CloudFlare

 

CloudFlare Meetup - Monetizing Your Sites: Your Questions. Answered.


As a publisher, boosting revenue is often top of mind. Join us for a meetup in San Francisco on Thursday, May 31.

Site monetization experts from VigLink, SayMedia and CloudFlare will be on hand to discuss the best practices for monetizing your site. They will share tips on how to boost revenue through advertising and affiliate programs, and share common pitfalls to avoid. It will be a lively and informative evening.

The event opens at 7:00pm at our office in SOMA at 3rd and Townsend. Sign up here

Monetizing Your Site: Your Questions. Answered
Thursday, May 31, 2012
Doors open at 6:30pm, Panel starts at 7:00pm
CloudFlare Office - 665 3rd Street, Suite 207 (SOMA)

Do you have a meetup suggestion? Would you like to host a meetup of your own at the CloudFlare office? Let us know by commenting below or sending an email to meetups@cloudflare.com.

We hope to see you on May 31!

Posted by Kristin Tarr
 

CloudFlare & OpenDNS Work Together to Help the Web


Several years ago, some suspected cyber criminals on the Internet wrote a family of malware dubbed DNSChanger. About a year ago, law enforcement tracked down the suspected cyber criminals behind this malware, arrested them, and took over the servers they were using to redirect customers to rogue sites.

As a result of a court order, the Internet Systems Consortium (ISC), under the direction of the FBI, has continued to run the DNS servers used by the malware for the last year. However, the court order will soon expire and those servers are scheduled to be shut down on July 9, 2012. When that happens, hundreds of thousands of Internet users whose systems are still infected and/or affected could lose access to the web, email, and anything else that depends on DNS. This is the story of how two Internet infrastructure startups — CloudFlare and OpenDNS — are playing a small part to help solve the problem.

A Bit of DNS Background

Up front, in order to understand this story, you need to understand there are two types of DNS servers: recursive and authoritative. Everyone who uses the Internet needs a recursive DNS server. Your ISP usually provides these types of services or you can use a provider like OpenDNS, Google, DNSAdvantage, other public resolvers, or even run a server yourself to handle your recursive DNS queries.

On the other hand, every domain needs at least one authoritative DNS server. Authoritative servers are where a particular domain's records are hosted and published. Many domain registrars provide authoritative DNS servers, or you can use a service like CloudFlare, which provides authoritative DNS. When an Internet user types a Uniform Resource Identifier (URI), also known as a Uniform Resource Locator (URL), into their browser, clicks on a link, or sends an email, their computer queries their recursive DNS provider. If the recursive DNS provider has the answer cached, then it responds. If it doesn't have the answer cached, or if the answer it has is stale, then the recursive DNS server queries the authoritative DNS server.

As mentioned above, OpenDNS provides recursive DNS. Their customers are web surfers and they provide a terrific service that helps speed up Internet browsing and protect people on the web from malware. CloudFlare provides authoritative DNS. Our customers are websites and we make those sites faster and protect sites from attacks directed at them. While we're often asked if OpenDNS and CloudFlare are competitive, in reality the two services are complementary, using different parts of DNS (recursive and authoritative) to achieve a similar mission: a faster, safer, better Internet.

How Suspected Cyber Criminals Use DNS to Do Bad Things

The DNSChanger malware family was designed to change the recursive DNS server that an Internet user's computer queries. Instead of directing DNS queries at the recursive server you or your ISP configured, the malware modified computer settings to route queries to recursive DNS servers controlled by the suspected cyber criminals.

The job of DNS is to translate a domain name such as dcwg.org, which humans prefer, into an IP address, like 108.162.205.64, which servers and routers can use. If you are a cyber criminal and you can gain control over someone’s recursive DNS, then you can redirect traffic intended for certain sites to fake versions of those sites. Once DNSChanger had web surfers querying rogue recursive DNS servers, all requests for legitimate websites could be directed to a fake website. For example, even if you typed your bank's domain name into your browser, if the suspected cyber criminals control recursive DNS then they can send you to a malicious site and steal your information.

Over the years DNSChanger operated unchecked, more than a million computers and home routers had their DNS configurations modified. Thankfully, law enforcement was able to track down the suspected cyber criminals behind the malware, arrest them, and seize control of the rogue recursive DNS servers. Unfortunately, hundreds of thousands of computers are still using the formerly rogue recursive DNS servers. On July 9, 2012 the court order directing ISC to operate the servers expires and those servers are scheduled to be shut down. On that date, all systems which still have their DNS settings modified by DNSChanger will effectively be cut off from the Internet.
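A host-side check for the setting change described above, as an added example (it is not the CloudFlare app's code or DCWG tooling): it audits the resolvers in a `resolv.conf`-style file against a list of rogue ranges. The function names, the sample file and the rogue ranges are assumptions; the ranges are documentation-space placeholders because the page does not list the real ones.

```python
import ipaddress

# PLACEHOLDERS: RFC 5737 / RFC 3849 documentation ranges standing in for the
# rogue DNSChanger server ranges, which this page does not list.
ROGUE_RANGES_PLACEHOLDER = ("192.0.2.0/24", "2001:db8:bad::/48")

# Constructed sample input, not taken from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
nameserver 192.168.1.1   ; home router
nameserver 208.67.222.222
nameserver ::ffff:192.0.2.7
nameserver not-an-ip
search example.lan
"""


def configured_resolvers(text):
    """Yield (line_no, value) for every nameserver entry, ignoring comments."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            yield line_no, fields[1]


def classify(value, rogue_networks):
    """Return 'rogue', 'check-upstream', 'ok' or 'unparseable' for one entry."""
    try:
        # Drop an IPv6 zone id such as %eth0 before parsing.
        addr = ipaddress.ip_address(value.split("%", 1)[0])
    except ValueError:
        return "unparseable"
    # An IPv4-mapped IPv6 address must be compared as the IPv4 address it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Test the rogue list first: documentation ranges also count as "private".
    if any(addr.version == net.version and addr in net for net in rogue_networks):
        return "rogue"
    # A router or local stub resolver forwards queries elsewhere. Home routers
    # were modified too, so its own upstream DNS setting has to be checked.
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "check-upstream"
    return "ok"


def audit_resolvers(text, rogue_ranges):
    """Classify every configured resolver; returns [(line_no, value, status)]."""
    rogue_networks = [ipaddress.ip_network(r) for r in rogue_ranges]
    return [(line_no, value, classify(value, rogue_networks))
            for line_no, value in configured_resolvers(text)]


if __name__ == "__main__":
    for line_no, value, status in audit_resolvers(SAMPLE_RESOLV_CONF,
                                                  ROGUE_RANGES_PLACEHOLDER):
        print(f"line {line_no}: {value:<20} {status}")
```

A `check-upstream` result is not a clean bill of health: the host only sees the router or stub resolver, so the same audit has to be repeated against that device's configured DNS servers.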

Getting the Word Out

The DNSChanger Working Group (DCWG), a loosely affiliated organization comprised of some of the world’s largest and most competent ISPs, search engine vendors, software vendors, security companies, and others, has been working to get the word out about the problem and reduce the impact of the shutdown of the DNSChanger recursive servers. The DCWG launched a website (dcwg.org) to provide information about the malware, let people test whether they are infected, and provide recommendations on how to fix their systems. CloudFlare first became involved when the folks at dcwg.org reached out to us because their site was under heavy load after attention from major media outlets. CloudFlare helped keep the dcwg.org website online under the load caused by media attention over the last 10 days. We offloaded more than 95% of the traffic to the site, ensuring the site ran fast and stable even when it was being featured on the front page of cnn.com.

Unfortunately, one of the challenges in trying to address situations like DNSChanger is that you only know to go to the dcwg.org website if you already know about it. What you needed was something akin to an emergency broadcast system that would inform people who were infected that they had a problem as they surfed the web. In the process of working with the DCWG, we realized we might be able to help.

Some of our engineers created an app named Visitor DNSChanger Detector App. Any website on CloudFlare can enable the app with a single click from our apps marketplace. The app installs a small bit of Javascript on the page that tests visitors to see if they're infected. If the tests do not detect anything, nothing happens. If the tests indicate that the DNSChanger recursive servers are being used, then a banner is displayed across the top of the page and visitors are directed to instructions on how to clean up the infection (more on that in a second).

More than 470 million people pass through CloudFlare's network on a monthly basis. Our data suggest that more than half of the people infected with DNSChanger would visit at least one site on CloudFlare per month. The power of the Visitor DNSChanger Detector App is that as CloudFlare publishers enable it then there is an increasing likelihood that people who are infected will get information about their infection before they are no longer able to use the Internet on July 9, 2012.

While we've made it extremely easy for publishers on CloudFlare's network to help get the word out, we didn't want to restrict participation to only those sites using our service. We therefore decided to release the code for the checks publicly and as open source so anyone who can install a few lines of Javascript on their web pages will be able to install it on their own sites to inform their potentially infected users. You can access the code from the following GitHub Repo. We're hopeful that sites both large and small will take the time to install the code in order to help inform their visitors who may be infected.

What Should People Notified of This Infection Do?

While CloudFlare is able to assist with informing web surfers they have an infection, we aren’t particularly well situated to actually fix the problem. After all, it isn’t our customers that are directly impacted, but rather the customers of our customers. Many of the folks infected can get help from their ISPs, but for some this might not be an option. CloudFlare reached out to David Ulevitch, the CEO of OpenDNS, and he saw this as a great opportunity to further OpenDNS's mission of helping build a better Internet. We added OpenDNS as a resource for publishers to display to their customers when the Javascript detects the use of the DNSChanger recursive servers.

The Power of the DNS

This incident illustrates to me the importance and power of the DNS system that underpins the Internet. The suspected cyber criminals were able to modify DNS settings to steal advertising revenue and perform other illegal activities. CloudFlare uses authoritative DNS in order to provision powerful tools to make sites faster and even help create a sort of emergency warning system for the Internet. OpenDNS provides high performance recursive DNS caching services for their customers. Combined, we hope to help the DCWG get the word out so the hundreds of thousands of Internet users still impacted by the DNSChanger malware will be able to take steps to ensure they’ll be able to use the Internet on July 10, 2012 and beyond.

Posted by Matthew Prince
 

Today's Outage Post Mortem

CloudFlare had an outage across much of our network today. The outage began at 20:19 (GMT). It affected approximately 75% of traffic to CloudFlare's network. The length of time for the outage varied depending on region, but the maximum period of downtime was approximately 15 minutes. I wanted to quickly get information out about what happened, why it happened, and what we're doing to ensure it never happens again.

Routes, Routers and Routing

To understand the problem, you need to understand a bit about how Internet routing works. The Internet is a massively interconnected network. Networks send packets to each other across routes. These routes are set for each network by routers. A route defines the path for packets to take to get to a particular IP address. One network will announce that it is responsible for a particular set of IP addresses. That fact is then shared to upstream routers so if they see a packet bound for a particular IP they can send it in the correct direction.

Routers exchange routes between each other using something called Border Gateway Protocol (BGP). When two networks interconnect, they generally trust each other's routes. If a routing change is announced by one router, the immediately connected upstream routers will pick up the routing change. They will subsequently pass the change on to other routers that are further upstream.

Bad Route to Hong Kong

Today we had a scheduled maintenance for our Hong Kong data center while its systems were being upgraded. The data center was taken offline by shutting down all the in-bound Anycast routes. This, as we intended, caused all traffic that would have gone to that data center to hit the next closest facility (either Singapore or Tokyo).

While the systems were being upgraded, our network team worked to optimize some of the routing in Hong Kong. At some point, the out-bound routes were entered into the in-bound interface. The out-bound routes describe our entire net range so the net effect was the router in Hong Kong was announcing that it was the correct place to send all traffic bound for CloudFlare's IP space.

Our upstream provider trusts our routes so, via BGP, they were quickly relayed throughout their network and to their upstreams. The result was traffic from around the world was directed to the Hong Kong data center, which was offline. We realized the issue and announced the corrected routes. It took approximately 15 minutes from the beginning of the problem to when the routes were corrected network wide. About 25% of CloudFlare's in-bound traffic comes from direct peers. This traffic was not affected by the routing because the direct peers trusted our routes more than the ones they were receiving from other upstreams.

Future Prevention

We are implementing systems to run all routing changes through a verification layer that double-checks them before any routes are announced. We are also talking with all our upstream providers to enable additional checks on their networks so that major routing changes are not automatically propagated without confirmation.
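One shape such a verification layer could take, as an added example rather than CloudFlare's actual system: it rejects an in-bound announcement from a drained site, rejects prefixes a site is not approved to announce, and flags any change that would pull a large share of the net range to one site. The `Site` record, the function names, the 50% threshold and the prefixes (RFC 5737 documentation ranges) are all assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """Hypothetical record of one data center's routing policy."""
    name: str
    in_service: bool          # False while the site is drained for maintenance
    approved_inbound: tuple   # prefixes this site may announce to attract traffic


def covered_fraction(proposed, net_range):
    """Share of the network's address space the proposed prefixes would attract."""
    total = covered = 0
    for whole in net_range:
        total += whole.num_addresses
        same = [p for p in proposed if p.version == whole.version]
        if any(whole.subnet_of(p) for p in same):
            covered += whole.num_addresses      # announced whole, or via a supernet
        else:
            inside = [p for p in same if p.subnet_of(whole)]
            covered += sum(c.num_addresses
                           for c in ipaddress.collapse_addresses(inside))
    return covered / total if total else 0.0


def verify_inbound_change(site, proposed, net_range, major_fraction=0.5):
    """Return (ok, reasons); ok is False when any rule blocks the announcement."""
    try:
        # ip_network() is strict by default: a prefix with host bits set is rejected.
        new = [ipaddress.ip_network(p) for p in proposed]
    except ValueError as exc:
        return False, [f"unparseable prefix: {exc}"]
    approved = {ipaddress.ip_network(p) for p in site.approved_inbound}
    whole = [ipaddress.ip_network(p) for p in net_range]
    reasons = []

    # Rule 1: a drained site must not attract any traffic.
    if new and not site.in_service:
        reasons.append(f"{site.name} is drained but would announce "
                       f"{len(new)} prefix(es)")
    # Rule 2: only prefixes explicitly approved for this site may be announced.
    for prefix in new:
        if prefix not in approved:
            reasons.append(f"{prefix} is not an approved in-bound prefix "
                           f"for {site.name}")
    # Rule 3: a change that pulls a large share of the address space to a
    # single site is treated as major and held for human confirmation.
    share = covered_fraction(new, whole)
    if share >= major_fraction:
        reasons.append(f"change would attract {share:.0%} of the net range "
                       f"to {site.name}")
    return not reasons, reasons


# Constructed data: documentation prefixes stand in for the real net range.
NET_RANGE = ("198.51.100.0/24", "203.0.113.0/24")
APPROVED = ("198.51.100.0/26", "203.0.113.0/26")
HKG_DRAINED = Site("HKG", in_service=False, approved_inbound=APPROVED)
HKG_LIVE = Site("HKG", in_service=True, approved_inbound=APPROVED)

if __name__ == "__main__":
    # The mistake from the post mortem: the out-bound routes (the whole net
    # range) entered on the in-bound side of a site that is offline.
    ok, reasons = verify_inbound_change(HKG_DRAINED, NET_RANGE, NET_RANGE)
    print("ok" if ok else "BLOCKED")
    for reason in reasons:
        print(" -", reason)
```

The three rules fail independently, so the maintenance-window mistake is caught even if the approved-prefix list is itself stale or too broad.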

This is only the second significant outage in CloudFlare's history (here's our post mortem from the other). Any period of downtime is completely unacceptable to us. On behalf of our whole team, I apologize for the problem. We have learned from this experience and are already implementing the safeguards to ensure it will not happen again.

Posted by Matthew Prince
 

CloudFlare—WebOps for everyone

No matter whether you run a personal blog or the IT operation of a corporate enterprise, you have discovered that in addition to running a web site, and updating its content or application, a web site comes with difficult operational challenges. CloudFlare handles these WebOps challenges with a simple, five minute change to a web site’s settings.


From Flickr user flightlog

CloudFlare’s WebOps-as-a-service covers five main areas: Security, Metrics, Acceleration, Reach and Transformation (SMART). With CloudFlare, every website owner (from the smallest to the largest) gains access to the tools that have been reserved for the largest web sites in the world.

Security

Web sites are constantly attacked by hackers from around the world. Some look to turn a web site into a command-and-control server for a network of malicious bots, or to use a site to host a fake bank for phishing, steal sensitive private information (such as credit card information), or host malware. Attackers can range from organized criminal groups that use the threat of attacks to extort money to simple vandals.

What is worse is that attacks are a never ending battle. Everything from the operating system of the server hosting a web site to each individual fragment of code (such as blogging software) is a potential attack point, and must be constantly updated and fortified to evade the latest threats. This creates an enormous management burden for a web site owner and requires expertise that few possess outside of the world’s largest web sites.

Because of CloudFlare’s global reach and traffic we are able to automatically block attacks as they occur, and instantaneously roll out patches that prevent newly discovered vulnerabilities from ever exposing your servers to attack.

Additionally, CloudFlare’s global network means that Distributed Denial of Service attacks (DDoS) can be controlled and absorbed before they ever reach your server. Web sites around the world rely on CloudFlare for DDoS protection precisely because it is so difficult: effective DDoS protection requires an intimate knowledge of the operation of the Internet and a 24/7 operations team on hand to deal with attacks as they emerge.

Many web site owners also find that SSL encryption is necessary to ensure that connections to their web site are encrypted, and their visitors protected. But SSL is complex to set up and requires specialist knowledge. CloudFlare’s SSL service enables web sites to be SSL-enabled with a single click.

Finally, for publishers, CloudFlare’s ScrapeShield app automatically protects valuable content against automated scraping tools and tracks content that is stolen.

Metrics

Every web site owner knows that metrics are critical to track who visits your site, which pages or content are popular and how visitors come to find your site to begin with. CloudFlare makes it trivial to enable any number of metrics services with single click deployment of the service on to every one of your pages, and provides its own metrics service with highly accurate data as an additional complement.

For example, adding Google Analytics or Clicky to a CloudFlare site is a simple one click operation. No need to change the code yourself; CloudFlare automatically inserts the JavaScript necessary and within seconds metrics start to be collected.

CloudFlare also collects and makes available its own highly accurate metrics. Because CloudFlare sees every page view and hit for each web site it is able to provide 100% accurate metrics based on the actual visits made by visitors to your web site.

CloudFlare does not rely on JavaScript inserted into a page to track metrics unlike other common metrics tools. Rather, CloudFlare sees and reports on every page request even from visitors that deliberately block JavaScript or tracking tools. CloudFlare is also able to report on malicious traffic (in the form of hackers and bots) as it sees, blocks and records those visits as well.

Acceleration

Study after study has shown that web site speed is directly linked to revenue and visitor satisfaction. Even a tiny millisecond delay in the load time of a web page causes people to leave a site (and, perhaps, never come back) which means lost engagement and revenue. Page speed is also taken into account by large search engines when deciding on how highly to rank a page, and therefore can play a significant part in your search engine optimization (SEO) efforts.

CloudFlare’s content acceleration and caching services mean that web sites using CloudFlare see automatic acceleration of their web site just by signing up. CloudFlare automatically caches content so that it can be delivered quickly to a site’s visitors around the world, and optimizes content that can’t be cached so that it is delivered as fast as possible. On average, our customers’ web sites load 2X as fast after signing up for the service.

CloudFlare also has a collection of available acceleration tools that can be enabled with one click. These tools perform content optimization, such as minimization of image sizes, minification of JavaScript, loading JavaScript asynchronously and preloading parts of a page, further improving page load times.

Not only does CloudFlare cache and optimize your content, it also reduces the bandwidth used by your web server. This means that your web site saves money on bandwidth while at the same time improving performance for your visitors.

Reach

CloudFlare operates data centers around the world and uses an Anycast network that directs a web site’s visitors to the server nearest to them. After signing up for CloudFlare, your web site will have instant global reach: within five minutes of signing up with CloudFlare a web site is distributed around the world and visitors from every corner of the globe see an instant performance upgrade.

CloudFlare’s global network also means that Internet outages around the world do not affect your web site. Our team constantly monitors data center and Internet performance to ensure that the best route is taken for every individual visitor to your site ensuring that visitors, wherever they are, experience fast and always available web sites.

Additional CloudFlare services keep a web site online even when the actual web server is down and perform geolocation so that web servers can instantly understand where visitors come from.

CloudFlare can also automatically enable IPv6 on any web site so that visitors from the newest reaches of the Internet can visit web sites that continue to use the older IPv4 protocol—all with the click of a single button in the CloudFlare management UI.

Transformation

As traffic from a web site protected and accelerated by CloudFlare passes through CloudFlare’s servers it is transformed. Some transformations target security (such as filtering out bad requests) and others performance (such as optimizing JavaScript).

But CloudFlare’s available transformations go a step further: CloudFlare is able to modify your web site’s pages automatically. For example, turning on a service like Google Analytics can be achieved in a single click in CloudFlare’s management interface. Once enabled CloudFlare will automatically insert the appropriate JavaScript in every page. There is no need for you or your staff to make any changes to the web site itself.

CloudFlare can also protect sensitive content from potentially malicious users. For example, email addresses can be automatically detected and obfuscated so that humans can read them but machines can’t (helping to cut down on spam). A “Server Side Exclude” feature allows a web site owner to mark content so that it is hidden from suspicious visitors (such as potential bots scraping content).

Another transformation provides automatic hotlink protection for images so that valuable bandwidth isn’t taken by third-party web sites that embed images directly from a CloudFlare protected site.

CloudFlare can automatically minify HTML, JavaScript and CSS to make it smaller and load faster, and CloudFlare’s ScrapeShield app can insert tracking beacons on your web sites to detect and track content theft.

As new devices proliferate (such as tablets or smartphones) CloudFlare’s transformation features reformat a web page for optimal viewing on those devices, automatically. What’s best is that every single transformation requires nothing more than signing up for CloudFlare’s SMART webops service.

Summary

CloudFlare is a 24/7 WebOps team for any web site, no matter the size. It provides security, metrics, acceleration, reach and transformation with minimal change. And as CloudFlare enhances its services, all web sites using CloudFlare receive the benefit, automatically. CloudFlare’s customers range from individual bloggers to Fortune 100 corporations, and even national governments.

 

App: GoSquared, Real-time Web Analytics So You Can Act Now. Not Tomorrow.



We are excited to welcome GoSquared as the next CloudFlare app. The GoSquared team is based in London, but we were pleased to meet them on a recent visit to California. Both of us are excited to help make their real-time web analytics service incredibly easy to turn on for CloudFlare-powered sites.

GoSquared analytics allows you to react and respond to activity on your website in real-time, as it happens. Watch their video to learn more:

 

 

GoSquared provides all your essential metrics in one beautiful dashboard that is scalable to any device and looks great on a large screen, keeping the whole team driven by data. GoSquared also has a powerful API available for anyone to integrate real-time data into their site.


GoSquared features

With GoSquared you can respond, engage, and act now. Not tomorrow.

  • GoSquared's real-time dashboard allows you to view what's happening on your website in a single glance.
  • See what's popular on your site right now.
  • See where your visitors are coming from and whether they're engaging with your content.
  • Monitor the impact and effectiveness of campaigns in real-time.
  • Receive detailed alerts when traffic levels on your site are out of the ordinary.
  • React to visitor activity on your site before the opportunity has passed.
  • iPad app so you’re always in the loop

Easy instant on

Via CloudFlare Apps, you can turn on GoSquared instantly, with the right size plan for your site. No code to deploy. Interested in learning more? Visit the GoSquared App page today!

 

Posted by Kristin Tarr
 

App: Panopta Provides Advanced Server Monitoring and Outage Management Services

CloudFlare customers have websites of all sizes, so we're pleased to introduce a new advanced server monitoring and outage management service from Panopta as a CloudFlare App. Appealing to both enterprises and SMBs, Panopta will be the first to tell you if your infrastructure is down and provide you with tools to fix it.

What makes Panopta different? They offer three simple and unique areas that separate them from the rest of the market.

  • Deep and Wide Monitoring
  • No False Alerts
  • Intelligent Alerting




Deep and Wide Monitoring
 
Panopta gives you in-depth checks every 60 seconds from their global monitoring network, the Panopta Monitoring Agent and the Panopta Monitoring Appliance.

No False Alerts
 
Panopta guarantees no false alerts. No more chasing problems that aren't there.

Intelligent Alerting
 
Alerts are escalated to the right people at the right time, so you can rest assured that problems will be fixed as soon as possible.

Getting Started

Panopta offers four different plans, including:

$15/month for Solo
$50/month for Basic
$100/month for Intermediate
$250/month for Advanced

See all the details and sign up for Panopta's advanced server monitoring service now, via CloudFlare Apps.

Immediately, the first monitor will be set up for the home page of your site, with opportunity for detailed customization and additional monitors within the Panopta control panel. Try it now!

 

Posted by Kristin Tarr
 

30% More Traffic in Less Than a Blink of an Eye

[Graph: CloudFlare traffic from TOT (Thailand) over the last 9 days]

CloudFlare's traffic grows in a number of different ways. The most obvious is that we sign up more websites. We also grow as the natural traffic to sites using CloudFlare increases as they get more popular themselves. Another way we grow is less obvious but extremely cool: as CloudFlare makes the web faster, visitors end up surfing more pages.

Save 25ms, Get 30% More Page Views

We had a really good example of this in just the last couple days. Our networking team was able to work some routing magic to more efficiently get traffic to our Singapore data center. This, on average, saved about 25 milliseconds -- 0.025 seconds, a tiny sliver of time, about 1/12th the time it takes you to blink your eyes -- for requests from countries in the region including Thailand, Malaysia, and Indonesia.

The graph above shows traffic over the last 9 days from TOT, one of the largest ISPs in Thailand. You can see from the graph that traffic rises and falls depending on the time of day, which is normal, but if you look at the peaks you'll see they step up dramatically in the last two days.

Digging into the details, there was approximately a 30% increase across bandwidth, hits, and page views in the region after the improved routing. The increase holds even if you control for the day of the week, remove new sites that signed up over the period, and compare other regions that also benefited from the routing so as to control for other potential explanations like weather, news events, or anything else that would have had more people surfing the web in Thailand in the last few days. In other words, just eliminating 25ms in latency resulted in a 30% increase in traffic. That's really cool.

Faster Means More

The very nature of the way that TCP, the protocol of the Internet, works means that any performance benefit tends to be amplified. Google, Amazon and the other Internet giants have known for a long time that faster means higher engagement and more Internet use. At CloudFlare, we have network engineers that have helped build the networks for some of those Internet giants now at work tuning connections to save milliseconds for the rest of the web. We'll continue to add data centers and improve routing toward our mission of making a faster, safer web for everyone.

Posted by Matthew Prince
 

CloudFlare Tips: Recommended steps after activating through a partner

CloudFlare has partnered with a number of CloudFlare Certified Partners to make it simple for website owners that want a faster and safer website. Since signing up for CloudFlare through a hosting partner is different than signing up for CloudFlare directly, we wanted to provide some quick tips to help you get the most out of your CloudFlare experience.

Things you should know about right away
1) You do not need to change your name servers when activating through a hosting partner. You would still manage your DNS entries at your hosting provider or registrar.

2) CloudFlare can only be enabled for CNAME records when activating through a hosting partner. To enable CloudFlare on your root domain (yourdomain.com), which is an A record, you need to have your hosting partner set a 301 redirect from your root domain to www. Not only will the redirect help accelerate and protect the root domain, this will also make the statistics in your CloudFlare account accurate.

Note: If you have a naked domain, 'yourdomain.com', and you don't want your visitors to go to 'www.yourdomain.com', then you need to sign up directly with CloudFlare.

3) What you should do if you see any of the following error messages after enabling CloudFlare:

"Host Not Configured to Serve Web Traffic": This error message will appear on the first request to your site after activating through a partner, then will go away after a few minutes. If it lasts for more than 10 minutes, then contact your hosting provider and our support teams will work together to resolve it.

"CloudFlare-nginx 502 Bad Gateway": This is an issue on the CloudFlare network. We deal with these quickly (less than 10 minutes). We publish all announcements regarding our network status on @CloudFlareSys.

"Website is Unavailable": Either your server is offline and we don't have a copy of your site in cache or something on the origin server is blocking CloudFlare's IPs.

If your server is online, then work with your hosting provider to find out what could be blocking CloudFlare's IPs on your server. The most common culprit is a security solution such as a firewall like CSF or iptables. As soon as the block is removed, the error page will disappear.

Key CloudFlare features
SSL
If you have SSL on the domain(s), you will need to upgrade to a Pro account. The cost for a Pro account is $20.00 per month for the first website and $5.00 for each additional site. In addition to the SSL support, you will also receive additional security and performance benefits.

Note: You will find the option to upgrade to Pro in your CloudFlare account.

Development Mode
If you are making changes to the static content on your website, temporarily bypass CloudFlare's cache so any changes appear immediately. You can find Development Mode either right in your hosting provider's control panel or by logging in to your CloudFlare account under CloudFlare Settings. 

PageRules

PageRules gives you more powerful performance and configuration options, including:

Advanced Caching Configurations

Excluding URLs from CloudFlare's default caching and security options

Setting URL forwards and redirects

Recommended (Free!) Optional CloudFlare Features
CloudFlare has developed web content optimization features called Rocket Loader and Auto Minify. Both Rocket Loader and Auto Minify are designed to load your site's resources even faster than the default CloudFlare configuration.

Rocket Loader: Rocket Loader will speed up the delivery of your pages by automatically asynchronously loading your JavaScript resources. Rocket Loader works well for websites that have a lot of ads, widgets or plugins.

Auto Minify: Removes all unnecessary characters from HTML, CSS, and JavaScript to reduce file size.

Note: Both of these features are still in beta. If you encounter any issues, such as a broken plugin or JavaScript not working properly, then please turn the feature off and report any bugs to our team. 

To turn on Rocket Loader and Auto Minify, you need to log in to your CloudFlare account and go to CloudFlare Settings.

IPv6 Gateway

Make your website IPv6 compatible by turning on the CloudFlare IPv6 gateway.

Where you can find out more about CloudFlare
The CloudFlare Support Center has answers to a number of questions. Searching our knowledge base is the fastest way to get a quick response to the majority of questions. Don't see the answer to your question? Please contact CloudFlare.

Updates and Giveaways
We frequently post about product updates, early beta access to new features, system issues, and giveaways, so we recommend that you follow us on Facebook, Twitter or Google+:

Facebook
Twitter
Google+

Thank you for joining CloudFlare in partnership with your hosting provider.

Posted by Damon Billian
 

App: SiteLock Helps Protect Your Online Reputation, Keeps Your Business From Being Blacklisted


SiteLock is a website security monitoring service that protects your online reputation and provides additional security to your website.

There have never been more threats to your website than now. Hackers use malware, SQL injection, cross-site scripting and more sophisticated techniques to steal your customer data or redirect your traffic, ruining your site’s reputation.

SiteLock will alert you if your site is vulnerable to these issues, as well as if your site gets blacklisted for any reason by search engines or spam monitoring tools. SiteLock combines two types of scanning to provide an additional layer of security beyond the existing protection of CloudFlare to ensure your investment is protected and your reputation is safe.

Proactive scanning: Searches your site and network for common weak spots hackers exploit to inject malicious code into your site

Blacklist monitoring: Monitors search engine and spam blacklists to make sure your customers are seeing your site and receiving your messages

SiteLock’s security offers all of these features:

  • Daily 360-degree scanning for
    • SQL Injections
    • Cross-Site Scripting (XSS)
    • Applications
    • Viruses
    • Malware blacklisting
    • Spam blacklisting
  • On-Demand Expert Services to help you fix any security issue on your site
  • Alerts & Email Notifications
  • Dashboard Reports


In addition, SiteLock provides a Trust Seal for sites that are secure. The SiteLock Trust Seal provides customer confidence and has been proven to substantially increase your sales and conversions, with 70% of web visitors looking for a verifiable 3rd-party certification before providing personal data.

 


SiteLock is now available via the CloudFlare Apps.

 

Posted by Kristin Tarr
 

Introducing: I'm Under Attack Mode


CloudFlare provides a broad level of protection from a wide range of attacks. We do this while minimizing false positives or annoyances to legitimate customers. CloudFlare didn't begin as a DDoS mitigation service, but we've rapidly found that we are good at protecting sites from these attacks. Today we're offering a new security mode to make our DDoS protection even better.

A Brief History of DDoS

In the OSI model, traditional DDoS attacks targeted Layer 4, the so-called "transport" layer of the network stack, which specifies the protocol (e.g., TCP or UDP). These attacks flood an interface with garbage traffic in order to overwhelm its resources in one way or another. Usually, the attack fills up the capacity of a network switch or overwhelms a server's network card or its CPU's ability to handle the traffic.

CloudFlare has largely mitigated these attacks by building out significant capacity across our network. We have fat pipes and lots of machines to absorb floods of traffic. We also make broad use of the Anycast protocol, which has the effect of scattering the load of a distributed attack across multiple data centers, reducing the exposure of any potential single point of failure. The result is that no packets from a traditional Layer 4 attack will ever reach a site behind CloudFlare.

HTTP-Based Attacks

A new breed of attacks targets Layer 7, the "application" layer. These attacks focus on specific characteristics of web applications that present bottlenecks. For example, the so-called Slow Read attack sends packets very slowly across multiple connections. Since Apache opens a new thread for each connection, and since connections are maintained as long as there is some traffic being sent, you can overwhelm a web server by exhausting its thread pool relatively easily.
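The thread-pool pressure described above can be spotted from the server side. This added example (not CloudFlare's detection logic) flags sources that hold several old, nearly idle connections and reports the share of the worker pool they occupy; the snapshot is constructed, and the thresholds and pool size are assumptions to tune per server.

```python
from collections import Counter

# Constructed snapshot of open connections, in the spirit of a server-status
# page: (source_ip, seconds_open, bytes_sent_so_far)
SNAPSHOT = [
    ("198.51.100.7", 300, 1500),
    ("198.51.100.7", 280, 1400),
    ("198.51.100.7", 295, 1200),
    ("198.51.100.7", 310, 900),
    ("203.0.113.20", 2, 48000),       # short, fast download
    ("203.0.113.21", 120, 9000000),   # long-lived but busy transfer
    ("203.0.113.22", 90, 450),        # a single slow client
]

def slow_holders(snapshot, min_age=60, max_rate=50.0, min_conns=3):
    """Map source IP -> workers it holds with old, near-idle connections.

    A connection counts when it has been open at least min_age seconds and
    has moved at most max_rate bytes/second. One slow client is normal, so a
    source is reported only once it holds min_conns such connections.
    """
    held = Counter()
    for ip, age, sent in snapshot:
        if age >= min_age and sent / age <= max_rate:
            held[ip] += 1
    return {ip: n for ip, n in held.items() if n >= min_conns}

def pool_pressure(snapshot, workers=150, **thresholds):
    """Fraction of the worker pool (assumed size: workers) held by flagged sources."""
    return sum(slow_holders(snapshot, **thresholds).values()) / workers

if __name__ == "__main__":
    print(slow_holders(SNAPSHOT))
    print(f"{pool_pressure(SNAPSHOT):.1%} of workers held by slow sources")
```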

CloudFlare has protections in place against many of these attacks, and in real-world experience we generally reduce the HTTP attack traffic by about 90%. For most attacks and most of our customers, this has been enough to keep them online. However, the 10% of traffic that gets through our traditional protections can still be overwhelming, either for customers with limited resources or in the face of very large attacks. We wanted to help in these cases too, so today we're announcing something new.

I'm Under Attack Mode

Introducing "I'm Under Attack Mode." The name is pretty self-explanatory: it's a new security level you can set for your site when you're under attack. The effect is that we will add an additional set of protections to stop potentially malicious HTTP traffic from being passed to your server. While we perform a number of additional checks, the only thing noticeable to legitimate visitors to your site is that when they first arrive they'll see an interstitial page for about 5 seconds while the checks are completed. Think of it as a challenge where the tests are automatic and visitors never need to fill in a CAPTCHA.


Once verified as legitimate by the automated tests, visitors are able to browse your site unencumbered and typically won't see the test page again. JavaScript and cookies are required for the tests and for recording the fact that the tests were correctly passed. We've also designed the new checks to not block search engine crawlers, your existing whitelists, and other pre-vetted traffic. As a result, enabling I'm Under Attack Mode will not negatively impact your SEO or known legitimate visitors. What's also cool is that data on attack traffic that doesn't pass the automatic checks is fed back into CloudFlare's system to further enhance our traditional protections.
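How a passed test can be recorded in a cookie and checked on later requests, as an added example that is not CloudFlare's implementation: the HMAC-signed cookie format, its binding to client IP and User-Agent, the one-hour lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed; use a random, rotated key in practice

def _tag(expires, client_ip, user_agent, key):
    msg = f"{expires}|{client_ip}|{user_agent}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_clearance(client_ip, user_agent, now=None, ttl=3600, key=SECRET):
    """Cookie value handed out once the visitor has passed the automated tests."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{expires}.{_tag(expires, client_ip, user_agent, key)}"

def verify_clearance(cookie, client_ip, user_agent, now=None, key=SECRET):
    """True only for an unexpired, untampered cookie issued to this client."""
    try:
        expires_s, tag = cookie.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    if expires <= int(now if now is not None else time.time()):
        return False
    expected = _tag(expires, client_ip, user_agent, key)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), tag.encode())

def gate(client_ip, user_agent, cookie, allowlist=(), now=None):
    """Forward pre-vetted or already-cleared visitors; challenge everyone else."""
    if client_ip in allowlist:
        return "forward"
    if cookie and verify_clearance(cookie, client_ip, user_agent, now):
        return "forward"
    return "challenge"

if __name__ == "__main__":
    c = issue_clearance("203.0.113.5", "ExampleBrowser/1.0")
    print(gate("203.0.113.5", "ExampleBrowser/1.0", None))  # first visit
    print(gate("203.0.113.5", "ExampleBrowser/1.0", c))     # after passing
```

Because the tag covers the expiry, IP and User-Agent, a cookie copied to another client or edited to extend its lifetime fails verification and the visitor is challenged again.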


While CloudFlare did not start as a DDoS mitigation service, we have realized this is an area where we can provide a lot of benefit in an easy and affordable way. I'm Under Attack Mode is the first of several new features we'll be releasing over the coming month to offer a full gauntlet of DDoS protection. Stay tuned.

Posted by Matthew Prince