And insurances provide monetary compensation until you become a common liability, too high to be covered by any sort of fee.
DDOS protection is just the same. It’s only feasible if it happens rarely, like they usually happen.
However if it’s a common occurrence it will just eat up the profits made by the fees and then some, which just is stupid to do in any case.
I don’t want TP convince anyone they are not like jerks, but rather highlight why a corporation would do something like this to a (most likely) lucrative client.
It’s a completely different thing. DDoS protection is not like insurance. Insurance is putting monetary value on a risk and paying off if that risk materialises. DDoS mitigation is a set of technical measures that are implemented. Most of the DDoS protections are features which are implemented (e.g., when the traffic is more than X, require captcha for all requests). It doesn’t have any marginal cost for the provider.
And you can argue the same for the network infrastructure. Once you have the bandwidth, as long as it’s not saturated it is a waste letting it idle.
So I really don’t see how even being under DDoS every day can “eat up your fees”. Maybe you can elaborate?
You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?
To me it seems a really arbitrary argument. Insurance companies estimate a risk, and if their chance to pay is almost certain, then for them there is no point in insuring you, they lose for sure so they refuse you.
DDoS protection services don’t pay if their customers get DDoS. Cloudflare doesn’t need to go and deploy more network appliances every time a customer gets DDoS’d, nor they need to hire additional engineers to implement features. They have done this already and if they do it’s a company-wide investment, not a per-client investment.
You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?
The majority of factories. They get an order in and produce the product until that order is fulfilled. They don’t have to be running 24/7, it is just that that is the most profitable.
But if you stick to your “analogy”, a factory also chooses who their customers are. And if some are too demanding, they just drop them. Like the casinos.
Also, once factories have machines etc., they might prioritize one customer over another, but I doubt they decide a customer is not profitable. In fact, digital businesses don’t have by design the problems posed by the physical world, and this is especially true in b2c businesses…
I should have elaborated on it a bit more, my bad.
While it’s true that DDoS is more of an active technology rather than a CYA thing.
It does however also act as insurance when it comes to the “blame game”: if your site goes down it’s not your fault but the provider’s fault, meaning you might be able to recoup lost profits through a lawsuit.
Of course the only way to avoid this for the provider is to provide better and stronger systems, which normally would grow homogenous through more customers and/or growing fees for all customers, which would pay for better capacity and stronger protection by itself.
However here we have a client that is a high value target that others might want to take down at all costs.
Even if they didn’t sue, a strong enough attack might, alongside naturally expected DDoS on other clients, not only take down this customer’s server, but others as well, which really isn’t something you want, for the reasons stated above.
And rapidly increasing security could be not worth it, as it could devolve into an arms race by proxy with a high risk of the customer leaving if you raise their fees to much, leaving you with a system which’s maintenance will now dig into your profits due to a lost big income stream, or make other customers leave if you raise the general fee.
To be honest, I have never even heard of anybody who sued a service provider for failing to mitigate DDoS, or for letting an attack through a WAF, etc.
I am quite positive that the contracts/T&C you sign when you subscribe to the services are rock solid, otherwise cloudflare would be under extreme liability. Also, usually you have the ability to customize the DDoS settings, choose thresholds etc. I really can’t imagine a company having any real chance of getting the provider to reimburse you. The only service that usually has SLA is the uptime of the CDN, which if breached should be compensated. I am quite sure that in the cheap plans the SLA is probably not very high.
Also, what you say about a customer that someone might want to take down is true for all customers that require DDoS protection. If they didn’t, they wouldn’t pay for the service on the first place. Cloudflare serves a bazillion customers who are much bigger targets than a casino, I don’t think they were afraid of the exposure. Also, when cloudflare receives a high DDoS attack, for them is awesome marketing. Imperva, Akamai, Cloudflare are basically identical and the selling point is exactly “how big can they tolerate?”.
Honestly rather than speculating on what we don’t know, I propose a simpler option: cloudflare plans are designed to get customers one foot in the door with a super cheap plan, to them each individual customer has basically no marginal cost. However, once the customers are in they can identify the ones they can squueze and find reasons to push more expensive plans. If they bump 1/30 of them, even if they other 29 will leave, they are in plus (250x29 < 10000 x 1).
