Cloudflare

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Cloudflare
Cloudflare logo.svg
Founded July 2009; 8 years ago (2009-07)
Headquarters San Francisco, California, United States
Founder(s)
  • Matthew Prince
  • Lee Holloway
  • Michelle Zatlyn
Key people
  • Matthew Prince (CEO)
  • Lee Holloway
  • Michelle Zatlyn
Industry Internet
Products Cloudflare
Services
Website cloudflare.com
Alexa rank Increase 1261 (June 2017)[1]

Cloudflare, Inc. is a U.S. company that provides a content delivery network, DDoS mitigation, Internet security services and distributed domain name server services, sitting between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites. Cloudflare's headquarters are in San Francisco, California, with additional offices in London, Singapore, Champaign, Austin, Boston and Washington, D.C..[2][3]

History[edit]

Cloudflare was created in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn,[4][5] who had previously worked on Project Honey Pot.[5][6] Cloudflare was launched at the September 2010 TechCrunch Disrupt conference.[4][5] It received media attention in June 2011, after providing security to LulzSec's website.[4][7]

In June 2012, Cloudflare partnered with various web hosts, including HostPapa, to implement its Railgun technology.[8][9]

In February 2014, Cloudflare mitigated the largest-ever recorded DDoS attack at that time, which peaked at 400 Gbit/s against an undisclosed customer.[10] In November 2014, Cloudflare reported another massive DDoS attack with independent media sites being targeted at 500 Gbit/s.[11]

Funding rounds[edit]

In November 2009, Cloudflare raised $2.1 million in a Series A round from Pelion Venture Partners and Venrock.[12]

In July 2011, Cloudflare raised $20 million in a Series B round from New Enterprise Associates, Pelion Venture Partners, Venrock.[12][13][14]

In December 2012, Cloudflare raised $50 million in a Series C round from New Enterprise Associates, Pelion Venture Partners, Venrock, Union Square Ventures, and Greenspring Associates.[15][16][17]

In December 2014, Cloudflare raised $110 million in a Series D round led by Fidelity Investments, with participation from Google Capital, Microsoft, Qualcomm, and Baidu.[18]

Acquisitions[edit]

In February 2014, it acquired StopTheHacker, which offers malware detection, automatic malware removal, and reputation and blacklist monitoring.[19][20] In December 2016, Cloudflare acquired Eager, with the view of upgrading Cloudflare's Apps platform to allow for drag-and-drop of installation of third-party apps onto Cloudflare-enabled sites.[21]

Services[edit]

DDoS protection[edit]

For all customers Cloudflare offers an "I'm Under Attack Mode" setting. Cloudflare claims this can mitigate advanced Layer 7 attacks by presenting a JavaScript computational challenge which must be completed by a user's browser before the user can access a website.[22]

Cloudflare defended SpamHaus from a DDoS attack that exceeded 300Gbit/s. Akamai's chief architect stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet".[23][24] Cloudflare have also reportedly absorbed attacks that have peaked over 400Gbit/s from an NTP Reflection attack.[25]

Web application firewall[edit]

Cloudflare allows customers on paid plans to utilize a web application firewall service, by default; the firewall has the OWASP ModSecurity Core Rule Set alongside Cloudflare's own ruleset and rulesets for popular web applications.[26]

Domain name server[edit]

Cloudflare offers free domain name server (DNS) for all clients which are powered by an anycast network.[27] According to W3Cook Cloudflare's DNS service currently powers over 35% of managed DNS domains.[28] SolveDNS have found Cloudflare to consistently have one of the fastest DNS lookup speeds worldwide, with a reported lookup speed of 8.66ms in April 2016.[29]

Reverse proxy[edit]

A key functionality of Cloudflare is that they act as a reverse proxy for web traffic.

Cloudflare supports new web protocols, including SPDY and HTTP/2. In addition to this, Cloudflare offers support for HTTP/2 Server Push.[30] Cloudflare also supports proxying Websockets.

Content delivery network[edit]

Cloudflare's network has the highest number of connections to Internet exchange points of any network worldwide.[31] Cloudflare caches content to its edge locations to act as a content delivery network (CDN), all requests are then reverse proxied through Cloudflare with cached content served directly from Cloudflare.

