76 Comments

This happened to us at BMW. Legal threatened to sue for millions in business and strangely everything was restored with NO FEEDBACK.

Hi, we've had the exact same thing happen to us, the BYOIP, the trust and safety team but it was sales, we can talk and discuss about how to NOT use Cloudflare?

You could talk about how to sue Cloudflare TBH.

I had the exact same experience with my company, except it didn’t lead to a complete block.

We operate in the same industry and faced the same approach from the sales managers. Initially, they bombarded us with emails suggesting we discuss the Enterprise plan. A few weeks later, they demanded an urgent call due to a serious issue flagged by Trust & Safety (T&S), despite us not receiving any prior complaints.

During the call, we were told that we were putting Cloudflare’s network at risk. We were baffled—how could this be caused by the mirrors we had, which didn’t even have traffic? It felt like extortion to us.

I spent many sleepless nights preparing to migrate to Fastly, but after we began removing our domains from Cloudflare and transferring them, the managers suddenly commented that they saw we had resolved the issue and wished us well, advising us to reach out if we needed anything else. Nice!

This was my first encounter with such sales tactics, and to say the least, I despise it. Cloudflare’s product is excellent, but the actions of their sales team are like a drop of tar in a barrel of honey—they ruin everything.

Cloudflare Employee Deleted His/Her Post, Reposting for Context:

==========================================

This is a classic case of someone demonstrating themselves as being victimized in an effort to get others to sympathize with them. All the while, creating artificial ill will towards a vendor.

Imagine the horror of a company trying to run a sustainable business model where they return a profit???!!!

I read this and I see someone that's portraying their role in the situation as "we've done nothing wrong and they want to make us pay $120K to continue doing business." This requires peeling back the layers of the onion to see where the fault truly lies.

Since you’re openly sharing domains/emails of who you spoke with at the vendor, surely you could share the domains you are using for your business.

If it’s a casino, it should be something we could go look at and become a customer of, right?

I mean...who doesn’t love a little online gambling in the middle of the night, right?

Why not come clean with the details of what they observed you doing to level the playing field?

This following statement is utter BS and IMHO, discredits anything else you've shared:

“When we told them we were also in talks with Fastly, they suddenly "purged" all our domains, causing huge downtime in our core business, sleepless nights migrating away from CF, irreparable loss in customer trust and weeks of ongoing downtime in our internal systems.”

Clearly your talking to Fastly had nothing to do with your domains being purged.

Your domains were purged because you were in violation of terms of service. Not because you were talking to a competitor.

"Your account and domains were brought to our attention following intelligence of your account being involved in domain rotation activities, namely, activities to evade or otherwise circumvent blocks being placed on you by a third party."

In other words, you allegedly knew there were attempts by third parties to place the Cloudflare owned IPs associated with your account on block lists. Cloudflare detected said alleged activities carried out by your organization to circumvent them from being added to block lists.

And of course, this is all being done with IP addresses that belong to Cloudflare - not to you.

Anyone that understands how Cloudflare works knows their IP address space is shared across all of their customers. I would hope they would care a lot about the reputation of their IP address space.

Any actions that put their IP addresses at risk subsequently puts their other customers at risk.

Had you been using BYOIP all along, this probably would not have even been an issue and you probably would still be on their platform.

But BYOIP is only available to customers on an Enterprise plan so it isn't cheap.

I guess it's a calculated risk on your part. What is the cost to your organization if it was blocked vs. the cost to your organization for services that provide you with the ability to do what you need with your own addresses?

The email from support on 05/03/2024 informed you that you had 48 hours to provide them with what they requested or discontinue the activities:

"Usage of Cloudflare services for this purpose is strictly prohibited, and we would request you provide information as to what your account and domains are being used for within the next 48 hours. Note that your account may be terminated should you fail to respond, or otherwise react to this notice."

Based on what support said, they would have purged your domains on May 5th, had they followed what they said they were going to do.