To me this seems simply a business strategy. They specifically say “Unlimited & unmetered DDoS attack mitigation” in the cheapest plan, afterall.
It doesn’t matter where you are based (as a company, if this is what you meant), it matters where you operate, and lots of countries are regulated (not only Western - which in many cases are not, incl. many US states). There are basically three types of markets: regulated, gray (not regulated, not forbidden) and black (forbidden).
Different companies operate in different markets, depending on their strategy (and level of shadiness). Payment processing (deposits & payouts) is done using external providers (as many as possible to serve different countries), and there are quite a lot of regulations regarding money laundering, politically exposed people and so on that they have to comply with, both for gambling regulations and international laws (e.g., European laws are quite strict when it comes to AML).
Obviously you may have customers from a regulated country without “operating” there, which means advertising, offering the site in their language, etc. But, when you withdraw money identity verification is necessary, and companies can be fined (or worse) if they willingly retain customers from regulated markets without the local license.
So yeah, there are companies that do shady stuff, but mostly it depends on country regulations. The company I worked for targeted Nordic Europe (mix of gray and regulated markets) and South America (mostly gray markets, on the way to be regulated), for example. Usually gaming authorities are quite keen in collecting their taxes, so they tend to be quite active in pursuing those who violate their regulations (like if you decide to operate where you can’t).
It’s not that they got DDoSed, it’s that unregulated off-shore gambling is illegal in many countries, so their IP addresses were getting blocked in these countries. The way CDNs like CloudFlare work is that many customers share the IP addresses, so they were getting other CloudFlare customers blocked as well.
CF wanted them to move to a “bring your own IP” plan so that their IP blocks wouldn’t affect other customers, and that came with the steep price tag.
That’s not what OC mentioned, which is what I was answering to. They mentioned the logic that getting DDoS made them unprofitable customers, I questioned it.
I perfectly understand the issue. If cloudflare was getting their IP blocked in countries where the casino was dodging regulations, they should have simply written that, and forced the customer to block traffic from those countries. The BYOIP is not the only way to solve it. Imperva forced the website i worked for to block Russia (which was not a market we were operating in) to prevent their IPs being blocked in Russia, for example. They didn’t bring it up as an option somehow, and that gives to this an extortion vibe.
An online casino would mostly benefit from WAF, DDoS protection and caching.
The arguments I was responding to is like saying that if you get too many web attacks they should kick you because the WAF is not anymore profitable. It doesn’t make any sense.
Online casinos are also tech. The devops in the article literally says they set up proxies to continue operating in countries where their main domain is blocked. I know the core domain of casinos are very regulated, but I doubt the entire tech aspect of online casinos are regulated. I imagine there’s plenty of fuckery to do there.
Also casinos will throw out people who benefit too much at the expense of the casino. The casino benefitted too much at the expense of Cloudflare and refused to share the profits, so Cloudflare did what any casino would do and kicked them out.
The entire tech aspect of online casinos is regulated, from procedure to register customers, to bonuses, to segmentation, to popups that you need to show during game, to responsible gaming features, to security controls in the infrastructure, to reporting etc. I worked for one and I took care of the compliance to licenses. Nothing is perfect, of course, but you are under tight scrutiny, especially when you start accumulating licenses.
I don’t think casinos will throw out anybody ATM, they mostly work on quantity of users, they don’t care of few individuals who win (in fact they are good business - they will most likely play again in the future). Actions are taken against specific segments of users that are deemed high risk (e.g. suspected sure-betters, syndicates etc.).
There is no need to throw them out, usually limits are applied.
For cloudflare, still nobody explained to me how using features and bandwidth already available costed anything more for Cloudflare.
Cloudflare as a business provides DDOS protection. If they kick out those who get ddos’s, what’s their value? (Sure, WAF etc. but you get the point).
Also, as much as casinos are ethically questionable, they are also business. Very regulated businesses even (while tech is kind of a Wild West).
And insurances provide monetary compensation until you become a common liability, too high to be covered by any sort of fee. DDOS protection is just the same. It’s only feasible if it happens rarely, like they usually happen. However if it’s a common occurrence it will just eat up the profits made by the fees and then some, which just is stupid to do in any case.
