Cloudflare took down our website after trying to force us to pay $120000 within 24h
(robindev.substack.com)
CF doesn't give a fuck about 80tb of traffic. These guys were in severe TOS violation that could affect all CF customers if CF IPs got blocked. Given 48 hours to bring their own IPs and switch to (expensive AF anywhere) enterprise account and finally shut down TWO WEEKS later after trying to weasel their way out of this instead of accepting they need to pay to play this stupid game.
We've been CF customers forever and enshittification is definitely affecting all of their services and mostly customer support, but in this instance I'm 100% on the side of CF.
100%?
...
This is the part that's ridiculous to me. If CloudFlare thinks they're violating TOS that's fine. If they're willing to let them continue with their business as-is as long as they pay more? That's fine. But, scheduling calls with one group and it turns out it's actually CloudFlare's sales team on the phone, that's ridiculous.
Well, the way he describes it does sound messed up, but if the only solution CF is willing to accept is for them to bring their own IPs and that is only available with an enterprise plan, what kind of conversation were they expecting? And like I said in another thread, enshittification at CF affected their customer service the most. We went from being able to speak directly to devs, to people who actually understood the problem, to first tier support that didn't understand shit to 0 tier support that barely understands English.
It seems that you've misunderstood what the issue is here from cloudflare's perspective. The customer was using cloudflare IP addresses, which is causing a knock-on effect for the rest of cloudflare's customers and putting cloudflare as a business themselves at risk. The alternative was for the customer to use their own IP addresses as cloudflare advised. I'm not sure what you think 'Business development' teams do but I certainly wouldn't be expecting engineering advice from them.
Right, so sales should not be involved in any way.
Again, sales should not have been involved in any way.
They are at least not identical to sales. They work with sales, but there's at least some engineering component of the job. In this case if you were told you were meeting with the business development team, you'd expect that there would be talk about an engineering solution to the problem. Not just paying cloudflare more money.
These articles are always embellished, so I would take it with a grain of salt.
I worked for an online casino in the past. What they do is a standard in the industry. The company I worked for was a small startup and owned hundreds of domains, mostly just to protect the brand, 98% of which redirected to the main domain, with a few serving slightly different sites for different jurisdictions (e.g. Ontario regulations require that everything happens under a .ca domain). The "blocking evasion" doesn't require CF to do anything, besides forcing the customer to block traffic from certain countries (the ones where you are suspected to evade the block). At this point - if the casino is really operating in the black or gray markets - they can just set ingress to their site outside CF for those countries only if they really wanted. I worked also for a company who was doing this to allow traffic from Russia, changing every day mirrors (and they had an IT department of maybe 20, it was a joke), and Russia was the main market for them.
If what is told in the article is true - i.e. 95% of the traffic was through the main website - then it doesn't look like they were really doing this sort of evading deliberately, considering that in that 5% you have all your alternative TLDs plus the traffic from gray/black markets. Having hundreds of domains and some small percentage of traffic from black markets is something that just happens, it's different from continuously registering new domains for providing access where the previous ones got DNS blocked (this is domain block). It doesn't seem this is what they were doing based on the article, and if they were, then CF emails didn't mention it, which is insane.
Obviously we don't know the full story, so everything has to be taken with a grain of salt.
I did a quick search through Cloudflare's TOS and did not find anything about gambling. What was the TOS violation here?
What I'm seeing is Cloudflare communicating very poorly about what actions the customer would need to take to keep their site operating, why, and what the timeline would be. "We've determined operating your casino website on Cloudflare IP addresses is an unacceptable risk to our other customers and we require that you upgrade to an Enterprise plan within two weeks or your service will be terminated" is clear, concise, and I believe entirely fair. What they did here makes me think they're an unreliable and unpredictable service provider.
Gambling is not a TOS violation. Exposing CF's IPs to be blocked would affect ALL customers so CF is naturally aggressively protecting those. Running any business that puts CF's IPs at risk is the TOS violation here.
I wish I was the fly on the wall during that meeting, but I have very little doubt the casino understood the problem very well and were trying to weasel their way out of paying for an enterprise service (to anyone) and having to use their own IPs which are trivial to block. And if you continue buying more and rotating it will likely quickly get you on the black list with anyone still selling them.
I may be simplifying and maybe casino's CTO and the entire tech team are a bunch of naive newborns, but I really fucking doubt it.
Again, I'm not seeing an unambiguous TOS violation here. They have some catch-all stuff about creating an undue burden and an even broader clause saying, essentially they can drop any customer without cause. I have no doubt Cloudflare is legally in the clear, but when I read about something like this, I think I wouldn't set anything important up with Cloudflare as a critical part of its infrastructure.
Of course, the author could be leaving out a bunch of context to make himself look good.
If the article was about a non profit or a legit small business with a web presence, I would agree with you. We're talking about massively risky business with spectacular profit margins.
I just don't believe that CF suddenly realized these guys are rolling in money and wanted their cut. The risk just wasn't worth it to CF, confirmed by the fact that they did not negotiate at all and happily lost the casino as their client.
We're easily making enough to pay $120k/yr to CF, but they are not creating that much value for us and we're not introducing any risk to them so what we pay makes sense for both sides.
Maybe I haven't been clear enough.
I have no objection to Cloudflare or any other service provider dropping a risky or unprofitable customer. That's normal and fair in business.
What I don't like is their apparent poor communication and failure to provide a clear (and reasonably distant) deadline so that the author's company could find a solution that avoided downtime. Were I on that company's board, I'd likely be pretty unhappy with the author for not having a contingency plan prepared in advance, but as a third-party observer my main takeaway is that if I rely on Cloudflare and they suddenly decide they don't like something I'm doing, I'm screwed.
Your conclusion is based on only one side of the story. And this story is coming from an unnamed business that's using social media to shit on a provider that dropped them.
But even assuming that's true, name any other large provider that would behave differently. AWS will terminate your services instantly and their support is even worse than CF. Apple is the same and then will take 2 weeks to reply. Google is a ghosting champion.
Just to be clear I'm talking about B2B relationships. Not end user communication.
It's true I'm assuming the author is being honest about what Cloudflare sent them and not leaving out a message where they made the situation abundantly clear. That's definitely possible, and we probably won't find out because big companies don't usually give public responses to this sort of thing.
I can't, and this makes me inclined to believe it's a mistake to rely on any of them without a failover plan. Of course that's effectively impossible for some situations, like mobile apps requiring app store access. That seems like a situation that calls for antitrust enforcement.