The log you shared shows your domains were purged on 05/16/2024 - 13 days after the day they reached out to you.

They were actually very generous seeing as how they provided an additional 11 days to get things under control and to move you to a plan that was more in line with your actual utilization and requirements.

They kept up with their commitment until they determined you were in violation of the terms of service.

Once you violate terms of service, it doesn’t matter who the provider is, the provider has every right to shut you down.

This is all too typical. Most people do not realize how much bandwidth, infrastructure, colocation facilities, R&D, support, etc. cost. Even on a Business plan for $250/month I would have to think they were losing money on your account.

Anyone can spend time going through the Cloudflare subreddit and read of the horrors of how they treated someone on a Free ($0)/Pro ($25)/Business ($250) plan.

Pricing is not based sheerly on the amount of bandwidth consumed or data transferred. There is a wide range of factors that influence the price.

It would be interesting to see what services Fastly required you to sign up for. Or how long you last on Fastly should you end up violating their TOS.

Hopefully your risk management team has a contingency plan in place in the event that you get booted from Fastly as well.

I don't think any of us want to see you go additional sleepless nights!

My take on the post appears very different to yours (or deleted CF employee). It didn't appear he was disputing the price or need to pay, but disputing how the situation was handled - with lack of professionalism, transparency and heavy-handed sales tactics which were simply not necessary or appropriate.

$120k may not be a substantial amount for a casino but a request to pay monthly is a reasonable one which could have been accommodated and likely prevented this whole issue. There appeared to be no desire for CF to work with the customer or answer any questions beyond the demand for money, most businesses would try harder to upsell a customer to $120k not cut them off.

My biggest problem with it is that this was clearly a sales tactic _from the start_. The initial e-mail came from a Sales Development Rep (SDR), a job that is focused on generating leads for the sales team. It didn't come from somebody in a technical role.

CF has a process that generates leads from existing, low-spend customers and funnels them into SDRs to push them towards high-spend programs. That's totally acceptable IF the limits are clear -- "Hey, your business plan only covers X amount of traffic and you're at 2X, we need to address this" -- but, if everything played out as shown here, this is a highly unethical sales process.

I don't think we should take issue with a member of biz dev leading the process. I don't particularly like some sales teams, but others are perfectly fine to discuss the scope of an account.

I do think there's an issue with not engaging in a dialogue over the billing and sticking to a script. If you want someone to pay $120k, your biz dev team better be prepared to put some effort in.

Overall, I think both sides have some culpability for the outage. It was a business risk that management either didn't understand or didn't take seriously. And it was a massively missed opportunity for Cloudflare.

I have also encountered aggressive and unprofessional behavior from Cloudflare, and I agree with the author. I highly recommend avoiding their product. Even their emails demonstrate their lack of professionalism and aggression. I disagree with the user "Zorro The Anti Victimizer." While it's beneficial for users to share their opinions, it's problematic when comments come from Cloudflare's sales team and are passive-aggressive.

In short, do not use Cloudflare. It's a poor-quality service with unprofessional sales tactics. Shame on them.

Healthy paranoia seems to be appropriate for any critical vendor.

I previously thought that Cloudflare had a record of resisting censorship on their platform. This makes me rethink using any vendor in a way which cannot be dismissed in a moment.

Cloudflare has a history of caving to censorship demands, e.g. Kiwifarms.

Thank you for the lead. Whether I like the sites they block or not, it's troubling to see vendors try to claim both sides of the Section 230 legislation. Either be a content provider _OR_ a platform, not both.

Aw, your poor doxing and harassment website got shut down?

Who should decide what you're allowed to read?

Redefining "who should decide who gets to harass and dox people for fun" as "who should decide what you're allowed to read" is an interesting USA brainworm.

I vaguely remember there was some sort of system in place to investigate, evaluate and sanction criminal offenses such as harassment. Might have been the Cloudflare Trust and Safety team, I don't quite remember.

