ISSN (identifier) The Guardian The Spamhaus Project

Cloudflare, Inc.
Traded asNYSENET
ISINUS18915M1071 Edit this on Wikidata
FoundedJuly 2009; 11 years ago (2009-07)
Key people
Matthew Prince (CEO)
ServicesReverse proxy service
RevenueIncrease US$287.02 million[1] (2019)
Decrease US$−107.95 million[1] (2019)
Decrease US$−105.83 million[1] (2019)

Cloudflare, Inc. is an American web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.[2] Cloudflare's services sit between a website's visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites. Cloudflare's headquarters are in San Francisco.

Cloudflare has faced several controversies over its unwillingness to monitor content distributed via its network[3][4][5][6]—a stance it has defended based on the principle of free speech.[7] Cloudflare stated that it will "continue to abide by the law" and "serve all customers", further explaining "our proper role is not that of Internet censor".[8] These controversies have involved Cloudflare's policy of content neutrality and subsequent usage of its services by numerous contentious websites,[9] including The Daily Stormer and 8chan,[10] an imageboard which has been linked to multiple mass shootings in the United States and the Christchurch mosque shootings in New Zealand.[11][12] Under public pressure, Cloudflare terminated services to The Daily Stormer in 2017 and to 8chan following the 2019 El Paso shooting.


Cloudflare was created in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn.[13] It received media attention in June 2011 for providing security services to the website of LulzSec, a black hat hacking group.[14] Cloudflare acts as a reverse proxy for web traffic. Cloudflare supports web protocols, including SPDY and HTTP/2. In addition to this, Cloudflare offers support for HTTP/2 Server Push.[15] From 2009, the company was venture-capital funded.[16] On August 15, 2019, Cloudflare submitted its S-1 filing for IPO on the New York Stock Exchange under the stock ticker NET.[17] It opened for public trading on September 13, 2019, priced at $15 per share.[18]

In February 2014, Cloudflare mitigated what was at the time the largest ever recorded DDoS attack, which peaked at 400 Gigabits per second against an undisclosed customer.[19] In November 2014, Cloudflare reported another massive DDoS attack with independent media sites being targeted at 500 Gbit/s.[20] In March 2013, the company defended The Spamhaus Project from a DDoS attack that exceeded 300 Gbit/s. Akamai's chief architect stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet".[21][22] Cloudflare has also reportedly absorbed attacks that have peaked over 400Gbit/s from an NTP Reflection attack.[23]

In 2014, Cloudflare introduced an effort called Project Galileo in response to cyberattacks against vulnerable online targets, such as artists, activists, journalists, and human rights groups. Project Galileo provides such groups with free services to protect their websites. In 2019, Cloudflare announced that 600 users and organizations were participating in the project.[24] On April 1, 2019, Cloudflare announced a new freemium Virtual Private Network service named WARP. The service would initially be available through the mobile apps with a desktop app available later.[25] On September 25, 2019, Cloudflare released WARP to the public.[26][27] The beta for macOS and Windows was announced on April 1, 2020.[28]


Cloudflare has come under pressure on multiple occasions due to its policies and for refusing to cease technical support (such as DNS routing and DDoS mitigation) of websites such as LulzSec, The Daily Stormer, and 8chan.[3][4][5][7] Some have argued Cloudflare's services allow access to content which spreads hate and has led to harm and deaths.[11][12][29][30][31] However Cloudflare, as an Internet infrastructure provider, has broad legal immunity from the content produced by its users.[32]

Cloudflare provided DNS routing and DoS protection for the white supremacist and neo-Nazi website, The Daily Stormer. In 2017 Cloudflare stopped providing their services to The Daily Stormer after an announcement on the controversial website asserted that the "upper-echelons" of Cloudflare were "secretly supporters of their ideology".[33] Previously Cloudflare had refused to take any action regarding The Daily Stormer, despite widespread public pressure.[32] As a self-described "free speech absolutist", Cloudflare's CEO Matthew Prince, in a blog post, vowed never to succumb to external pressure again and sought to create a "political umbrella" for the future.[32] Prince further addressed the dangers of large companies deciding what is allowed to stay online, a concern that is shared by a number of civil liberties groups and privacy experts.[34][35][36] The Electronic Frontier Foundation, a US digital rights group, said that services such as Cloudflare "should not be adjudicating what speech is acceptable", adding that "when illegal activity, like inciting violence or defamation, occurs, the proper channel to deal with it is the legal system."[33]

