Sounds like OP is a casino and plays domain games to avoid regulatory interest. Recommend reading article carefully before reacting to the headline. Hopefully Cloudflare provides a perspective.
I have been hearing stories from developers/entrepeneurs about Cloudflare being very weird to deal with:
"We'd like to talk to you about an enterprise plan."
"No thanks, I'm fine with the free plan."
"Based on your traffic, we'd like to talk to you about an enteprrise plan."
"Is there a traffic limit on the free plan?"
"No, there is no limit. But based on your traffic, we require you to get an enteprirse plan."
[Gives up and gets an enterprise plan]
[6 months later]
"Based on your traffic, we'd like to talk to you about up'ing your enteprise plan to a new monthly pay."
"Is there a cap to traffic in our current plan? I don't see that in our terms."
"No, there is no cap to traffic in cloudflare plans, but based on your traffic, we're going to require you to pay more per month than you are currently paying."
"OK, can you tell me the traffic limit in our current or new plan? So I know what I'm paying for and when I'm approaching it?"
"No. But you need to pay more."
[Wash, rinse, repeat, every 6-12 months]
It seems like while cloudflare technically does not charge for egress, in fact for large egress it's just a game of chicken between the customer and a salesperson every 6-12 months, with the salesperson trying to figure out the most they can manage to get without losing the customer? I mean, I guess that is standard for enteprise sales, but I think usually you at least have some terms to know what you've got for how long without a renegotiation?
I wonder why they don’t just have clear limits - seems like it would make it easier to grok.
Genuine question: Why did you use `grok` in that context?
Under what contexts are you familiar with the term grok?
or don't feel like using an online dictionary when it's quicker than typing a question especially when you take feedback time into consideration. I just don't grok why anyone would do that.
You're on a site named hacker news; why would you expect any other word there?
Are you also weirdly angry that Musk used the term for their “he has one so I also must have one” LLM? *Stole* the term? That’s a special word, and out of the mouth of anyone but Valentine Michael is obscenity.
Rule: whenever someone prefaces a question with “genuine question” it’s actually a troll.
Also here you go: https://en.m.wikipedia.org/wiki/Grok
... in what other contexts would you use the word "grok"?
I think it being difficult to grok is the point, if they laid down exactly how much they want you to pay for bandwidth then it would be easy to go price shopping between them and the competition. But when it's "free" bandwidth, with a fuzzy line where it stops being free, and ambiguous pricing when it does, they can hook people in with a great deal and try to shake them down later.
I still encounter people who refuse to believe that CF bandwidth isn't really free, when you can easily demonstrate that it's not by just observing who uses them. If their bandwidth truly was free and unlimited with no catch whatsoever then every bandwidth giant like Imgur would use CF, but they don't. Imgur uses Fastly, probably because it's cheaper than CFs "free".
Free hits obscuring ruinous costs is a time honored strategy of drug dealers and all kinds of shady businesses.
Yeah our pretty large company switched to CloudFlare thinking of all the dollars they would save with little research but within a year were back at Akamai.
And Akamai is very expensive.
I suspect this is the answer, and it's just "momentum". once you're at a location and you're doing considerable "stuff" the move becomes painful and $200 more a month doesn't seem a lot if you're a company, but if they do that every 6 months or so before you know it's $1000 a month
That's not how the "free until it's not" pricing model works :P
IMHO it's just the price finding model that CF has adopted, I expect in the future they'll release limit numbers... unless they decide not releasing numbers is more profitable (i.e. the used car sales pricing model)
Presumably it gives them a lot more flexibility in deciding who has to pay more.
With published thresholds they’re less able to upsell someone just shy of the limit without publicly changing the tiers. Doing that has the potential to upset existing customers who are over the new limit all at once, while also providing intel to competitors looking to undercut them.
They don't want you to know where you are. It's like Kafka but the liberterian edition.
I thought about using CF in some of my deployments.
After hearing about these sorts of "discussions" from other colleagues, I certainly talked about using their services.
And then I realized that I had to hand them over my DNS? Uhh, no. It could have been "set nameserver to ours in your DNS console".
And also there was the recent SSL spoofing they're doing even with DNS with no hosted websites. And they charge money to send a revocation.
The whole thing is a hot yipes!
In fairness regarding this particular post, the author admits they were probably violating Cloudflare's ToS, and they knew it.
The folks at CF could have been less obtuse in handling the matter. But at the end of the day this is an online casino breaking ToS and they got spanked.
I believed that too, then I noticed they had a feature for the TOS violation that didn't fundamentally change anything. The only difference was you paid for it. In that way it's not your average TOS violation.
I saw that. Not clear to me that there's anything wrong with that. There's a lower tier with more restrictions. You want to do certain things, you need a custom plan. This is not unusual.
The most unprofessional thing CF did in my view was cutting off the customer's service so abruptly. But we have to bear in mind here we're only seeing one side of the story. And again, online casino, violating ToS, using CF's platform to circumvent blocks that were being placed on their website. Potentially to circumvent laws and so forth. That custom quote they received from CF could be pricing in a lot of things, including legal risk.
There's just a lot we don't know here, this isn't a typical customer and the idea that they got cut off abruptly because they told CF they were shopping around is entirely speculation by the post author.
Yeah, those are fair points. I was just surprised to see "you can't do illegal things without custom pricing." It's an interesting avenue.
And then I realized that I had to hand them over my DNS? Uhh, no. It could have been "set nameserver to ours in your DNS console".
And also there was the recent SSL spoofing they're doing even with DNS with no hosted websites. And they charge money to send a revocation.
What's your threat model here? That cloudflare will go rogue and... MITM your users? Can't they do that even if they're not in charge of your DNS? Even if you point an A record to them, that's enough to get a certificate via an ACME http-01 challenge[1].
[1] https://letsencrypt.org/docs/challenge-types/#http-01-challe...
You don't have to. In fact there are some TLDs that they don't even support.
You just need to configure the nameservers and that's it. That's how I do it for mine.
It could have been "set nameserver to ours in your DNS console".
... that's how it works? They give you the nameservers to use, you set your domains up with them.
You can register a domain through them, but don't have to.
You forget to mention that the DDoS traffic causing these issues are also behind cloudflare, but they don't give a damn about them, for obvious business reasons.
Cloudflare controls supply and demand, which, by definition of the law, should be classified as extortion.
should be classified as extortion.
It meets the definition of a RICO "enterprise". The question is, will anyone bring it up for judicial review?
It meets the definition of a RICO "enterprise".
1. It's probably not RICO[1]
2. Are businesses under any obligation to take down shady businesses (eg. DDoS services that are ostensibly stress testing services) absent a court order?
[1] https://web.archive.org/web/20180305062824/https://www.popeh..., specifically sections "Wait. Isn't the defendant the enterprise?" and "So what's "racketeering activity"?"
Look up "www.crimeflare.org/cfs.html" in the web archive on http port 82.
This guy ran a DNS for years to prove it until he disappeared. Lots of nazi websites, ddoxing sites, crime networks, conspiracy sites, ransomware groups and russian misinformation campaigns that he uncovered.
Honestly I don't see another way to gather the data necessary for this otherwise. You have to have the DNS data to be able to imply intent.
We had a similar experience. Stuff suddenly started breaking for 10% of our traffic, support dragged their feet for weeks wrt any sort of insight as to what was going on, and then the answer was “you’re over an undocumented limit, try the enterprise plan”.
Fwiw this was some years ago and we moved most of our stuff away from them in response. I didn't get the feeling that this was malicious from their side, more like growing pains / mediocre support people / etc. But the end result was the same as you describe, except we chose not to pay up.
EDIT: more context: I shared this story on HN once before, jgrahamc responded with “please email me”, we did but it didn't move the needle. This further convinced me that CF just has a lot of stuff going on and something weird about our traffic made them error out. My suspicion is that the enterprise plan was supposed to make it internally defensible to pour more engineering resources into our case, but they were never explicit about that which made us worry enough to not do it.
I think that a large reputable business like CF should be clearer about stuff like this. That said, as someone running an API business, I also hold some sympathy for “customer does something weird an unexpected, it’s hitting a limit we didn't even know we had, srsly now what?”. The answer to that should be “work together with the customer to get to the bottom of things, customer might need to make changes too”. They didn't do that, which disappointed us, but I can relate to the situation nonetheless.
We’re still a CF customer, just not for this part of our offering.
undocumented limit
this makes it sound like the limit is automatic or applies non-discriminately to customers, but my first instinct is that this was manually set by someone, maybe the sales reps again?