Well, if you knew the answer, why ask.

everybody who uses kiwifarms should kill themselves, of course their website should be censored.

Me

That's actually the point. Censorship means someone else (not you) is deciding what you are allowed to read.

Sorry, no. Censorship is when the government decides what you are allowed to read. A private company that isn't legally discriminating can choose who to associate with.

Back in the day you could just send emails pretending to work at company XYZ and they would give you direct IP addresses.

good old days

Jun 9·edited Jun 9

I think it depends on size of player. Smaller piracy/nsfw sites easily use Cloudflare to evade blocks from small ISPs because of IP rotation and sharing. Bigger players are followed up and cloud providers like Cloudflare are alerted and are told their IP will be put in some blacklist. Then it is followed up seriously.

OP mentioned his main domain was blocked in a country and he was using a backup domain. It does sound shady and I guess CF wanted to cash in the opportunity.

May 31·edited May 31

Guys you are misreading this. CloudFlare wanted out of the relationship at all costs, period. OP openly admits to using CF to rotate IPs in case one of theirs gets banned by a gambling regulatory body. Think about it, if they wanted to keep the relationship they would have found a way, but obviously they weren't trying to negotiate.

Obviously this is terrible PR and bad corporate communication, but the truth is probably that CF's legal/risk department didn't want to create a bunch of discovery on an email server somewhere that could be subpoenaed. So they made a high-ball offer in bad faith to find an excuse to kill the relationship. Maybe they would have accepted the extra money if the offer had been accepted (because it is a business), but probably they figured they needed that because the risk/reward profile was out of whack.

The risk managers made them do it. CF was making very little money from this and they were running very high risks by enabling the customer to break the law by violating ToS (which they openly admit to doing). You guys are trashing CF for being a bad actor but read between the lines, if they wanted to keep the account they wouldn't have summarily deleted the entire thing at the slightest provocation.

I have no sympathy for the OP. Gambling destroys people's lives. Some people have no ability to control themselves, and it's a tax on the stupid. If you want to use someone else's services to violate ToS then you should expect to be rugpulled. If you've ever dealt with litigation holds or subpoenas from a prosecutor's office before you will realize that it gets insanely expensive VERY FAST, so the price tag CF demanded was probably commensurate with the risk profile of the customer.

The real scandal here is that CF may have indeed been willing to just take the $120k and look the other way to continue to facilitate the customer's [probably] illegal activities. To me that's what's shady. The ethical thing to do would have been to just inform them they were in violation of ToS and shut them down. Clearly there are no shortage of ethical issues on all sides here.

Yup. CF CEO's mind right before the first email interaction:

"We can either do axe $250/m or profit from poor gambling addicts and improve our bottom line... lol... it's time for our gamble"

Thanks to this drama I learned that I can safely strike Cloudflare from my list of hosting options for future projects. The "gambling is bad" was obvious already.

> There's a reason why they have no public information anywhere on traffic limits or Enterprise pricing.

This should have been a red flag from the very beginning. The best rule is, never *ever* engage in business with a person or company whose products or services don't have an up-front price tag. It means they're going to try to find a way to milk you for every dollar they can.

Cloudflare seems suspiciously close to being a protection racket.

You have to be brain dead to believe these clowns from an online casino that they have been served with a 120k bill to pay in 24h. What a ridiculous lie. I know a person familiar with an issue from Cloudflare, soon you will hear their part of the story too. They even have posted personal data of employees on reddit, what disgusting people. Anyway I’m happy that this scam casino got shut down, absolutely no empathy to these offended individuals, they got what they deserved.

Cloudflare likes to present itself as this neutral party here to help everyone on the internet. While Cloudflare is the complete opposite, it is a very hostile, hateful, vindictive, and hypocritical company. We've seen this many times before. It sounds like Cloudflare just didn't want to do business with your company because it is a casino. Cloudflare could have easily offered a contract requiring your company to pay 10k monthly for 12 months with penalties on cancellation.