According to The Huffington Post, Cloudflare provides services to "at least 7 terrorist groups", as designated by the United States Department of State.[4][6] According to the article, Cloudflare provides services to the Taliban, Hamas, the al-Quds Brigades, and other terrorist groups, have been aware since at least 2012, and have taken no action. According to Cloudflare's CEO, no law enforcement agency has asked the company to discontinue these services.[37]

In 2019, Cloudflare was criticized for providing services to the discussion and imageboard 8chan, which allows users to post and discuss any content with minimal interference from site administrators. The message board has been linked to mass shootings in the United States and the Christchurch mosque shootings in New Zealand.[11][12][29] In addition, a number of news organizations including The Washington Post and The Daily Dot have reported the existence of child pornography and child sexual abuse discussion boards.[30][31][38] A Cloudflare representative has been quoted by the BBC saying that the platform "does not host the referenced websites, cannot block websites, and is not in the business of hiding companies that host illegal content".[39] In an August 3 interview with The Guardian, immediately following the 2019 El Paso shooting, CEO Matthew Prince defended Cloudflare's support of 8chan, stating that he had a "moral obligation" to keep the site online.[40] In August 2019, Cloudflare terminated services to 8chan, an American imageboard, after the perpetrator of the 2019 El Paso shooting allegedly used the website to upload his manifesto.[41]

Cloudflare services have been used by Rescator, a carding website that sells stolen payment card data.[42][43][44] Two of the top three online chat forums belonging to the Islamic State of Iraq and the Levant (ISIL) are guarded by Cloudflare. According to Prince, U.S. law enforcement has not asked Cloudflare to discontinue the service, and they have not chosen to do so themselves.[37] In November 2015, hacktivist group Anonymous discouraged the use of Cloudflare's services following the ISIL attacks in Paris and the renewed accusation that Cloudflare aids terrorists.[45] Cloudflare responded by calling the group "15-year-old kids in Guy Fawkes masks", and saying that whenever such concerns are raised they consult anti-terrorism experts and abide by the law.[46]

In late 2019, Cloudflare was criticized for providing services to the anti-black website Chimpmania. Hundreds of thousands signed a petition on urging Prince to terminate services to Chimpmania. The petition was created by the parents of a biracial baby who was born with gastroschisis and who was mocked as a “mulatto monkey baby” by site users, and whose pictures were posted on the site. Over the ten years the site has been active, numerous other petitions have also been leveled against it, none of which were successful.[47]

Security and privacy

The hacker group UGNazi attacked Cloudflare partially by exploiting flaws in Google's authentication systems in June 2012, gaining administrative access to Cloudflare and using it to deface 4chan.[48][49] From September 2016 until February 2017, a major Cloudflare bug (nicknamed Cloudbleed) leaked sensitive data, including passwords and authentication tokens, from customer websites by sending extra data in response to web requests.[50] The leaks resulted from a buffer overflow which occurred, according to analysis by Cloudflare, on approximately 1 in every 3,300,000 HTTP requests.[51][52]

In May 2017, ProPublica reported that Cloudflare as a matter of policy relays the names and email addresses of persons complaining about hate sites to the sites in question, which has led to the complainants being harassed. Cloudflare's general counsel defended the company's policies by saying it is "base constitutional law that people can face their accusers".[53] In response to the report, Cloudflare updated their abuse reporting process to provide greater control over who is notified of the complaining party.[54]

Cloudflare is cited in reports by The Spamhaus Project, an international spam tracking organization, due to high numbers of cybercriminal botnet operations 'hosted' on Cloudflare services.[55] [56] [57] An October 2015 report found that Cloudflare provisioned 40% of SSL certificates used by phishing sites with deceptive domain names resembling those of banks and payment processors.[58]

Cloudflare suffered a major outage on July 2, 2019,[59] which rendered more than 12 million websites (80% of all customers) unreachable for 27 minutes.[60] A similar outage occurred on July 17, 2020, causing a similar effect and impacting the same amount of sites.[61][62]