Yeah so I think it might’ve been a real system limit of sorts. Something timing out somewhere, some pipe getting clogged in a way that their edge nodes couldn’t scale their way out of the way they usually do. Eg because the scaling/monitoring code didn't detect that particular pipe getting clogged etc. We had weird long-running http requests at the time.
Note, this is pure conjecture, I’m just well aware from my own engineering experience that stuff can break under varied load in all kinds of unexpected ways. A large part of the work of an infrastructure business is going “woa shit I hadnt expected that we could fail in that way too” and then building infrastructure to be able to handle that case. You simply can’t predict everything your customers are going to throw at you. I think this was what happened + not sufficiently knowledgeable/experienced support. But I admit that I’m really just guessing.
The alternative would be that CF purposefully dropped 10% of our traffic to convince us to upgrade to enterprise, and despite our bad experience, I don’t believe they’re that kind of business. And if they were they handled it very badly because it took them 3 weeks of feet-dragging to even bring up the upsell.
I wouldn't trust a company after they pulled this stunt just once. Why are you letting them do this to you(r company)?
it's not me -- which is why i'm not nervous about talking about it on HN. I work in the non-profit sector and don't currently use Cloudflare. Just stories I've heard from others.
I'd guess that the cost of switching/cost compared to other alternatives/cost compared to business value/revenue, remained sustainable for the customer, who didn't want to deal with a switch.
In truth, this is kind of how "enterprise sales" has always worked? The salesperson trying to figure out the biggest price that won't lose the customer? But additionally having unclear terms and unclear length of contract (or really no contract locking in your terms/payment) is definitely in the vendor's favor...
Sounds like auth0…
But they have explicit limits?
Our experience has been quite the opposite once we were forced to migrate from a free plan (a long time ago after what felt like abusing the free plan due to the amount of bandwidth we were using).
The bandwidth caps and all included features were clearly spelled out in the entetprise contract and when we went over, they didn't push for a contract renegotiation unless the overage lasted like 3+ months. And we frequently got new features included in for free.
In fact, recently they asked to renegotiate the contract due to some obsolescence and we ended up significantly dropping the bill as a result. Kind of backfired on them, I wonder if the account manager is kicking herself for this.
Do they offer tangible benefits to justify the higher fees?
That's the thing that gets me about all types of subscriptions / pay walls. You have my attention momentarially, make your best pitch as to why paying you is in my interest.
Can any1 explain how HN algo works that this post, which at time of writing has 355p, 180comments while being posted 1 hour ago, isn't even on first page (ranked 31)???
Flags below the [flagged] threshold are invisible but still act to downweight the post.
I've noticed that cloudflare complaint threads get flagged with surprising and unwarranted regularity.
Almost, like … maybe one of the “protection” providers might have ways to suppress bad media?
puts on tin foil hat and looks around nervously
A more charitable interpretation is that lots of techy HN'ers would rather defend CF against an unknown company, as some sort of tribal allegiance - the same way Apple has a huge cult following. Nonetheless the end result (flagging/downranking) is wrong - hell, I had to find this thread by going to my previous comments as I couldn't find it on the front 2 pages. If that isn't considered an abuse of systems (again, charitably speaking, unintentionally), I don't know what is.
I don’t think we need any conspiracy theories. I can easily see people getting tired of these kind of articles and the predictable torrent of outraged comments.
They are valuable in keeping people aware of what’s going on. But only to a point and people will endlessly argue over where that point is and scream censorship and over ups by corporate interests.
It gets rather grating after a while. Even more so when I suspect an article is omitting key facts to generate the attention they want.
I haven’t flagged this article but I can easily see why people would.
if you check sites that track HN's rankings, it was ranked #1 for a while, then it suddenly dropped to #27 and continued declining https://hnrankings.info/40481808/
yes that's pretty blatant isn't it
thanks for sharing. I didn't even know this was a thing! Comparing to 4 or 5 others, this definitely looks more like a step function into obscurity unlike the other lol
My guess for why this would be flagged: its a gambling website so people are unsympathetic. Definitely an abuse of the flagging system.
Maybe HN needs a flagging ring detector as well as its voting ring detector.
I though flagged content showed a "[flagged]" in the title?
Yeah I commented, refreshed and was shocked to see it disappear. It's ironic that we're (reasonably) asking for transparency about a post which is kind of about non-transparency.
It could have flags on it or maybe the flamewar detector got tripped.
Moderator action seems unlikely because it’s still on the second page.
Remember, on HN there is such a thing as commenting too fast
If a thread is too interesting, it gets penalized, can't have too many people commenting on an exciting topic
Cloudflare was the company that went viral for the firing of an account rep not hitting her goals. I wonder if it’s overall indicative of not a great culture in terms of relationships with enterprise customers.
Cloudflare was the company that went viral for the firing of an account rep not hitting her goals.
How is that something worth going viral over? Salespeople get fired all the time for not meeting their sales goals. Engineers similarly get fired all the time for not meeting their productivity goals. If you don't do your job well, don't expect to keep it.
And if I recall correctly, in this particular case, she was a green employee who hadn't even made a single sale yet! What more obvious of a layoff target is there than that? Would you keep a green unproven salesperson over a proven veteran salesperson who's landed 9 figures in sales?
While I agree with you, I think the call is for companies to be less psychopathic and stop onboarding people within 90 days of mass layoffs.
Especially in a world where people pick up their whole lives and relocate for jobs. Recent joiners aren't getting any sustainable kind of severance either. The idea is if you're hiring them you have a minimum commitment to support their success.
Yes she was an obvious fire, but it's also the organization's fault. Enterprise deals also take way longer to close than that...
All that said, salespeople can and do move jobs a lot. I'm sure she'll be fine.
I think the call is for companies to be less psychopathic and stop onboarding people within 90 days of mass layoffs.
Was there any indication that the "mass layoffs" were planned 90 days in advance?
That wasn't how I interpreted this phrasing. I read it as "it is worth being critical of an org that does mass layoffs and then goes on to hire new people to fill vacated roles shortly after the layoffs were finished".
That timing shows that it's not just implementing headcount and budget reductions, which are somewhat defensible if still tragic. It was instead a forced turnover, which in some cases can be a route to wage suppression.
That timing shows that it's not just implementing headcount and budget reductions, which are somewhat defensible if still tragic. It was instead a forced turnover, which in some cases can be a route to wage suppression.
Apparently the person in question was fired within 3 months of being hired[1]. If this is true it seems like a stretch to characterize it as "forced turnover" or "wage suppression".
It takes around that long to plan and for public companies they don't just suddenly come to that decision within a single quarter, but also that's missing the point.
If you're a public company and you go from healthy to mass layoffs within a single quarter then your investors (and employees) should be a lot more concerned.
If you're a public company and you go from healthy to mass layoffs within a single quarter then your investors (and employees) should be a lot more concerned.
1. According to the CEO the layoffs in question were for "~40 sales people out of over 1,500 in our go to market org"[1]. Is that really a "mass layoff"?
2. Did you not remember that the layoffs coincided with reversal in macroeconomic conditions? Specifically, the reversal from "inflation is transitory" to "inflation is persistent and the central bank will hike interest interest rates".
She did say that she didn't bring in any customers...
She did say she was around for only 6 months and enterprise sales cycles can last 12+. Though I guess if you’re engaging in scammy behavior it can be much less… maybe she wasn’t willing to do that.
Sorry, but if you‘re onboarded in a Sales Team you‘re at first getting small fry customers to get used to your Job. Cloudflare is massive and a complete no-brainer for 95% of companies. Not only that, she couldn‘t even land a single enterprise upcharge. Cold calls are hard, but upsells are much easier because companies are pretty much vendor locked with CF.
If you can‘t land a single customer in 6 months under these circumstances, you‘re likely just not a good fit.
From personal experience I know that 10TB per month is like 30k/year and SSL for SaaS is around 40k/year on the enterprise plan. No idea about pricing for having your own IP.
I have no idea why Cloudflare would ask you to use these two features. SSL for SaaS is only useful if you want to add domains and certificates via API.
I have had my fair share of negative experience with Cloudflare but this is next level bad. Unfortunately companies can chose who they want to do business with but it shouldn't be like this.
From personal experience I know that 10TB per month is like 30k/year
Is this true? We are at 3TB and growing so I'm slightly concerned
It's not even 100Mbps sustained. That is nowhere near 30k/year or you're getting ripped off.
For 3k/month you can get a good quality 10Gbps link. That's 3.2PB with a P.