I suspect this is not money motivated and actually more political.

Seems to me that the better approach would have been to have a higher monthly payment option or a lower up-front cost. Perhaps you go $10k per month for monthly, and reduce to $9k per month if paid up front. This is not difficult. Or maybe they go the other way. You're going to get $10k for front. If you want to pay monthly, the price goes to $11k. One way or the other, this whole story smacked of a heavy handed approach to sales that legitimately harmed both companies in the end.

I don't even know where to start with this, I have personal and direct experience with every line that has been put in here....you should have known the risk of a single point of failure from the very beginning. If the business has been ongoing for many years, you need to be prepared for this. Specifically if you have explored other options (Akamai, Fastly etc) you know that many of them demand licenses for the markets you are aiming for, which obviously you don't have, as if you had such papers you would not be facing the DNS blocks that you are being imposed on by the regulators of the countries that go on the offense here (A specific land mass in the southern hemisphere that has kangaroos roaming comes to mind....). It's the reason I was very loud against using all the other wonderful features CF has.....Workers......etc. In the end, I have sympathy as I know exactly what happened here (before and after the nuclear option exercised by CF). The pay-for a year in advance, this is new to me but possibly an evolution on what happens with our specific industry. As far as uncached authenticated API requests....CF is a tool, just like a 747 is a tool. Don't expect it to fly by itself, this is the part where you EARN your wage (either that or submit your CV to the engineering team of CF and work for them developing these features that ofc are not free). One more note, CF is used to dealing with a lot of fire aimed at them from lawyers, demanding to take down all sorts of stuff. Before they came to you, no doubt they evaluated the issues they were getting (letters/demands) versus your volume, history and most of all the capacity the business has, to pay versus the value you get (being able to play the endless creation of mirrors), so this, like everything else, is a balance (for both).

Thank you for your very well-informed, insightful, and intelligent comment. You have added a lot of value, in stark contrast to all the blithering, reactionary nonsense that I am seeing on this forum. None of these people has dealt with legal before, Dunning-Kruger is running very strong throughout, and the hype-cycle that the original post generated is (mostly) unwarranted.

The only sad thing here is that CF seemed to be willing to just take $120k and look the other way to continue to facilitate the [likely] illegal activities that the OP admits to doing (i.e. trying to circumvent IP blocks by regulatory authorities).

Your comment about the client company's failure to do proper regulatory due diligence is extremely well taken. If I were an investor in this site I would never hire a single one of these people again. This is their own incompetence for having designed a business around something that they didn't understand without sufficient input from the legal/compliance department. They built a business on a shoddy foundation, and it was kneecapped by a single point of failure.

This whole article is bullshit. I used to work at Cloudflare and now work at a competitor. Sorry, but you were violating their terms of service, likely in multiple ways. Gambling sites using Cloudflare need to use BYOIP in certain situations, especially when they are rotating domains often as you describe. That is clear that you were doing things to harm Cloudflare's IP reputation - skirting local laws, spamming, etc. Whatever you are doing with your domains, you would need your own block of IPs and the SSL for SaaS/Cloudflare for SaaS product so that you are not harming other Cloudflare customers.

Also, whining about $120k/yr? You are literally running a casino and taking advantage of gambling addicts. That amount of money is nothing compared to what you are likely making so I have no clue why you are playing the victim here.

You should really hide the real name and email in your screenshot to protect the representative at CF, they're just doing their job.

"We host a gambling system, gambling is illegal in half the world, we move a lot of money, we exploit people's addiction, and some could even be losing their house, but listen to my story about how they put my website offline and I had to work for a couple of hours"

Funny.

One of my friends shared a quite interesting memory with Cloudflare just a few weeks ago. He thinks they started to create fraudulent or fake invoices. Here is his tweet.

https://x.com/alper_akalin/status/1778500048256401741