  1. ^ a b c "Cloudflare, Inc. (NET) Income Statement".
  2. ^ Anicas, Mitchell (July 30, 2015). "How To Mitigate DDoS Attacks Against Your Website with CloudFlare". DigitalOcean. Retrieved August 22, 2019.
  3. ^ a b Wong, Julia Carrie (August 28, 2017). "The far right is losing its ability to speak freely online. Should the left defend it?". The Guardian. ISSN 0261-3077. Retrieved August 22, 2019.
  4. ^ a b c Jones, Rhett (December 14, 2018). "Cloudflare Under Fire for Allegedly Providing DDoS Protection for Terrorist Websites". Gizmodo. Retrieved August 5, 2019.
  5. ^ a b Sankin, Aaron (July 11, 2019). "The Dirty Business of Hosting Hate Online". Gizmodo. Retrieved August 5, 2019.
  6. ^ a b Cook, Jesselyn (December 14, 2018). "U.S. Tech Giant Cloudflare Provides Cybersecurity For At Least 7 Terror Groups". HuffPost. Retrieved August 5, 2019.
  7. ^ a b Captain, Sean (February 27, 2019). "Is Cloudflare a privacy champion or hate speech enabler? Depends who you ask". Fast Company. Retrieved August 5, 2019.
  8. ^ Lee, Timothy B. (August 31, 2017). "Tech companies declare war on hate speech—and conservatives are worried". Ars Technica. Retrieved August 6, 2019.
  9. ^ Peterson, Becky (August 17, 2017). "Cloudflare CEO explains his emotional decision to punt The Daily Stormer and subject it to hackers: I woke up 'in a bad mood and decided to kick them off the Internet'". Business Insider. Retrieved August 17, 2017.
  10. ^ Kelly, Makena (August 4, 2019). "Cloudflare to revoke 8chan's service, opening the fringe website up for DDoS attacks". The Verge. Archived from the original on August 5, 2019. Retrieved August 5, 2019.
  11. ^ a b c Wong, Julia Carrie (August 4, 2019). "8chan: the far-right website linked to the rise in hate crimes". The Guardian. ISSN 0261-3077. Retrieved August 5, 2019.
  12. ^ a b c Mezzofiore, Gianluca; O'Sullivan, Donie (August 5, 2019). "El Paso shooting is at least the third atrocity linked to 8chan this year". CNN. Retrieved August 5, 2019.
  13. ^ "Our Story". Cloudflare. Retrieved August 22, 2019.
  14. ^ Hesseldahl, Arik (June 10, 2011). "Web Security Start-Up Cloudflare Gets Buzz, Courtesy of LulzSec Hackers". All Things Digital. Retrieved August 15, 2011.
  15. ^ Osborne, Charlie (April 28, 2016). "Cloudflare figured out how to make the Web one second faster". ZDNet. Retrieved May 17, 2016.
  16. ^ Kawamoto, Dawn (March 12, 2019). "Cloudflare's $150 million funding round puts its IPO plans in question". San Francisco Business Times. Retrieved March 12, 2019. (Subscription required.)
  17. ^ Shieber, Jonathan (August 15, 2019). "Cloudflare files for initial public offering". TechCrunch. Retrieved August 22, 2019.
  18. ^ Loizos, Connie (September 13, 2019). "Cloudflare co-founder Michelle Zatlyn on the company's IPO today, its unique dual class structure, and what's next". TechCrunch. Retrieved September 16, 2019.
  19. ^ Schwartz, Mathew J. (February 11, 2014). "DDoS Attack Hits 400 Gbit/s, Breaks Record". Dark Reading. Retrieved August 22, 2019.
  20. ^ Olson, Parmy (November 20, 2014). "The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites". Forbes. Retrieved August 22, 2019.
  21. ^ Storm, Darlene (March 27, 2013). "Biggest DDoS attack in history slows Internet, breaks record at 300 Gbps". Computerworld. Retrieved August 22, 2019.
  22. ^ Markoff, John; Perlroth, Nicole (March 26, 2013). "Online Dispute Becomes Internet-Snarling Attack". The New York Times. Retrieved August 22, 2019.
  23. ^ Gallagher, Sean (February 11, 2014). "Biggest DDoS ever aimed at Cloudflare's content delivery network". Ars Technica. Retrieved May 17, 2016.
  24. ^ Newman, Lily Hay (June 12, 2019). "Cloudflare's Five-Year Project to Protect Nonprofits Online". Wired. ISSN 1059-1028. Retrieved August 5, 2019.