Values[edit]

Cloudflare has been vocal of their values, with CEO Matthew Prince stating:

"One of the greatest strengths of the United States is a belief that speech, particularly political speech, is sacred. A website, of course, is nothing but speech...A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain."[32]

Cloudflare publishes a Transparency Report on a semiannual basis to show how often law enforcement agencies request data about its clients.[33]

Breaking with its long-standing policy of total content neutrality, Cloudflare withdrew access to its services by white supremacist web site The Daily Stormer on 16 August 2017, in the aftermath of the fatal vehicular attack at the Charlottesville rally four days earlier. This withdrew the website's protection against distributed denial of service attack, and soon thereafter attackers took down the website.[34] CEO Matthew Prince stated: "I woke up this morning in a bad mood and decided to kick them off the internet"[35], the tipping point in the decision being “that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.”[36][37] Andrew Anglin, editor for The Daily Stormer, denied that his team made such a claim,[38] and the move was criticised as 'dangerous' by Prince himself,[39] Anglin,[38] and the Electronic Frontier Foundation.[40]. Simultaneously, Cloudflare cancelled Archive.is for its mirror archives of Daily Stormer content.[citation needed].

Customers[edit]

Cloudflare provides DNS services to 6 million websites,[41] including Uber, OKCupid, and Fitbit,[42] adding approximately 20,000 new customers every day.[43] 

Awards and recognition[edit]

Criticism and controversies[edit]

In September 2017, free-speech advocates criticized Cloudflare for dropping the American neo-Nazi website The Daily Stormer as a customer, which made it difficult for The Daily Stormer to stay online. "Denying security service to one Nazi website seems fine now, but what if Cloudflare started suspending service for a political candidate that its chief executive didn’t like?" wrote Yale Law School doctoral candidate Kate Klonick in the New York Times. This is particularly troublesome, she wrote, because Cloudflare has so few competitors.[49].

The hacker group UGNazi attacked Cloudflare partially via flaws in Google's authentication systems in June 2012, gaining administrative access to Cloudflare and using it to deface 4chan.[50][51] Cloudflare published in full the details of the hack. Following this, Google publicly announced they had patched the flaw in the Google Enterprise App account recovery process which allowed the hackers to bypass two-step verification.[52] Later the leader of the hacking group, Cosmo, was arrested and sentenced in California.[53]

In May 2017 ProPublica reported that Cloudflare as a matter of policy relays the names and email addresses of persons complaining about hate sites to the sites in question, which has led to the complainants being harassed. Cloudflare’s general counsel defended the company's policies by saying it is “base constitutional law that people can face their accusers.”[54] In response Cloudflare updated their abuse reporting process to provider greater control of who to notify for the complaining party.[55]

From September 2016 until February 2017, a major CloudFlare bug (nicknamed Cloudbleed) leaked sensitive data—including passwords and authentication tokens from customer websites, by sending extra data in response to web requests.[56] The leaks resulted from a buffer overflow, which occurred, according to analysis by CloudFlare, on approximately 1 in every 3,300,000 HTTP requests.[57][58]

Criticism of total content neutrality[edit]

Cloudflare was ranked in the 7th rank among the top 50 Bad Hosts by HostExploit.[59] The service has been used by Rescator, a website that sells payment card data.[60][61][62]

Two of Islamic State of Iraq and the Levant's top three online chat forums are guarded by Cloudflare but U.S. law enforcement has not asked them to discontinue the service, and they have not chosen to do so themselves.[63]

An October 2015 report found that Cloudflare provisioned 40% of SSL certificates used by phishing sites with deceptive domain names resembling those of banks and payment processors.[64]

In November 2015, Anonymous discouraged the use of Cloudflare's services, following the ISIL attacks in Paris and the renewed accusation that it provides help to terrorists.[65] Cloudflare responded by calling their accusers "15-year-old kids in Guy Fawkes masks" and saying that whenever such concerns are raised they consult actual anti-terrorism experts and abide by the law.[66]

Cloudflare is listed on Spamhaus for providing spam support services (pink contract). The current list of Spamhaus listings changes on a near daily basis as reported issues are addressed with the responsible website owner.[67]

References[edit]