Yeah that's why I was asking
Start making a backup plan
From personal experience I know that 10TB per month is like 30k/year
What the hell? That's way more than AWS costs, 90% of which would be egress fees. And cloudflare has done a lot of marketing to rightfully call out those egress fees as far too high.
It's the whole enterprise plan, you can't only buy traffic. So you also get all the features which you don't need or want as you can see from the screenshota shared in the original post.
Even on the enterprise plan they don't really start to talk to you about traffic until you are like 3x over your contracted traffic for a couple of months.
It sucks, it feels like they are competing against themselves because they don't have clear pricing or limits.
Unfortunately companies can chose who they want to do business with but it shouldn't be like this.
If you have a contract with them then they can't arbitrarily choose who they do business with. OP would presumably have a chance at a lawsuit against cloudflare here, the success of which would depend on how well cloudflare argued the ToS violation. A lawsuit might not be worth pursuing here, but this isn't a case of "it can't be helped".
10TB per month is like 30k/year
That can’t be right. I’ve hit 10+ TB within a few weeks on free tier and everything was fine
- "This also means that if a country DNS-blocks our main domain, a secondary domain may still be available. This could arguably be seen as a violation of the Cloudflare TOS, as they wrote above."
Attorneys love it when people put everything in writing like this.
Devil's advocate:
If a country A decides to block twitter.com but forgets to ban x.com which remains available ... is Twitter engaging in illegality / violation of CDN terms of service?
Like most things in the legal system, it depends on intent. It's pretty obvious that twitter's rebrand to x.com was an actual rebrand and not some way of evading domain bans.
The author claims a reasonable intent and they give a traffic number that proves they're not doing "domain rotation".
The author claims a reasonable intent
Right, I'm not arguing that they're guilty, just that the legal system doesn't operate off pure black and white rules like "if you have two seemingly unrelated domains then you're trying to evade bans".
and they give a traffic number that proves they're not doing "domain rotation".
Are you talking about the part where they said "95% of our traffic through the main domain"? Without additional context behind that number it's a stretch to claim that "proves" they're not trying to evade bans. For instance if their country is banned in country A, but country A is a small country that only makes up 3% of their overall traffic, they can confidently claim "95% of our traffic through the main domain" while still theoretically using alternate domains for ban evasion purposes.
This has always been my concern about establishing a presence online. I've considered blogging about my experiences at work or the cool stuff that I've built and it feels impossible for me to know when I've crossed a legal boundary. How do I know for sure if I'm sharing proprietary stuff or confidential stuff. The lines of legality seem to get blurry real quick.
This is legally equivalent to "we have domain aliases". Lots of sites have those. Do you think that's really the problem here?
Is this why cloudflare manages to be cheap?
It's unclear as it shouldn't be possible to be cheap. That said, in a world of data, Cloudflare being a massive man in the middle (MITM) probably means something [1].
[1] Cloudflare decrypts your traffic, reads it, and then forwards it. They see all encrypted data going to and from your website, in plaintext.
This data collection project has a name: "Project Honey Pot" (and had excellent relations with FBI), look closely the story that led to Cloudflare.
Wow. This is a travesty if I've ever known one. Hopefully, that can be posted and upvoted on HN.
I actually like Cloudflare very much from a technical perspective, so I wouldn't want to hurt them.
In fact, the company vision and values (as the team grew) may have changed over the time, but originally it seems it was somewhat of a different spirit (and closer to a data collection network).
Their business model is described in their S1 filing: https://www.sec.gov/Archives/edgar/data/1477333/000119312519...
* Cloudflare operates at a scale where its caching saves a lot of bandwidth, which saves ISPs money, which makes Cloudflare an attractive partner for peering and co-location.
* CDN is a platform on top of which Cloudflare can offer a lot of additional services that used to be expensive dedicated middleboxes.
They manage to be cheap because it's massively multitenant infra
This post was definitely demoted by HN. It stayed in the first position for less than 5 minutes and, as it quickly gathered upvotes, it jumped straight into 24th and quickly fell off the first page as it got 200 or so more points in less than an hour.
I'm 80% confident HN tried to hide this link. It's the fastest downhill I've noticed on here, and I've been lurking and commenting for longer than 10 years.
I had to search for it. I was under the impression that HN removed it for some reason.
Does HN has stake in cloudflare?!
Ranking is strongly impacted by the flamewar-detector. Affected threads are automatically downranked to cool things down until a moderator steps in and manually reviews it.
Page 3 at #70 after four hours.
That’s why I use hckrnews-com as HN front-end.
yep, it happens every single time a negative story about cloudflare appears
more than a coincidence
Why is HN demoting this article?
It was at the top of HN, then quickly buried to #20-#30. It is now at #27, being a hour old with 318 points.
It is actually more likely it is the opposite, that it got temporarily boosted to get exposure, and then fell back as interest vaned. If mods want it gone, then it will be gone.
175 comments and +350 points in 1 hour is anything but "vanished interest" imho.
In the last 10 minutes, it got 35 more upvotes, but dropped from 27 to 30.
Yep, from #1 to bottom of the first page in 5 minutes...
It was significantly downranked after about an hour on #1: https://hnrankings.info/40481808/
As far as I can tell, the issue with this is:
OP runs a casino/gambling site. Gambling is a regulatory mess (I have spent far too long dealing with this as an RNG supplier), and so it's very hard to comply with every jurisdiction, and each one needs you to prove compliance to operate in that jurisdiction.* Gaming companies spend a lot on compliance and tracking, but since the internet is the internet, it's pretty hard to enforce perfectly, so some countries and ISPs take this into their own hands.
Due to that, IPs hosting gambling and gaming sites often get regionally blocked by internet providers or otherwise flagged as hosting illegal content. Those regional blocks consequently affect the reputation score of the IP, and if you are a traffic aggregator like Cloudflare, can cause other customers to have issues. One of the most aggressive and annoying regulatory environments for gambling companies is the US, so it's very possible Cloudflare has had some trouble due to gambling use of their IPs in states in the USA.
Cloudflare wanted them to use the BYOIP features of the enterprise plan, and did not want them on Cloudflare's IPs. The solution was to aggressively sell the Enterprise plan, and in a stunning failure of corporate communication, not tell the customer what the problem was at all. The message from Cloudflare should have been "Enterprise plan + BYOIP or ban, and maybe we'll work with you on price" but it was instead "you would really like the Enterprise plan."
*As an aside - we're lucky in that respect being a tech supplier with relatively uniform rules, but our customers (the gaming companies) get the short end of the stick here.
I also wonder if the company in the article didn’t know that (either by reading between the lines as you did or via other correspondence they didn’t mention) and weighed that in their decision to go with Fastly.
BYOIP isn’t just expensive—if your content is bad for IP reputation the time-to-flagging of your IPs is going to be way shorter on BYOIP than on shared IPs due to there being less dilution. And that’s without getting into the challenges around rotating/renting IPs on a continual basis.
I do agree that CF did not communicate that well or professionally—if the sales emails are the only comms that happened here.
I think it is possible that the company posting this didn't realize that this might be the issue, but you are right that they may know. It may have been a small company, even doing that much bandwidth. Online gambling sites tend to push an entire video game when you are playing on their site.
Many gambling companies are fine just doing BYOIP or running dedicated hosting infrastructure that is on providers who are explicitly running hosting for that industry (although they are moving to cloud). There is a good reason this separate infrastructure exists. In general, I would not assume they are rotating IPs: this is not a scam, it's a business, and they are largely fine with being blocked in places where they can't legally operate.
BYOIP is reasonable, though I doubt anyone actually does legislation blocks by IP. Since like half of companies on the internet use Cloudflare or other multi-tenant infrastructure everyone is aware that you can't block an IP address and hit one target. The only thing I've seen is DNS blocks (both DNS protocol directly and based on TLS SNI).
FYI, we also fully block users from the US (due to regulations).
My problem here is mainly the unprofessional communication and huge mess of mixing "compliance" with sales, without giving any clear information or options. And then the removal of our account without warning while we were still talking to them.
You would be surprised how big of a hammer ISPs will use when they are told to hit something. They live in a very different world than many modern web software companies - they are the plumbers for lots of things you take for granted, and look at the world the way a plumber does. Thanks to TLS, the plumbers can't see the HTTP headers to figure out what's actually flowing, so they sort of end up whacking all of it.
Generally, low-reputation IP addresses are associated with scams, spammers, and other similar things. Gaming somehow gets lumped into this bucket in some jurisdictions, but that hurts you worldwide (similar with other "sin businesses" like porn). These blacklists get published (I think there's some parts of BGP that make this happen, but I'm not quite sure what the mechanism is), and being on any one of them hurts your traffic everywhere because it becomes suspect.