Comparing Cloudflare to insurance companies is not how you’ll convince me they’re not acting like jerks lol
I don’t want TP convince anyone they are not like jerks, but rather highlight why a corporation would do something like this to a (most likely) lucrative client.
It’s a completely different thing. DDoS protection is not like insurance. Insurance is putting monetary value on a risk and paying off if that risk materialises. DDoS mitigation is a set of technical measures that are implemented. Most of the DDoS protections are features which are implemented (e.g., when the traffic is more than X, require captcha for all requests). It doesn’t have any marginal cost for the provider.
And you can argue the same for the network infrastructure. Once you have the bandwidth, as long as it’s not saturated it is a waste letting it idle.
So I really don’t see how even being under DDoS every day can “eat up your fees”. Maybe you can elaborate?
It is similar in that there’s a pool of resource shared between all the clients, and the service provider can shift this resource around when in need.
You can make this argument for literally every business, though. Which business does not have a single pool of resources and multiple clients to consume them?
To me it seems a really arbitrary argument. Insurance companies estimate a risk, and if their chance to pay is almost certain, then for them there is no point in insuring you, they lose for sure so they refuse you.
DDoS protection services don’t pay if their customers get DDoS. Cloudflare doesn’t need to go and deploy more network appliances every time a customer gets DDoS’d, nor they need to hire additional engineers to implement features. They have done this already and if they do it’s a company-wide investment, not a per-client investment.
The majority of factories. They get an order in and produce the product until that order is fulfilled. They don’t have to be running 24/7, it is just that that is the most profitable.
But if you stick to your “analogy”, a factory also chooses who their customers are. And if some are too demanding, they just drop them. Like the casinos.
OK, sorry. Digital services businesses.
Also, once factories have machines etc., they might prioritize one customer over another, but I doubt they decide a customer is not profitable. In fact, digital businesses don’t have by design the problems posed by the physical world, and this is especially true in b2c businesses…
I should have elaborated on it a bit more, my bad.
While it’s true that DDoS is more of an active technology rather than a CYA thing. It does however also act as insurance when it comes to the “blame game”: if your site goes down it’s not your fault but the provider’s fault, meaning you might be able to recoup lost profits through a lawsuit.
Of course the only way to avoid this for the provider is to provide better and stronger systems, which normally would grow homogenous through more customers and/or growing fees for all customers, which would pay for better capacity and stronger protection by itself.
However here we have a client that is a high value target that others might want to take down at all costs. Even if they didn’t sue, a strong enough attack might, alongside naturally expected DDoS on other clients, not only take down this customer’s server, but others as well, which really isn’t something you want, for the reasons stated above. And rapidly increasing security could be not worth it, as it could devolve into an arms race by proxy with a high risk of the customer leaving if you raise their fees to much, leaving you with a system which’s maintenance will now dig into your profits due to a lost big income stream, or make other customers leave if you raise the general fee.
To be honest, I have never even heard of anybody who sued a service provider for failing to mitigate DDoS, or for letting an attack through a WAF, etc. I am quite positive that the contracts/T&C you sign when you subscribe to the services are rock solid, otherwise cloudflare would be under extreme liability. Also, usually you have the ability to customize the DDoS settings, choose thresholds etc. I really can’t imagine a company having any real chance of getting the provider to reimburse you. The only service that usually has SLA is the uptime of the CDN, which if breached should be compensated. I am quite sure that in the cheap plans the SLA is probably not very high.
Also, what you say about a customer that someone might want to take down is true for all customers that require DDoS protection. If they didn’t, they wouldn’t pay for the service on the first place. Cloudflare serves a bazillion customers who are much bigger targets than a casino, I don’t think they were afraid of the exposure. Also, when cloudflare receives a high DDoS attack, for them is awesome marketing. Imperva, Akamai, Cloudflare are basically identical and the selling point is exactly “how big can they tolerate?”.
Honestly rather than speculating on what we don’t know, I propose a simpler option: cloudflare plans are designed to get customers one foot in the door with a super cheap plan, to them each individual customer has basically no marginal cost. However, once the customers are in they can identify the ones they can squueze and find reasons to push more expensive plans. If they bump 1/30 of them, even if they other 29 will leave, they are in plus (250x29 < 10000 x 1).