  1. ^ "cloudflare.com". Alexa Rank History. Retrieved 2017-06-11. 
  2. ^ "CloudFlare Reveals $50 Million "Secret" Funding -- From One Year Ago - Kara Swisher - Security - AllThingsD". AllThingsD. 
  3. ^ "Cloudflare beefs up app platform plans with startup acquisition". Bizjournals.com. Retrieved 2017-02-28. 
  4. ^ a b c Henderson, Nicole (2011-06-17). "Cloudflare Gets an Unusual Endorsement from Hacker Group LulzSec". Webhost Industry Review. Retrieved 2014-05-09. 
  5. ^ a b c "Our story". Cloudflare. Retrieved 2016-02-25. 
  6. ^ "Cloudflare Beta". Project Honey Pot. Retrieved 2011-08-15. 
  7. ^ Hesseldahl, Arik (2011-06-10). "Web Security Start-Up Cloudflare Gets Buzz, Courtesy of LulzSec Hackers". All Things Digital. Retrieved 2011-08-15. 
  8. ^ Clark, Jack (1 March 2013). "CloudFlare's Railgun protocol gets buy-in from web giants". The Register. Retrieved 8 October 2015. 
  9. ^ Lardinois, Frederic (26 February 2013). "Cloudflare Partners With World's Leading Web Hosts To Implement Its Railgun Protocol, Speeds Up Load Times By Up To 143%". Tech Crunch. Retrieved 12 February 2016. 
  10. ^ "DDoS Attack Hits 400 Gbit/s, Breaks Record". Dark Reading. 
  11. ^ Olson, Parmy. "The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites". Forbes. 
  12. ^ a b [1]
  13. ^ Hesseldahl, Arik (2011-07-12). "Web Security Start-Up Cloudflare Lands $20 Million Funding Round". AllThingsD. Retrieved 2012-07-12. 
  14. ^ Milian, Mark (December 18, 2012). "Why a Fast-Growing Startup Tries to Keep Its Venture Funding Secret". Tech Deals. Bloomberg. Retrieved January 1, 2013. 
  15. ^ "Cloudflare Reveals $50M Round From Union Square Ventures". TechCrunch. AOL. 
  16. ^ Michael Hickins. "CloudFlare Raised $50M, Ready to Spend". WSJ. 
  17. ^ "CloudFlare Reveals $50M Round From Union Square Ventures". TechCrunch. AOL. 17 December 2013. 
  18. ^ Miller, Ron. "CloudFlare Hints IPO Could Be Coming, But Not This Year". www.techcrunch.com. Retrieved 30 September 2015. 
  19. ^ "CryptoSeal". crunchbase.com. Retrieved 10 March 2015. 
  20. ^ "Cloudflare Acquires Anti-Malware Firm StopTheHacker". TechCrunch. AOL. 
  21. ^ Yeung, Ken. "Cloudflare acquires app platform Eager, will sunset service in Q1 2017". VentureBeat. Retrieved 28 December 2016. 
  22. ^ Holloway, Lee Hahn; Rao, Srikanth N.; Prince, Matthew Browning; Tourne, Matthieu Philippe François; Pye, Ian Gerald; Bejjani, Ray Raymond; Rodery Jr, Terry Paul (2013). "Identifying a denial-of-service attack in a cloud-based proxy service". 
  23. ^ Storm, Darlene. "Biggest DDoS attack in history slows Internet, breaks record at 300 Gbps". Computerworld. 
  24. ^ Markoff, John; Perlroth, Nicole (26 March 2013). "Online Dispute Becomes Internet-Snarling Attack". The New York Times. 
  25. ^ Gallagher, Sean. "Biggest DDoS ever aimed at Cloudflare's content delivery network". Ars Technica. Retrieved 17 May 2016. 
  26. ^ Kaushik, Mehul. "Cloudflare Web Application Firewall Review". Fanatic Entrepreneur. 
  27. ^ Jackson, Brian (17 September 2015). "10 Best Free DNS Hosting Providers". KeyCDN Blog. Retrieved 17 May 2016. 
  28. ^ "Cloudflare Usage Statistics and Market Share". www.w3cook.com. 
  29. ^ "April 2016 DNS Speed Comparison Report". www.solvedns.com. 
  30. ^ Osborne, Charlie. "CloudFlare figured out how to make the Web one second faster | ZDNet". ZDNet. Retrieved 17 May 2016. 
  31. ^ "Internet Exchange Report - bgp.he.net". bgp.he.net. Hurricane Electric. Retrieved June 1, 2016. 
  32. ^ Dredge, Stuart (12 August 2013). "CloudFlare on censorship: 'A website is speech. It is not a bomb'". the Guardian. 
  33. ^ Kovacs, Eduard (2015-07-15). "CloudFlare Releases Transparency Report for First Half of 2015 | SecurityWeek.Com". www.securityweek.com. Wired Business Media. 
  34. ^ Becky Peterson (17 August 2017). "Cloudflare CEO: Hackers pushed The Daily Stormer offline as soon as Cloudflare stopped protecting it". Business Insider. Retrieved 17 August 2017. 