I agree with you that this mix of compliance, engineering, and sales is gross. If this was the issue, they should have just told the OP.
After they deplatformed KiwiFarms, I thought that's an isolated case but turns out they are just unprofessional. I can't have pity for a casino service anyways.
Didn’t they also deplatform stormfront and a few others they didn’t like?
Yes but then people argued it's about these websites being bad. Turns out it's just about money, considering Cloudflare has no problem with CP or other website calling for violence and celebrating it.
a web forum that facilitates the discussion and harassment of online figures and communities. Their targets are often subject to organized group trolling and stalking, as well as doxxing and real-life harassment.These actions have tied Kiwi Farms to the suicides of three people targeted by members of the forum.
Sounds like a pretty abhorrent website
Who wrote that?
The recommendations to, basically, not keep all your eggs in one basket and have backups of config are surely good ideas. But if you have to plan on dropping cloudflare in some arbitrary 24 hour window, perhaps it’s CF that’s the problem. This sort of stuff and other recent articles about CF are so worrying that it’s now being run by the finance team (hence why every email they got in this article was from sales teams rather than any technical folks).
Also; if not registering domains on CF does anyone else do at-cost or otherwise super cheap pricing?
I’d say be wary of any public company and actively make plans to get out of any company that gets acquired by private equity.
Actually had a sales call with Cloudflare in the last month and I got some bad vibes from the whole experience. We did not end up going with them.
May I ask who you ended up going with? We had a similar experience recently and have some concerns with anything on CF.
We already have DDoS protection from our colo provider and it wasn't clearly advantageous to switch to Cloudflare. We were mainly interested in zero trust but I don't know what we're looking at as of now; we still use various VPNs which, while not exactly fashionable, do work for us.
Wisdom of the ancients: Always make sure your domain services are completely independent from your other service provider(s), regardless of whether Cloudflare is involved. (Sorry, no recommendations at this time.)
$250/month sounds like nothing at all for a site with a claimed 4M MAU. The enterprise rate of $10k/month sounds a lot more reasonable. If everything presented here is accurate, I'm not understanding the sharp discrepancy in pricing tiers. If anything they should've already been paying more than $10k/month for massive traffic on the basic plan and then be able to save money by paying for massive scale when negotiating rates for the enterprise plan.
Also this sounds like an online gambling site of questionable legality, knowingly serving customers in jurisdictions where it's illegal, so I can't say I have too much sympathy, and I feel like Cloudflare effectively fired them as a customer when they realized what they were up to.
According to Cloudflare themselves, 80TB traffic should cost around $100/month. See: https://blog.cloudflare.com/aws-egregious-egress
That's just one of many components of what you pay them in total, though.
Still far from $10k/mo.
The amount shouldn't matter, it's the unprofessional response from CF that's of concern. Also, the author doesn't necessarily say that they would be unwilling to pay more or even negotiate a higher price. The author has made it explicit that CF were more or less unwilling for any practical conversation. That, to me, is the problem. A lack of professional courtesy, communication, and transparency. Obviously there may be details from this exchange which have been omitted but if I were in this position, I would be equally upset.
Racketeering is easier and more profitable than actual services.
Shocking how often "gatekeepers" fall to the temptation.
Speaking of racketeering, it's an enlightening experience to search for "stresser" or "booter" providers (euphemisms for DDoS-as-a-Service) and look up their NS records to see who helping them ward off competitors DDoS attacks and keep their origin servers hidden. 9 times out of 10 it's Cloudflare, with the few exceptions being DDoS-Guard, who more or less specialize in facilitating crime.
I wouldn't be the least bit surprised if DDOS protection providers were using DDOS on their prospective customers via proxy. Problem, reaction, solution. Did you pay your "protection" money this month, Luigi?
See also early "anti" virus industry.
We had a site hosted on CF business plan with fairly large bandwidth usage (completely legal, had a lot of media). They approached us with an enterprise plan but we did not have the budget for it.
Asked for a little time, they said fine and we moved much of the bandwidth usage to a couple of dedicated servers on OVH I think.
Never heard from them after that.
How do you deal with DDoS attacks against said OVH servers?
By default, every OVHcloud product is supported by the Anti-DDoS infrastructure to defend against malicious activity. https://us.ovhcloud.com/security/anti-ddos/
Can I ask how much bandwidth we are talking?
We are doing about 3TB
I will remind HNers: is Cloudflare not the company that leaked sensitive data through cache files that were indexed by at least Google, and when the tech community were up in arms about the massive leakage of sensitive data, the CEO’s strategy was to turn up here and criticise Google for not deindexing quickly enough?
You get what you pay for.
I remember them criticising Google for not being faster at removing cached files. I don't remember them blaming Google for their screw up.
And let's be honest, if a big provider wants to offer cached versions of pages, they probably should have a way to purge those files in case there's a problem (eg: malware).
I don't remember them blaming Google for their screw up.
You're putting words into my mouth.
That's one of the main reasons I'm leary about them. Such a big f-up is difficult to forget. It shows that they have a move fast and break things culture which for a company that is responsible for critical infrastructure feels wrong.
has this happened to any businesses that were not questionably legal?
There are links in the article, for example:
"Small SaaS banned by Cloudflare after 4 years of being paying customer"
https://news.ycombinator.com/item?id=34639212
Also:
In both examples you provided it was less "banned" and more "switch to a higher priced plan or we'll kick you off". In both cases they seem to be bandwidth related, and in the second case specifically they mentioned having hundreds of terabytes bandwidth but were upset for being told to upgrade to the $200 plan.
Thanks, I was genuinely curious
Do we know of any alternative services providing at least the basics of what Cloudflare does?
Such as:
- Unmetered DDoS protection (i.e. no absurd base fee for it existing)
- Unmetered rate limiting (protection against cost attacks on the next)
- Reasonably priced object storage (i.e. not more expensive than numbers listed here https://blog.cloudflare.com/aws-egregious-egress)
Easy to build in a few weekends, grab a few geodistributed racks with Mellanox NICs and do HW offload. Obj storage is a similar NVME DMA approach.
CloudFlare does not provide unmetered anything, at best they provide services on a discretionary basis while trying as hard as possible to make it appear this is not the case. It's better to think of their product line as a CRM system with some CDN features on the side
To be fair to CloudFlare - let's replace "unmetered" with "fair use".
Very typically free = actually "fair use".
Where it gets murky is when this becomes a shotgun sales tactic.
When we told them we were also in talks with Fastly, they suddenly "purged" all our domains
Holy shit.
What’s especially shocking is how closely coupled sales and engineering are. Like I get they talk, but for a sales call to end in engineering pulling the plug…
To me it's pretty clear: Trust & Safety (NOT engineering; they don't appear to be involved) likely raised an alarm saying "Customer X is breaking TOS - no immediate resolution available, but something might be possible given extensive legal & engineering review. Recommend switching to enterprise so we can study how to make it work."
In that light you can see why Sales would be sent as the messenger. But I agree they shouldn't have been involved. Sending a T&S representative would have been better. But then again it looks like from screenshot #2 that they kind of did that? They just didn't have a direct call with T&S.
What a way to more quickly show your customer the door.
Im reading between the lines here but it seems like the traffic amount, the saas subscription tier, and the actions required to remidiate some issue were all unaligned.
1. Its quite possible thar CF having this site on some multi-tenant infrastructure could be threatening. Not unreasonable at least to ask them to have their own IP block.
2. If thats the issue then a clear explanation should have been provided. Routing to sales is inexcusable. Someone isnt being transparent.
3. If it’s a pure cost / revenue issue then say that, set a deadline and negotiate. This is bad karma and even though CF is clearly the market leader, what they do isnt rocket surgery. Not worth it.
My thoughts here are also all speculation, but when you mentioned multi-tenant issues my mind immediately went to a situation I've seen all too many times before:
- a companies ops team identifies a tenant that is too heavy/burdensome for multi-tenant infra and is causing issues. These issues can cost a serious amount of money if you factor in dev/ops times to resolve, other customers impacted, etc. Certainly more than what a hypothetical single multi-tenant customer could be paying
- they escalated internally and need the tenant moved to enterprise asap to resolve
- the only reason the tenant was on multi was because sales sold them the wrong thing, so now it's on sales to explain how to fix this
- improper handling internally results in this landing only on sales, with no backup, and with their task being to get them to take enterprise
- when the customer refuses enterprise they go "we've tried nothing and we're all out of ideas"
Again, this is totally speculation and I'd hope CF has more mature practices than this but this is a scenario I've seen before in much smaller orgs.