To me this seems simply a business strategy. They specifically say “Unlimited & unmetered DDoS attack mitigation” in the cheapest plan, afterall.
I think they are only “very regulated” if they are based in certain western countries?
I used to hear a bunch of stories about issues getting payouts.
It doesn’t matter where you are based (as a company, if this is what you meant), it matters where you operate, and lots of countries are regulated (not only Western - which in many cases are not, incl. many US states). There are basically three types of markets: regulated, gray (not regulated, not forbidden) and black (forbidden). Different companies operate in different markets, depending on their strategy (and level of shadiness). Payment processing (deposits & payouts) is done using external providers (as many as possible to serve different countries), and there are quite a lot of regulations regarding money laundering, politically exposed people and so on that they have to comply with, both for gambling regulations and international laws (e.g., European laws are quite strict when it comes to AML).
Obviously you may have customers from a regulated country without “operating” there, which means advertising, offering the site in their language, etc. But, when you withdraw money identity verification is necessary, and companies can be fined (or worse) if they willingly retain customers from regulated markets without the local license.
So yeah, there are companies that do shady stuff, but mostly it depends on country regulations. The company I worked for targeted Nordic Europe (mix of gray and regulated markets) and South America (mostly gray markets, on the way to be regulated), for example. Usually gaming authorities are quite keen in collecting their taxes, so they tend to be quite active in pursuing those who violate their regulations (like if you decide to operate where you can’t).
It’s not that they got DDoSed, it’s that unregulated off-shore gambling is illegal in many countries, so their IP addresses were getting blocked in these countries. The way CDNs like CloudFlare work is that many customers share the IP addresses, so they were getting other CloudFlare customers blocked as well.
CF wanted them to move to a “bring your own IP” plan so that their IP blocks wouldn’t affect other customers, and that came with the steep price tag.
That’s not what OC mentioned, which is what I was answering to. They mentioned the logic that getting DDoS made them unprofitable customers, I questioned it.
I perfectly understand the issue. If cloudflare was getting their IP blocked in countries where the casino was dodging regulations, they should have simply written that, and forced the customer to block traffic from those countries. The BYOIP is not the only way to solve it. Imperva forced the website i worked for to block Russia (which was not a market we were operating in) to prevent their IPs being blocked in Russia, for example. They didn’t bring it up as an option somehow, and that gives to this an extortion vibe.
They provide a whole lot more to begin with.
Sure, which is why I said:
An online casino would mostly benefit from WAF, DDoS protection and caching.
The arguments I was responding to is like saying that if you get too many web attacks they should kick you because the WAF is not anymore profitable. It doesn’t make any sense.
They didn’t get kicked out. Just moved to a more expensive solution / pricing structure
I am arguing with the logic that claims this is reasonable, not discussing what they did.
I don’t have a problem saying that they should charge more, but it’s them who made an unlimited plan to become a monopoly charging 250/month.
Online casinos are also tech. The devops in the article literally says they set up proxies to continue operating in countries where their main domain is blocked. I know the core domain of casinos are very regulated, but I doubt the entire tech aspect of online casinos are regulated. I imagine there’s plenty of fuckery to do there.
Also casinos will throw out people who benefit too much at the expense of the casino. The casino benefitted too much at the expense of Cloudflare and refused to share the profits, so Cloudflare did what any casino would do and kicked them out.
The entire tech aspect of online casinos is regulated, from procedure to register customers, to bonuses, to segmentation, to popups that you need to show during game, to responsible gaming features, to security controls in the infrastructure, to reporting etc. I worked for one and I took care of the compliance to licenses. Nothing is perfect, of course, but you are under tight scrutiny, especially when you start accumulating licenses.
I don’t think casinos will throw out anybody ATM, they mostly work on quantity of users, they don’t care of few individuals who win (in fact they are good business - they will most likely play again in the future). Actions are taken against specific segments of users that are deemed high risk (e.g. suspected sure-betters, syndicates etc.). There is no need to throw them out, usually limits are applied.
For cloudflare, still nobody explained to me how using features and bandwidth already available costed anything more for Cloudflare.