  35. ^ David Ingram and Joseph Menn (17 August 2017). "Internet firms shift stance, move to exile white supremacists". Reuters. Retrieved 17 August 2017. 
  36. ^ Dave Lee (17 August 2017). "Why Cloudflare kicked out the neo-Nazis". BBC News. Retrieved 17 August 2017. 
  37. ^ Matthew Prince (17 August 2017). "Why We Terminated Daily Stormer". Cloudflare blog. Retrieved 17 August 2017. 
  38. ^ a b Andrew Anglin (17 August 2017). "Matthew Prince of Cloudflare Admits He Killed the Internet Because He Thinks Andrew Anglin is an Asshole". The Daily Stormer. Archived from the original on 18 August 2017. Retrieved 17 August 2017. 
  39. ^ https://www.theverge.com/2017/8/16/16157710/cloudflare-daily-stormer-drop-russia-hate-white-nationalism
  40. ^ https://www.eff.org/deeplinks/2017/08/fighting-neo-nazis-future-free-expression
  41. ^ "How we made our DNS stack 3x faster". blog.cloudflare.com. Retrieved 2017-04-11. 
  42. ^ Thomson, Iain (February 24, 2017). "Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug". The Register. Retrieved May 12, 2017. 
  43. ^ "Cloudflare – Making Your Website Fast, Safe, and Accessible Everywhere in the World | HostAdvice". HostAdvice. Retrieved 2017-07-19. 
  44. ^ "8th Annual Crunchies Awards". TechCrunch. AOL. Retrieved 10 March 2015. 
  45. ^ Michael Totty and Shirley S. Wang (17 October 2011). "Winners of the 2011 Wall Street Journal Innovation Awards - WSJ". WSJ. Retrieved 10 March 2015. 
  46. ^ "Technology Pioneer 2012 - Matthew Prince, Michelle Zatlyn & Lee Holloway (Cloudflare)". Technology Pioneer 2012 - Matthew Prince, Michelle Zatlyn & Lee Holloway (Cloudflare) - World Economic Forum. Retrieved 10 March 2015. 
  47. ^ "Most Innovative Companies 2012 - Industries Top 10 - Web/Internet". Fast Company. Retrieved 10 March 2015. 
  48. ^ "Forbes Cloud 100". Forbes. Retrieved 29 October 2016. 
  49. ^ The Terrifying Power of Internet Censors, By Kate Klonick, New York Times, September 13, 2017
  50. ^ Simcoe, Luke (2012-06-14). "The 4chan breach: How hackers got a password through voicemail". Maclean's. Retrieved 2012-07-12. 
  51. ^ Ms. Smith (2012-06-03). "Hacktivists UGNazi attack 4chan, Cloudflare and Wounded Warrior Project". Privacy and Security Fanatic. NetworkWorld. Retrieved 2012-07-12. 
  52. ^ Prince, Matthew (4 June 2012). "The Four Critical Security Flaws that Resulted in Last Friday's Hack". CloudFlare. 
  53. ^ Honan, Mat. "Teenage Hacker 'Cosmo the God' Sentenced by California Court". WIRED. 
  54. ^ Schwencke, Ken (May 4, 2017). "How One Major Internet Company Helps Serve Up Hate on the Web". ProPublica.org. Retrieved 6 May 2017. 
  55. ^ Anonymity and Abuse Reports
  56. ^ "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. 2017-02-23. Retrieved 2017-02-28. 
  57. ^ Joseph Steinberg (February 24, 2017). "Why You Can Ignore Calls To Change Your Passwords After Today's Massive Password Leak Announcement". Inc. Retrieved February 24, 2017. 
  58. ^ Molina, Brett (February 28, 2017). "Cloudfare bug: Yes, you should change your passwords". USA Today. Retrieved 1 March 2017. 
  59. ^ "Host Exploit - World Host Report March 2014" (PDF). hostexploit.com. Retrieved 2015-06-20. 
  60. ^ Yadron, Danny (29 September 2014). "CloudFlare Pushes More Encrypted Web". Retrieved 10 August 2015. 
  61. ^ Kovacs, Eduard (17 March 2014). "Underground Payment Card Store Rescator Hacked and Defaced". Retrieved 10 August 2015. 
  62. ^ Krebs, Brian (15 January 2015). "Spreading the Disease and Selling the Cure". Retrieved 14 August 2015. 
  63. ^ "Testimony of Evan F. Kohlmann" (PDF). docs.house.gov. 27 January 2015. 
  64. ^ Edgecombe, Graham (12 October 2015). "Certificate authorities issue SSL certificates to fraudsters". Retrieved 14 October 2015. 
  65. ^ Hern, Alex (19 November 2015). "Web services firm CloudFlare accused by Anonymous of helping Isis". Retrieved 19 November 2015. 
  66. ^ "CloudFlare CEO: Anonymous Hacker Gripes About ISIS Support 'Absurd'". Fortune.com. Retrieved 2017-02-28. 
  67. ^ "Cloudflare and Spamhaus". Word to the Wise. 2012-07-16. Retrieved 2017-02-28. 

External links[edit]