What stands out as odd to me is that CF seems to be pushing away a $10k/month customer. No business can reasonably be expected to accept sudden price changes like that, even if they'd paid, they would've moved away within a year.
Given that the article is an online casino that seems to be using potentially ToS violating domain rotation, and that they pay so little per month for apparently millions of users, I for one will not form an opinion on CF based on this article before CF has a chance to defend itself.
It has become apparent that doing business with Cloudflare is a liability.
This is the nail on the coffin, but make no mistake, Cloudflare has been a liability. It's a massive Man In the Middle decrypting all traffic, including OkCupid and 4chan for example. Imagine all those 4channers learning they aren't actually anon.
That's literally their business and why people use Cloudflare.
Caching, detecting+modifying headers, routing traffic, ...
I'm a SysOps engineer at a fairly large online casino.
So they did a good thing taking it down, no?? Addiction as a businessmodel is not that cool
Sidestepping the whole ethical conversation and just taking it as a good action for the hosting provider to do it still fails the sniff test as Cloudflare (according to this story at least) didn't seek to take it down rather sought to make more off of it.
Sure, but if two bad entities fight I don't care about any of them, let them fight to death.
The OP does not give their company nor domain name. I wonder if this is related to recent efforts by the Dutch to collaborate with Cloudflare to prevent online gambling companies operating in the Netherlands.
https://igamingbusiness.com/legal-compliance/legal/cloudflar...
We do already fully block the Netherlands since a long time ago since their regulations don't allow us to operate there.
The KSA license doesn't sound too unreasonable on the surface. What was the hang-up?
Notable, their Enterprise plan quote included BYOIP. I think that's the kicker. Cloudflare likely got a few of their anycast load balancing IPs blocked in one country, causing a huge disruption, because this customer that makes them no money wasn't in full compliance with local laws.
If that is the “key” they should be transparent and explicit about it. Now it seems CF is a Mafia that realizes one of their extorted business should be squeezed to death for more cash.
Casinos should indeed be squeezed to death, and the money should go back to their victims
This doesn't pass the sniff test. From the actions Cloudflare took and their communication, it's very clear that there was something about the way their services were used that they were unhappy about. The post doesn't include what that problem was, but I have a very hard time believing that the author was not in the know and just got their account nuked without any further commentary, especially after being in a number of calls with real human beings from Cloudflare. Surely they'd have plenty of room to both ask and tell to figure out what the issue is. More than anything, this sounds like they knowingly did something shady and are now trying to shift the blame.
So CF is ok with shady for 10k but not for .25k?
Maybe... Same ratio: I might be ok to do shady stuff for 100k a month, but not 2.5k a month
This is my first post on Hacker News as I primarily just browse. This situation kept me intrigued, wanting to know how it would unfold.
The Google Cloud situation and all these little happenings, including the proliferation of Gen AI into everything, make me long for the days when companies had their mainframes onsite, in closets or separate rooms, away from CDNs and cloud networks. It seems like a better idea to use these cloud networks as a separate off-site backup rather than for primary use.
I’d love to learn more about what will happen next in this saga. I’ve seen a post where a Cloudflare exec has posted here on HN before. They probably won’t say anything for legal reasons, but what repercussions can Cloudflare expect for this? Will they be, or can they be, sued for this downtime and the related expenses?
Unfortunately it's difficult and expensive to scale those traditional solutions to the modern world of billions of internet users located all over the world. It's still quite slow to access a server on the other side of the globe. It's less noticeable for an american user accessing an american company's resources.
Did you ever notice the bit in EULAs that states that maximum liability to the vendor is capped at what you paid?
When big cloud goes down, you get a few days of credit. That's it.
I'm a SysOps engineer at a fairly large online casino. We have around 4 million monthly active users. We had been happy Cloudflare customers since 2018 on the "Business" plan which has some neat features and costs $250/month for "unlimited" traffic.
Sorry to be “that guy,” but, you’re serving 4 million people at a casino and paying $250 a month for shared multi tenant infra, and you’re SURPRISED you have problems? Really?
To be honest, I’m glad these sorts of businesses get kicked off Cloudflare because it causes problems for others sharing the same IP space and infra. I’ll let someone else with experience discuss how many times a day the network would see a hacking or DDoS attempt against the online casino, which is by far the favorite target of hackers. But in general, I just don’t want any of my infra touching the same stuff as these guys.
Like another person here, I am assuming that Cloudflare ops told someone “tell these guys to get their own IPs and upgrade,” and then the message went to Cloudflare’s (utterly lousy!!!) sales people to try to fix before shutdown, and then it all turned into the mess we see here.
The true moral of the story, I think, is, if you’re running an online casino on a shoestring budget, expect bad things to happen to you. Of all kinds.
What happened to net neutrality? Why bring in sales if the issue is a legal one.
Well, this is disgusting behavior CF. I wonder if OPs company suing CF?
Indeed. Based on what has been shared by OP, they could have a case.
If OP’s business was in fact illegal, CF should have stated it. Now it seems CF is an evil sales driving monster. A monster that grew so big it thinks it can do whatever it likes.
The sad part is that, assuming OP is not leaving out critical parts, multiple people play parts of this evil machine. I’ve seen how sales people think. But this is next level toxic culture. The second customer threats of leaving for the competition, they freak out and pull a bigger lever to destroy them. And the fact that a company allows this to happen…
I would never do business with CF. Good thing i don’t right now. Cause i will definitely take it elsewhere.
Isn't there some kind of law against companies extorting the customers and being evasive about their terms of service and their prices?
Customer protection laws usually only work for individuals, not companies.
I'm a SysOps engineer at a fairly large online casino.
And for some reason Cloudflare's the bad guy.
For some reason both cannot be the bad guy?
This is a really important lesson here. Don't put your eggs in one basket, and if network delivery/etc. is core to your revenues and livelihood, don't trust a random third party host to look out for you.
10TB/80TB at 120k/yr, either way, Cloudflare is taking you for a ride.
If you aren't self hosting, you're really doing it wrong.
10TB/month is 30 megabits/sec on average. Not much for a CDN. They probably need Cloudflare more for DDOS protection than anything else, I'd think?
Meta:
455 points, 3hrs old, but on the 2nd page of HN. What's up with the algo?
I'm not sure. It was on spot one on the first page, then something happened and it got downranked: https://hnrankings.info/40481808/ maybe due to being flagged by people (according to another comment).
I guess it's due to general negative sentiment towards casinos, which may be understandable but doesn't (in my biased opinion) change anything about CF's behaviour in this post. I would have left it out but it's necessary in order to provide the full context.
I’ll be honest, the high pressure to pay almost seemed like a well devised scam or phishing email.
Scammer does recon on victim. Notices they use CF. Use high pressure sales tactic to get them to pay a hefty sum up front or else lose access.
But as you read on, I see company did their own DD and followed up directly with CF executives and teams. Confirmed account is locked at CF.
In this case, CF is acting scammy.
I wonder if they are having liquidity issues thus the push for high pressure sales tactics and blackmail.
Make backups of your configuration on Cloudflare. It's an unexpectedly large pain to recreate all those configurations
Better yet, configure CloudFlare through terraform, so all your config exists in your own repo all the time. It also helps day to day since it's not that hard to accidentally flip some switch in the dashboard.
But yeah, do research alternatives. CF has too much power already and will either ignore issues, destroy you, or pay lawyers to protect people trying to get you murdered, depending on their mood. There are better options.
Can a sales rep de-platform you?
I hope that’s not the case, because that would allow for bad behavior by reps trying to manufacture end-of-quarter sales.
EDIT: why the down votes?
Once you upgrade to Enterprise it's a nonstop 6 month cycle of asking you to pay more.
Couple this with the fact you have a new rep every 6 months and you get some pretty annoying nag service for the entire duration of your contract.
Huh. Now that was some high-stakes poker right there. It seems the casino knew they were breaking the TOS and paying too little and Cloudflare caught up with that. Then knowing their situation they decided to ask for payment for all the expenses of the previous years (and some extra). In quite passive-aggressive manner.
But the casino still decided to stretch the penny and alas, whoever at Cloudflare was in charge got quite upset their extortion-tactic failed. So they decided to resolve it the American way and kick them out with zero warning - ouch! How fascinating.
I myself like using Cloudflare as it's quite affordable to setup and use. Makes me sad to know they have to resolve to tactics like this to finance their service. Well, at least I don't work in dubious businesses that violate TOS so perhaps I can at least wish for a graceful termination when my Enterprise bill is due.
