudFlare made a public splash last year when it opted to defend the website of LulzSec, the now infamous hacking group associated with attacks on FOX Broadcasting Company, the Senate.gov website and other targets. There were three factors in the company’s decision not to kick LulzSec off its network, Prince explained. First off, the company does not view it as its role to censor the Web. Plus, the hackers were not launching attacks through the CloudFlare network; removing them would not have taken them offline.
In addition, attack traffic is used to make the CloudFlare network smarter and more resilient, Prince said. “In fact, in the 23 days that LulzSec was active and using our network, our system automatically generated more than a million new rules that today help protect other sites that rely on CloudFlare for protection,” he said.
“One of the unique aspects of CloudFlare's system is that we get smarter with every website that is on the network,” Prince explained. “While it may seem counter-intuitive, us having clients on our network that get attacked means the system learns more about the characteristics of the attack and can better protect the entire network. One of our customers wrote in the other day suggesting our tagline should be: You mess with one bean, you mess with the whole burrito.”
To distinguish between legitimate and illegitimate traffic, the company analyzes a number of different factors, Prince said.
“CloudFlare acts as an umbrella of protection in front of a website,” he said. “What that means is when we detect an attack we can increase the friction for the attacker. In the extreme case, we can block the traffic entirely so it never hits our customers' [servers]. However, in cases where we're less certain whether it's an attack, we can take other steps such as requiring someone to enter a CAPTCHA before they can post a comment that looks like it may be spam to a blog, or turning down the bandwidth and response rate when something appears to be a DDoS.”
DDoS protection services: The competition
Gartner analyst John Pescatore noted that CloudFlare’s path has taken some twists and turns since its founding.
“They started out looking like Incapsula (a division of Imperva Inc.) or Dasient (since acquired by Twitter) as basically a cloud-based website Protection as a Service offering aimed at low price points,” he said. “They then seemed to get pulled into content delivery acceleration -- so now they look at lot more like Akamai.”
Akamai, however, has “a lot of believability” among large, global enterprises, while CloudFlare currently does not, he explained.
“So, I think CloudFlare’s opportunity is going after the lower price points, where Akamai does not have [an] advantage,” he said.
According to Pescatore, demand for cloud-based DDoS protection services is growing much faster than sales of DDoS appliances in the enterprise market. Other vendors providing cloud-based DDoS prevention include Prolexic, Verisign and Neustar.
CloudFlare’s pricing is attractive, but may not be a lasting differentiator, as companies such as Incapsula combine content delivery and security with free offerings as well, said Jim Davis, an analyst with The 451 Group. Incapsula Inc. offers a cloud-based DDoS protection and Web application firewall (WAF) services targeting SMBs, while its parent company Imperva offers a cloud-based DDoS protection service for the enterprise market.
“I think CloudFlare at this point in time is in more of a position to open up a different segment of the market for CDN [content delivery network] and security services more than disrupt existing players,” he said. “While it can protect against DDoS attacks, there are limits to what it will protect against and customers should have a clear understanding of what their needs are before they decide on the free versus pro plans that are offered. Protection against very large-scale attacks [is] still the domain of larger competitors in the CDN space like Akamai as well as specialists like Prolexic.”
Still, Prince claimed the company currently sees more traffic through its network than some of the biggest sites on the Web combined.
“We have sites using us ranging from small, individual blogs, to large media publications, to Fortune 500 companies, to national governments,” he said. “It's a testament to the fact that if you build a great service that solves a real problem and provide it at a reasonable price, customers will come.”
About the author:
Brian Prince has been covering the IT security industry for more than five years. His articles have appeared in a number of publications.