Unlimited DDoS protection the new norm after Cloudflare announcement

Late last month, global distributed denial of service (DDoS) protection provider Cloudflare announced that it would no longer charge customers extra when they were under attack.

The company claims to have nearly 10 million customers and a presence in 117 cities around the world, with enough capacity to handle more than 15 terabits of traffic per second. It provides DDoS protection to enterprises, small businesses, and even personal websites. The company also works with a number of large data center providers.

The unlimited DDoS billing was rolled out to all its customers, including those getting the free version of the service, said Matthew Prince, CEO at Cloudflare, Inc. “We finally got to the point where we think we have so much scale, and can deliver our service more efficiently, that we’re waiving surge pricing for all our plans,” he said.

Surge pricing too often meant that smaller companies found themselves with either high bills they couldn’t afford or no services because they exceeded their contracted maximum volume. Cloudflare is not the first DDoS protection provider to offer unmetered pricing, but its decision might signal the end of the practice. That would have a significant effect on limiting damage from DDoS attacks.

Why unmetered DDoS protection will be standard

Protecting small websites benefits everyone, Prince said, because it can help Cloudflare identify attacks and stop them as close to the source as possible. “Even low-end customers help contribute to the overall knowledge,” he said. Prince expects other DDoS protection providers to follow suit. “What I think will happen is this will become the industry standard,” he said.

That’s good news for customers. “The last thing you want is an unpredictable cost model that can fluctuate depending on the attack size,” said the director of security operations at a 25-year-old private equity firm. “The focus should be on effective defense strategy, not the uncertainty of a fluid billing model.”

For some companies, having DDoS protection in place is part of their business model. “We viewed it as an investment in good customer service, given the prevalence of such attacks,” said Paul Mazzucco, CSO at TierPoint, LLC, a data center service provider. For the past few months, the company has been providing DDoS protection at no extra charge, regardless of the size of the attacks.

TierPoint is getting its DDoS protection through Radware Ltd., which bills based on the amount of legitimate traffic that a company gets. “Our pricing is not bound by an attack size they may face,” said Carl Herberger, the company’s VP of security solutions.

Similarly, Neustar, Inc. charges customers for clean traffic. “Becoming a victim of a DDoS attack is never a choice made by a customer,” said Joe Loveless, the company’s director of product marketing. “Being online means being susceptible to attack.”

Metered DDoS pricing used to be more common, said Theresa Abbamondi, director of product management for Arbor Cloud and Services at Arbor Networks, Inc. That created a risk for customers, she said. Arbor has priced based on clean traffic since it launched its service four years ago, making it one of the first vendors to do so. “Most of the purpose-built anti-DDoS vendors quickly moved to this type of clean traffic pricing model, and it became the standard in the high end of the market,” she said.