Using this as a blatant example of why digital anarchism is needed nowadays
Or how to do ransomware 100% legally in 2024
Every business with this size should have another CDN as failover, relying on a single provider is proven to be dangerous.
causing… irreparable loss in customer trust
I'm a SysOps engineer at a fairly large online casino
Oh no, a casino losing the trust of its customers? Those places are normally so scrupulous!
Just wow. We were in the midst of negotiations with Cloudflare and I’m Going to hard nope after reading this.
I’m guessing they aren’t doing that well and are looking for revenue to cover the holes.
So when they asked to pay the 10k monthly, was that to gain time to move or was the price acceptable? Does it say anywhere?
I moved away from Cloudflare—to self hosting our network infrastructure—because, while this didn’t happen to us, I was very aware that it could. We had a great deal on Enterprise for a couple of years, but zero guarantees that it would last (and some indications that it wouldn’t). I wanted to stop praying that they wouldn’t alter the deal.
The way Cloudflare approaches situations like this is not ideal for anyone.
You start using the service and don't pay a lot, so you make plans around a certain level of expenses. Then out of the blue you receive an "urgent" email from a sales representative and suddenly you have to go from $20 or $250 to $thousands right away.
Obviously it's not in CF's interest to keep a customer that doesn't pay enough, but dropping a "bomb" on the customer and make them feel like they're about to be kicked out from the service makes the customer lose trust on CF.
CF can probably match Fastly's price. If they had acted differently in this and other similar situations, they could keep the customer, be paid more, trust wouldn't be affected, and there would be no bad PR here.
Since the CF management that posts on HN usually say this is not supposed to happen, perhaps someone needs to sit down and look at the incentives sales reps have? Even if you don't care about the customers, this is affecting the CF brand a lot.
Naively, I imagine that Cloudflare’s math looks something like this:
(Amount owed by customer at end of month times the probability of on time full payment) minus Cost of providing service to customer for one month = profit
Since this is an online casino, could the risk of late/under/no payment be quite high?
The Cloudflare CEO & co-founder is quite active on Twitter[0] and somewhat active on HN[1], would be interesting to get his perspective on this.
I guess it's the natural cycle of money always spreading its tentacles to everywhere, and specifically applying pressure after sufficient metastasis and entrenching.
This reads more like a shakedown than anything. Even if the casino was being dodgy, CF went in asking for more money, not demanding that they stop doing whatever it is they were doing.
Please stop using cloudflare, cloudflare captcha and google captcha is spyware and it needs to go away.
captc
How is this not still #1? 488 upvotes in 3 hours. It was number one, the right to the third page? sus...
A paragraph ends with:
This could arguably be seen as a violation of the Cloudflare TOS, as they wrote above.
And the very next paragraph begins with:
In any case, we receive >95% of our traffic through the main domain that’s been unchanged since our founding, and were happy to resolve this issue in whatever way...
And then they complain about paying up?
The only issue I see here is around the aggressiveness on the CF side. But, I was not in those meetings and the way above reads tells me that I might have been slightly mad so perhaps the CF was just taking it out on them?
Anyway. I don't think this is a CF foul.
Doesn't matter if you're an asshole company or not: always have an exit plan and test it.
At the moment the account got banned, I would guess that the CloudFlare sales team had this down as a "60% likely to close, estimated close in 6 weeks".
There is just no reason they would suspect that they were going to lose the deal to Fastly at this moment. They were very much the default winner.
Extortion or not, I just can't fathom that they ragequit the deal at this moment, because they were about to win it.
It therefore seems likely that after looking into it they disqualified it as a business category which is against their TOS or whatever.
Or that the enforcement and sales teams have very similar, overlapping triggers for engagement, etc.
Cloudflare's behaviour here was shitty and this is not the only report. By all means their reputation is very generous free tier and a horrible experience in paying.
BUT seriously who ragequits a winning deal? Another comment summed this up - the attention caused them to take a look and realize they don't support shady-ish casinos, possibly (seeming to) evade US legislation, etc.
Beyond Fastly, what are viable non-extortionist alternatives to Cloudflare?
Sounds like the famous Oracle licensing team.
If you depend on one vendor, as CTO always have a plan-b prepared that you can pull out and execute. Stall, stall, stall while you're executing your plan.
$120k will never be enough, price hike is incoming for renewal.
After reading this article carefully I have a few thoughts. Firstly you were knowingly in violation of TOS after they pointed it out to you. Violating their TOS is a fast way to have your account suspended.
Secondly I'm a little confused why they would require you to pay a year upfront? I would like to hear from cloudflare as to why they required this? It's pretty fair for them to ask you to pay a year in advance because of the risk that you carry as a gambling company.
Cloudflare needed you to have to enterprise plan to remove liability from them. It's not even a big request, they have specific pricing plans for a reason.
Or CF had already decided to kick them off the platform and tried to get some money before they did so.
While the author could improve the narrative in his article, the historical issues with Cloudflare combined with, yet another one, paint a stark picture.
Combine it with the stories I hear about Sales, the numerous other PR fumbles already mentioned in this thread, and the months I’ve personally waited (while on a paid plan!) for ticket responses only to get cookie cutter responses is, quite frankly, embarrassing.
CloudFlare puts in a good front, and their products seem decent, but they really have questionable business practices that should make anyone think twice before using them.
But for $10k a month cloudflare is ok with that? Either it's acceptable or it's not, there is no way that this looks good for cloudflare either way.
The point is more that the author is an unreliable narrator and you need to apply a little salt to the rest of the story. Cloudflare absolutely shouldn't be taking bribes to permit regulatory evasion. But if they are, I want more evidence than a substack post.
It also seems strange they dont know their Traffic Numbers.
I mean you dont need accurate Data but surely most would know by heart their traffic in rough figures? Or am I the old dog where every new Web Dev are so used to Cloud and Serverless they have no idea what they are using?
Eh, your traffic is a total cost you pay per month. That's how I would look at it. The one figure I know best of all is annual revenue, and how our annual revenue this year is on track to do compared to last year's.
As far as exact volume of QPS or TB/month or whatever, I really couldn't say.
And here I am with a dashboard of anything taking more than 20ms and working knowledge of sales tax in 200 places around the world.
Very impressive
Depends on your scale. I would probably know the traffic for the project I looked at last, but the whole account? No way. Half of it I've never touched and would have to talk to different teams. I'd only look at that when discussing the contract again. Or if their TAM flags us crossing some threshold.
It would be completely different for a small project of course, but once you're counting in TBs... it's less important.
People seem to have a very laissez faire take on egress which I’ve never understood given the really impressive markups the cloud providers charge on it. But yeah, it seems like the attitude is that as long as you’re using “cloud-native” services (AKA locked-in proprietary offerings) then cost is low and doesn’t matter anyway because it’s opex, not capex.
I spend a lot of time wondering if the Emperor is wearing any clothes.
Over 90% of our traffic is cached, since it is static assets. I can look up how much traffic reaches our origin, but the main factor is the number of static files hit. We used Cloudflare Analytics (part of the business plan) to track this, and since it didn't really impact our tech much until now I don't have an exact overview. I mainly know which (uncached) endpoints are hit how much. Fastly is currently saying 15TB per week which seems roughly the same range as Cloudflare's 80TB / month number.
It was the opposite? To comply with regulation.
and...
Do you have a suggestion to make that not possible? It doesn't seem fair to punish them so aggressively because that might happen. The "may" there isn't a statement of intent.
A reasonable scenario to me seems to be: An automatic "upgrade to the enterprise plan" requirement was triggered, and then in the process of the sales calls to make that happen, Cloudflare got serious eyes on the customer for the first time (whereas at a paltry $250/month previously they wouldn't have), and realized exactly what line of business the customer was involved in, and decided to fire them.
This actually seems reasonable, and a potential part of the narrative the original poster would be likely to leave out.
Again, none of this explains why they asked for 120k/year and shut it down after they didn't pay.
It doesn't matter the reasoning - its the execution wherein lies the issue - this is an extortionary business practice plain and simple.
By the way, it appears gambling sites are fine on CF [1].
[1] https://community.cloudflare.com/t/using-the-services-for-on...
I was rushing to judgment until I heard this... pretty plausible.
In support of your theory particular is I don't think enterprise sales "ragequits" a conversation when the customer is mid-evaluation based simply on the idea that they are considering multiple options.
Why would they walk away at this point, let alone ban the customer.
From the write-up I bet CloudFlare had it as a "60% to close" in their CRM at this moment. It doesn't make sense for them to drop the ban hammer in this moment.
