I've always seen cloudflare as a panacea for horribly written websites that need to handle high traffic. A good framework can crank out like 200k requests per second on normal hardware. If you're using something like PHP for a high load site you're asking for trouble and cloudflare might save you from a rewrite.
Their core service is DDoS protection, but the reality is that these attacks are rare and usually small. Most people using cloudflare could save money by just running their own Nginx/varnish reverse proxy. Cloudflare for the most part is just an http reverse proxy, and I've heard they just use nginx internally to do it.
I worked at a software/IT consultancy and some of our clients ran controversial political sites. Lots of them. They were surprising never "attacked" with more than a few hundred requests per second. In fact, none of the few hundred sites we ran was ever attacked while I was there. The only ones that went down a lot were wordpress based sites that could only handle like 7 requests per second past the cache. We ran cloudflare on some of these, but only so it wasn't our fault when they inevitable crashed from xmlrpc bots and other primitive garbage.
Hi; I work for Cloudflare so I just wanted to address some of these points.
We have sites of all platforms and types which are in need of caching services for a variety of reasons. We have e-commerce sites wanting to cache anonymous page views to improve conversion rates through improved speeds, through to services wanting to accelerate dynamic content using our Railgun optimiser.
As a reverse proxy, we do offer an incredibly powerful DDOS mitigation service. Over the past few months we have seen a dramatic increase in DDOS attacks - including multiple DDOS attacks which are greater than 400Gbps. Whilst not all sites will face such attacks, we do offer a service for those who are in need of protection (either as a precaution or to mitigate an active attack).
Our WAF can help protect against other such attacks from SQL Injection to XSS and beyond, for example; we have a rule to protect against XML-RPC attacks. We're constantly improving our feature set and adding more; one such product we're particularly excited to reveal is our Traffic Control solution which can help add extra layers of security to APIs and websites.
Their core service is DDoS protection, but the reality is that these attacks are rare and usually small. Most people using cloudflare could save money by just running their own Nginx/varnish reverse proxy. Cloudflare for the most part is just an http reverse proxy, and I've heard they just use nginx internally to do it.
I worked at a software/IT consultancy and some of our clients ran controversial political sites. Lots of them. They were surprising never "attacked" with more than a few hundred requests per second. In fact, none of the few hundred sites we ran was ever attacked while I was there. The only ones that went down a lot were wordpress based sites that could only handle like 7 requests per second past the cache. We ran cloudflare on some of these, but only so it wasn't our fault when they inevitable crashed from xmlrpc bots and other primitive garbage.