Recently, an online casino website experienced a severe disruption when Cloudflare abruptly disabled its services. Robin Dev, a systems operations engineer at the casino, provided a detailed account of the sequence of events in a blog post, shedding light on the extent of the disruption and its aftermath.
The casino had been using Cloudflare’s Business plan for years to manage traffic and protect against DDoS attacks. However, to the casino's surprise, Cloudflare suddenly demanded that they switch to an Enterprise plan costing $120,000 annually, citing unspecified "critical issues" with the account configuration.
Account settings email (Source: RobinDev SubStack)
Robin Dev writes:
We scheduled a call with their "Business Development" department. It turns out the meeting was with their Sales team, and they didn't have any "serious issues" to report. They asked us whether we would like to consider Enterprise. We politely declined, but we were a bit confused as to the tone of the email.
When the casino declined the upgrade, Cloudflare accused the site of domain rotation activities, which is against their terms of service. Despite the casino’s efforts to clarify and resolve the issue, Cloudflare deleted all related domains and settings, forcing the casino to migrate to a different provider, Fastly. This migration resulted in significant downtime and posed operational challenges, further complicating the situation.
A respondent on a Reddit thread commented:
Set aside the bandwidth and compute resources. You’re going to pay a premium because the provider is much more likely to experience abuse, fraud, and legal hassles. I expect you’ll find that’s true at Fastly, too.
A user familiar with the issue posted an analysis on a Hacker News thread. The post states, "Some countries and regions regulate gambling sites independently, and some providers may block IP addresses hosting gambling sites. Such blocks can impact the reputation score of the IP address, and providers like Cloudflare, which handle traffic from multiple users, may affect other users." Because of this, Cloudflare had to ask casino sites to use BYOIP (Bring Your Own IP), a feature that lets a customer serve traffic from its own IP address space rather than from Cloudflare's shared prefixes.
On another Reddit thread, a respondent commented:
If Cloudflare is telling you to BYOIP, you’re definitely doing some shady shit that they don’t want impacting the reputation of their prefixes. Yet, it could have been handled way better.
With another stating:
The article says it's a casino, and various countries block them due to their laws, etc. It's reasonable for CF to not want their IP ranges bulk blocked. But that's not doing shady shit from the customer's part.
Lastly, Robin concludes that Cloudflare might push organizations into their Enterprise plan for reasons like hitting high traffic levels or aggressive sales tactics. In Robin's view, Cloudflare prices Enterprise based on what it thinks you'll pay, not on measurable metrics or features. It's important to back up your Cloudflare configuration and consider whether you truly need their services. Keep in mind that Cloudflare may not effectively manage smaller, more vulnerable attack surfaces.
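The advice to keep a backup of your Cloudflare configuration is easier to act on with a concrete script. The following is an added example written for this page; it is not code from the article, from Robin Dev's post, or from Cloudflare. It assumes the public Cloudflare v4 REST API (the `/zones/{zone_id}/dns_records` and `/zones/{zone_id}/settings` endpoints, authenticated with a bearer token in `CLOUDFLARE_API_TOKEN`); the sample records and settings embedded below are constructed so the snapshot, zone-file rendering and drift check run offline. The zone-file output is what a DNS migration to another provider needs, and the diff lets you detect when records or settings change behind your back.

```python
"""Snapshot a Cloudflare zone into a provider-neutral backup and diff two
snapshots. Added example for this page; the endpoints in fetch_zone() are an
assumption based on the public Cloudflare v4 API, and the sample data is
constructed."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed sample: the shape of the "result" array returned by
# GET /zones/{zone_id}/dns_records (only the fields the backup keeps).
SAMPLE_RECORDS = [
    {"type": "A", "name": "example-casino.test", "content": "203.0.113.10",
     "ttl": 1, "proxied": True},
    {"type": "CNAME", "name": "www.example-casino.test",
     "content": "example-casino.test", "ttl": 300, "proxied": True},
    {"type": "MX", "name": "example-casino.test",
     "content": "mail.example-casino.test", "ttl": 3600, "priority": 10,
     "proxied": False},
    {"type": "TXT", "name": "example-casino.test", "content": "v=spf1 -all",
     "ttl": 3600, "proxied": False},
]
# Constructed sample of GET /zones/{zone_id}/settings results.
SAMPLE_SETTINGS = [
    {"id": "ssl", "value": "full"},
    {"id": "min_tls_version", "value": "1.2"},
    {"id": "always_use_https", "value": "on"},
]


def _get(path, token):
    """Authenticated GET against the Cloudflare API; returns the 'result'."""
    req = urllib.request.Request(f"{API}{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(body.get("errors"))
    return body["result"]


def fetch_zone(zone_id, token=None):
    """Live snapshot of one zone (needs network and a read-only API token)."""
    token = token or os.environ["CLOUDFLARE_API_TOKEN"]
    records = _get(f"/zones/{zone_id}/dns_records?per_page=5000", token)
    settings = _get(f"/zones/{zone_id}/settings", token)
    return snapshot(records, settings)


def snapshot(records, settings):
    """Normalize API output into a deterministic, provider-neutral dict."""
    keep = ("type", "name", "content", "ttl", "priority", "proxied")
    recs = sorted(({k: r[k] for k in keep if k in r} for r in records),
                  key=lambda r: (r["name"], r["type"], r["content"]))
    return {"records": recs, "settings": {s["id"]: s["value"] for s in settings}}


def to_zone_file(snap, default_ttl=300):
    """Render records as BIND zone-file lines for import at another provider.
    Cloudflare stores ttl == 1 for 'automatic'; proxied records are flagged
    because the origin IP behind the proxy is what the new provider exposes."""
    lines = [f"$TTL {default_ttl}"]
    for r in snap["records"]:
        ttl = default_ttl if r["ttl"] == 1 else r["ttl"]
        rdata = r["content"]
        if r["type"] == "TXT":
            rdata = '"' + rdata.replace('"', '\\"') + '"'
        elif r["type"] == "MX":
            rdata = f"{r.get('priority', 10)} {rdata}."
        elif r["type"] in ("CNAME", "NS"):
            rdata = rdata + "."
        note = "  ; was proxied (orange cloud)" if r.get("proxied") else ""
        lines.append(f"{r['name']}.\t{ttl}\tIN\t{r['type']}\t{rdata}{note}")
    return "\n".join(lines) + "\n"


def diff_snapshots(old, new):
    """Report records added/removed and settings whose value changed."""
    def key(r):
        return (r["name"], r["type"], r["content"])
    o = {key(r) for r in old["records"]}
    n = {key(r) for r in new["records"]}
    names = set(old["settings"]) | set(new["settings"])
    return {
        "records_removed": sorted(o - n),
        "records_added": sorted(n - o),
        "settings_changed": {k: (old["settings"].get(k), new["settings"].get(k))
                             for k in names
                             if old["settings"].get(k) != new["settings"].get(k)},
    }


if __name__ == "__main__":
    snap = snapshot(SAMPLE_RECORDS, SAMPLE_SETTINGS)
    print(json.dumps(snap, indent=2, sort_keys=True))  # store this under version control
    print(to_zone_file(snap))
```

Run it on a schedule, commit the JSON snapshot, and compare each new snapshot with the previous one via `diff_snapshots`; a non-empty `records_removed` or `settings_changed` is the signal to investigate, and the BIND output is the file you hand to the next DNS provider if a migration becomes necessary.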