PS: explanation or not, this is deeply shady behaviour from CloudFlare. Just perhaps a little less so.
It wasn't just that they were considering multiple options. Looking at the timeline, this was about a month after their initial soft gloves approach/enforcement action and they drug their feet the entire way through it.
Once CF got to the top of the leadership chain at their company and it was clear that all the relevant decision makers were involved in the conversation but were unwilling to pay, they just folded their cards, resumed the initial enforcement action, and moved on with their day.
If this was a small account they probably wouldn't have even blinked twice with just striking down the user for causing reputation harm and violating TOS but since they were a large account CF clearly went out of their way to meet with them multiple times and try to find a solution. But after a month of little to no progress while the account continues causing reputational harm and is unwilling to budge, they just called it quits and moved on.
It's not just 10k a month. it's 10k a month for the plan that allows you to BYOIP (Bring your own IP addresses). That was cloudflare's issue.
Their business was causing IP reputation damage and all plans but the enterprise BYOIP plans share the same IP pool.
Essentially it was "use your own IP pool and pay us for the cost of maintaining that pool for you or GTFO".
This wasn't just a normal sales rep hitting them up. This was trust and safety (i.e. the moderation team) coming to them with a compromise that would allow them to stay on the platform. They chose against that and were dragging their feet.
The timeline of the article also really makes this clear. This wasn't over the course of 24 hours. This started a full 4 weeks prior with sustained back and forth. They only included a few images of emails from the discussions but the article makes clear that there was more discussion happening.
And to quote the article. After receiving the ultimatum, they got an entire extra week to deliberate.
Then finally when they told CF that they were just buying time while looking to move elsewhere, CF dropped their act of goodwill and the moderation team resumed the moderation action they would have taken in the first place had this been a smaller account.
----
So yeah it sounds bad from the snippets but this was basically "hey you are a big customer and you are breaking rules we would normally ban anyone else for but if you can compensate us we'll spend the labor hours and infra to let you keep operating in your own little quarantine box.". So this really should be seen as an act of goodwill rather than malice.
It's called "extortion"
It's not extortion if you would have been banned off the platform flat out had you been a smaller account.
I'm not defending Cloudflare's exact actions in this scenario, but it seems reasonable that there are cases where yes, for $10k Cloudflare is okay.
Risk can be mitigated, especially if you take care to know what the risk is, but risk mitigation and the salaries of the risk mitigation teams are not free.
The answer of "no, we will not host you unless you pay us enough money to hire people to make sure we're not breaking laws by hosting you" makes plenty of sense, and an online casino that is likely dubiously legal in many countries is definitely a place where you might use that answer.
I'd also expect there are cases where Cloudflare enter into enterprise agreements with customers, get a good hard look at exactly what's happening, and then tear up the agreement and walk away.
And all of that is fine when communicated properly. Even if OP is an unreliably narrator are we to believe they also left out some of CF's emails?
To me it looks like https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_pr... is entirely the wrong email to send in the situation and if you are as old as I am and come from where I come from, you will have flashbacks to "reading between the lines" of the party daily in the 1980s. The real content is at the bottom:
Big red flashing lights: the right questions are 1) why is T&S involved at all 2) What are their concerns which forces such a hurried deadline? 3) What are the consequences of missing this deadline.
The right email would start with something like this:
That's not true at all. That line of argument gets close to "if this product is free for open source, why is it not free for me? either it costs something to operate or it doesn't." You don't get to price the service.
In this case "the service" would be to look the other way on illegal activities for $10k/mo.
I'm not saying cloudflare can't do it, I'm just saying it's wrong.
I can reason my way into it, I think objectively. To protect their IP reputation, CF required BYOIP. This costs them something, and de-jure requires an Enterprise plan. Which for the customers usage costs $X. Is it right? Ehhhhhh. Does it follow corporate logic? Yeah. (Sales logic? YES)
That isn't how the world deals with risk.
If you think something your client wants could explode into a liability, you can turn them away or you can just make sure their bill covers your exposure.
If it's a legally questionable service, there's likely to be plenty of abuse contact, or they're going to be a big target of crime, they're going to end up paying more. This is the same reason why some industries (eg porn sites) have always paid more for card processing.
If it's legal but burdensome (somehow) to host a particular industry, requiring more money to deal with the increased burden seems reasonable. For instance, if their legal department needs to deal with complaints from various countries, that probably costs more than $250/month.
That being said, I doubt that's the core issue in this case.
How does paying $10k a month solve that?
It's 10k a month for them to set up a dedicated IP address pool so that they could BYOIP and buy their own IP addresses instead of getting the IP addresses in cloudflare's main IP address pool repeatedly banned or reputation harmed.
i.e. it's a $10k fee for maintaining the infrastructure for a quarantine around their services
Why can't they communicate than then? BYOIP also costs nothing to produce.
They did. Repeatedly. You see it mentioned in the few emails the OP chose to share. But they also didn't share the other communication they had over the month long discussion they had with cloudflare.
That's not really accurate. Cloudflare is entirely built around one big unified anycast network. If you want to provision an entirely separate network that maintains all the same features they are using from the main cloudflare network, that's going to require provisioning a lot of cpu time and routing table slots at a lot of different sites plus whatever admin and engineer overhead comes from maintaining this quarantined service.
The costs for announcing the customer's IPs and making sure that only they are the ones actually sitting on them would be minuscule. Nowhere near $10k/mo. Maybe $100/mo.
Anycast/unicast changes nothing here. Anycast simply means that the same prefix is announced in multiple different PoPs.
This is literally all written communication they gave us. The only other thing was calls. Not calls with anyone that had any knowledge about what any issues were, but calls with sales.
Big difference between:
And
As a network engineer I'm well aware of what it costs to add prefixes to what you announce over bgp, some miniscule additional CPU overhead, likely unmeasurable. Even slow mips processors could process full table bgp.
For $10k / mo paid 1 year in advance, your cloud provider does a legal review of the situation and figures out how to make your problem work on both the technical and legal level. It's not a "special plan", it's consulting.
Edit: "How do you know?" -- I don't know it's actually what happened, but when switching to enterprise, you don't go from 10% margin to 98% margin. The added costs actually represent added budget for the provider to deal with your "special case". ALL enterprise pricing tiers are disguised consulting contracts.
Great theory!
The only questions that come to mind: how do you know? If that was the case why didn't they tell the customer?
Or they had already decided to kick them out and tried to get some money out of them first.
Nice place you got here. It'd be a shame if something happened to it.
Except the "place" isn't Mom and Pop's bodega, it's a casino dodging countries blocking its main domain.
Assuming that is what was happening, why would CF suddenly be okay with an illegal site if they pay more? Might as well call it the criminal enterprise plan then.
Hmm. My take is the casino structured its business to comply, not to evade interest. Further, I don't see how Cloudflare benefits by taking on the risk to charge more to help a customer avoid scrutiny. More like: they know it's a humming business and want a piece.
The way I read the screenshots of the emails from the articles seemed to suggest that something the authors company was doing was causing issues with IP reputation on CloudFlares range.
Them very aggressively highlighting the BYO IP feature and then even suggesting third parties to rent IPs from strikes me as a significant detour from their normal “script” (having dealt with their AU sales team before).
this is exactly what is happening. Cloudflare uses an anycast network, so IPs are shared by default.
this customer is damaging Cloudflare IP reputation which hurts other customers. Cloudflare can either fire the customer to protect other customers using Cloudflare IPs, or force this customer to use their own IPs and damage/manage their own IP reputation.
unfortunately this is expensive and OP is mad they can't do their legally fraught gambling operation on Cloudflare's addresses for free
This is directly contradicted by the contents of the article, perhaps you should re-read it.
They're mad that cloudflare cut them without real warning. And they should be! Anyone can get on a big company's bad side, and if there aren't extremely important messages being withheld by the author this makes it scary for anyone to use cloudflare.
If a custom IP is going to be mandatory, they need to say that and give a deadline, at the very least.
CF calls and says there is a problem with traffic. They want to push an enterprise plan. Customer says no.
CF calls and says there is a problem with domains. They want to push an enterprise plan. Customer wants to solve problem, dropping domains, making changes. CF says, only enterprise plan will remedy the situation.
There is obviously a sales script involved.
“get back to Trust & Safety"
Heard that story several times, it's always another team, e.g. "Licensing" that need to be satisfied, or that if you don't pay up, that team will be off the leash. Also heard the pay-for-a-year-upfront for several large vendors who pull this. The reason is, some sales reps need to make numbers, so they shake the tree and see who falls down:
"Cloudflare has absolutely no information on when they will force you into custom billing, but when they start "urgently" needing to talk to you you're probably not going to get out until you have a juicy custom contract with them."
Compliance:
Evasion:
This is more like one gang hitting up another for "protection" payments. I had to laugh when they called it "Trust & Safety".
I mean, sure, they’re probably doing some sketchy regulatory dodging or whatever. Which part of this can Cloudflare solve by having them pay $120k/year to them?
Over-charging is a legal way to effectively deny service. When I'm offered jobs I don't want, I sometimes tell them my salary is 3x what I really need.
I feel like you would probably consult with a lawyer before saying you’d do assassinations for 3x your salary needs ;)
The part where Cloudflare is happy to turn a blind eye to any “issues” if they get their $$$, apparently
The post mentions BYOIP. I assume Cloudflare wanted OP on BYOIP to mitigate risk, and Cloudflare wanted them to pay for the privilege.
Taking a step back, why would they even care if their platform is supposedly neutral and not responsible for the content ?
If they can indeed stop providing services to a casino, why cannot they shutdown a website spreading pro-war propaganda, or a website selling illegal services ?
It means they are making editorial choices, instead of just being the technological provider and being a neutral "internet pipe".
Not sure it's really in their best interest to self-police in the end, as they could lose their DMCA safe harbor provision ?
This.
That said, we're seeing this across so many platforms, from datacenters to social network sites.
They blew their safe harbor provisions years ago and yet remain untouched despite this.
It’s not “editorial” to choose to stop serving (or charge more money to) a customer whose actions pose legal difficulties or risks to your business. If some country’s vice division contacts cloudflare legal due to a customer’s illegal online gambling presence, I guarantee that cop does not care about a US/EU copyright law.
The same thing is true for IP reputation, just without an external official complaining. If other CF customers are negatively impacted by one customer’s action, CF isn’t violating safe harbor by booting that customer or passing on the costs of mitigating that impact. That’s just running a business, not exercising editorial review of hosted content in violation of safe harbor provisions.
Because their main network all uses one big IP address pool and the blocks by various regions/countries against their site were probably not just DNS blocks but also IP address blocks.
So they now have an account whose activity is getting their IPs banned in countries where they operate.
So they told the account owners they needed to pay for an enterprise account and a dedicated IP address pool maintained by cloudflare. That's why CF kept talking about BYOIP in the emails.
i.e. "Pay for us to build you a quarantine with your own IP pool or leave ASAP"
Yeah, there's some pretty key info being left out. I don't doubt that Cloudflare communication sucks especially when dealing with their sales team (aka bizdev which is what OP was originally contacted by), but the second screenshot is pretty damning.
My guess: Their account fell out of the non-enterprise TOS for some reason which is being obscured in the post (probably domain rotation related). Their T&S team proposed moving to enterprise for a custom resolution. OP's company refused, their account was purged because they had gotten several warnings about it.
I'm sure this sounds frustrating to the average HN dev who runs a legitimate startup with cloudflare on top and is now biting their nails worried to death about what will happen to them. But "online casino" immediately raised a million alarm bells in the post.
I did mention the multiple-domains issue in the post. It would not have been amazing for us to remove our secondary domains, but we would have been very happy to do it if it had resolved the issue. We asked them again and again but they would not give us any detail or options apart from their 120k/year package. Note that BYOIP (which I guess they could reasonably have required to isolate us even if we only use a single domain) is available for a fraction of the cost elswhere (e.g. fastly).
Since we already left Cloudflare the only reason I finished writing this article is to warn others. I think it's still relevant to many companies regardless of what you think of casinos, since very unprofessional sales tactics (unprofessional as in business threatening) seem common place with them. Do look at the linked other posts and comments here from other people affected that don't have anything to do with casinos.
I'm happy to answer questions as well.
And the part where they offered to remove the secondary domains and couldn't get an answer?
"Now this needs a bit of context on what they are talking about. We do have multiple domains that mostly act as mirrors to our main domain. We have these for a few reasons. One is that since we are a casino, we have different regulatory requirements we need to comply with in many countries. For example, many games are only available in some countries. Some countries we block completely. Then we have a few different domains that remove certain game groups or site features - for example our social features (chat, user tipping / interaction) or our sportsbook. Another is that we use them to target different global user groups and affiliates and track conversions long-term. This also means that if a country DNS-blocks our main domain, a secondary domain may still be available. This could arguably be seen as a violation of the Cloudflare TOS, as they wrote above."
Looks like they COMPLY with regulatory interest, to me.
When it comes to laws and taxes, "comply" and "evade" tend to be synonyms.
"In order to comply with tax regulations and donor laws, we had to structure our activities in order to make it possible for political donations to be classified as regular consulting income".
At least from discussions I've had over the years with my accountants, comply and evade are very different. Evasion is when you are doing something that's explicitly illegal. Optimization and compliance is when you comply with the law while trying as much as possible to reduce your tax. In some cases, there's a bit of a grey area where you use multiple structures that according to your accountant should comply with the law but in a way that has never actually been tested legally. That last part tends to be named "optimization" rather than "compliance"
If 90 or 95% of their traffic comes from a single domain (and presumably has for a while), that still doesn’t make OP sound guilty. If there was a legal issue Cloudflare legal should’ve stepped in, not their sales team.
That was the part that bugged me. This workflow is very busted from a user standpoint, though I'm sure it works very nicely to Cloudflare!
It smells like the "problem" was detected by automation, but instead of being able to reach anyone technical to work through it, you can only call sales teams.
In my opinion it's one racket vs another.
This has been my experience with 80+% of these loud complaints about services, especially regarding "losing Google traffic". Dig into it just a little and you find out the complainer was doing something extremely shady that the service is often too polite/proper to call out in a public forum.
Is the casino illegal in the jurisdiction they're based out of?
It doesn't seem so, so there is at least a valid reason for Cloudflare to keep them as a customer as they're not violating the laws where they have their business in.
With a casino, the issue isn't just domains, it's also IPs. That's why they pushed BYOIP so heavily.
I do encourage you to read the whole article cause there is some fine details in there. The main point is that we were happy to remove any domains apart from our main domain (which gets > 95% of our traffic) but Cloudflare did not give us that option or any other detail on the supposed issue.
This shouldn't matter, in general Cloudflare responds to complaints about allowing illegal content with "we're a neutral utility, we forwarded your complaint to the site's webhost". To me, the article showed that Cloudflare was being extremely aggressive with selling the customer on an enterprise plan and repeatedly invented excuses to get them on the phone with their sales team. They then took the site offline and locked them out of their account when the customer started talking with other CDNs.
This is literal theory crafting lol. CloudFlare never said or implied that in their emails, yet you seem to know more than the CF reps themselves?
Well HN is the unofficially official Cloudflare Support forum. I think we will hear from them soon. From past experience normally their response time for anything Cloudflare on HN is within 2-3 hours.
Obviously you work for CF. I did read the full post.
Nah, you have different domains so you can track and maintain flows, also the regulations might even stipulate having domains in the locale, the headline is very much accurate after reading the article.
Using localized versions of your services to comply with regional laws and enhance user experiences (i.e. make money) is SOP for practically every international $bigco. Online gambling is regulated and legal in ~50%-70% of the world; without actual evidence to the contrary, it’s completely reasonable to assume that this is a legitimate business. I’m really struggling to agree with the “two sides to every story” replies being left here about how there’s likely shady activity going on behind the scenes, when to me the post read as candid and transparent about the nature of the nature of the business, the admitted legitimacy of CF’s TOS violation claims against them, and the content of the communications with CF.
My 2c: It’s scummy that CF did this. It looks like they were disingenuous about the severity of the violations and used it as an excuse to get more $$$ from an already paying customer to make the manufactured problem go away.
So the thing that stands out in the article, is that cloudflare's initial communications (and the final communications, when they moved to ban) implied issues with their behavior (trust and safety team, terms of service violations), but in between it sounds like the didn't talk about ToS at all, just sales team asking them to buy enterprise. Though it's possible OP is omitting some explanation given by as why enterprise plan would alleviate ToS issues.
If that's the take, that means Cloudflare is okay with 'breaking laws' so long as they can take a heavy cut of the ill gotten gains? </sarcasm>
Let's not try to find reasons to harm the messenger and stick to the facts -- a paying customer was suddenly extorted for hundreds of thousand of dollars out of nowhere.
It is a good article, good to have practical details of how this goes down... but really an international casino cant afford more than $250 a month?