  25. ^ Rambo, Guilherme (April 1, 2019). "Cloudflare announces WARP: a new free VPN service for iOS". 9to5Mac. Archived from the original on April 2, 2019. Retrieved April 2, 2019.
  26. ^ Humphries, By Matthew; September 26, 2019 10:18AM EST; September 26, 2019. "Cloudflare Finally Launches WARP, But It's Not a Mobile VPN". PCMAG. Retrieved September 27, 2019.CS1 maint: numeric names: authors list (link)
  27. ^ Security, Paul Wagenseil 2019-09-26T20:13:55Z. "WARP Promises Faster Speeds on Your Phone Without 5G, but Doesn't Quite Deliver Yet". Tom's Guide. Retrieved September 27, 2019.
  28. ^ Bijan Stephen (April 1, 2020). "Cloudflare's WARP VPN is launching in beta for macOS and Windows". The Verge. Retrieved September 17, 2020.
  29. ^ a b Roose, Kevin (August 4, 2019). "8chan Is a Megaphone for Gunmen. 'Shut the Site Down,' Says Its Creator". The New York Times. ISSN 0362-4331. Retrieved August 5, 2019.
  30. ^ a b O'Neill, Patrick Howell (November 17, 2014). "8chan is home to a hive of pedophiles". The Daily Dot. Retrieved August 5, 2019.
  31. ^ a b Machkovech, Sam (August 17, 2015). "8chan-hosted content disappears from Google searches [Updated]". Ars Technica. Retrieved August 5, 2019.
  32. ^ a b c Lee, Timothy B. (December 4, 2017). "Cloudflare's CEO has a plan to never censor hate speech again". Ars Technica. Retrieved August 5, 2019.
  33. ^ a b Johnson, Steven (January 16, 2018). "Inside Cloudflare's Decision to Let an Extremist Stronghold Burn". Wired. ISSN 1059-1028. Retrieved August 5, 2019.
  34. ^ Citron, Danielle Keats (November 28, 2017). "What to Do about the Emerging Threat of Censorship Creep on the Internet" (PDF). Cato Institute. No. 282: 3–4 – via
  35. ^ Keller, Daphne (August 15, 2017). "The Daily Stormer, Online Speech, and Internet Registrars". The Center for Internet and Society. Stanford Law School. Retrieved August 6, 2019.
  36. ^ Shaban, Hamza (August 18, 2017). "Banning neo-Nazis online may be slippery slope, tech group warns Silicon Valley". The Washington Post. Retrieved August 6, 2019.
  37. ^ a b Kohlmann, Evan F. (January 27, 2015). "Charlie Hebdo and the Jihadi Online Network: Assessing the Role of American Commercial Social Media Platforms" (DOC). United States House of Representatives. Retrieved August 22, 2019.
  38. ^ Dewey, Caitlin (January 13, 2015). "This is what happens when you create an online community without any rules". The Washington Post. Retrieved August 22, 2019.
  39. ^ "Web defender Cloudflare snarled in child abuse row". October 22, 2019. Retrieved November 15, 2019.
  40. ^ Wong, Julia Carrie (August 3, 2019). "8chan: the far-right website linked to the rise in hate crimes". The Guardian. Retrieved August 3, 2019. Three attackers in six months allegedly posted their plans on the site in advance. In an exclusive interview, Silicon Valley CEO [Matthew Prince] explains his ‘moral obligation’ to keep 8chan online
  41. ^ Wong, Julia Carrie (August 4, 2019). "Investigators 'reasonably confident' Texas suspect left anti-immigrant screed". NBC News. Retrieved August 22, 2019.
  42. ^ Yadron, Danny (September 29, 2014). "Cloudflare Pushes More Encrypted Web". The Wall Street Journal. Retrieved August 10, 2015.
  43. ^ Kovacs, Eduard (March 17, 2014). "Underground Payment Card Store Rescator Hacked and Defaced". Softpedia News. Retrieved August 10, 2015.
  44. ^ Krebs, Brian (January 15, 2015). "Spreading the Disease and Selling the Cure". Krebs on Security. Retrieved August 14, 2015.
  45. ^ Hern, Alex (November 19, 2015). "Web services firm Cloudflare accused by Anonymous of helping Isis". The Guardian. Retrieved November 19, 2015.
  46. ^ Hackett, Robert (November 18, 2015). "Anonymous' Gripes About ISIS Are 'Absurd,' CEO says". Fortune. Retrieved August 22, 2019.
  47. ^ Cooper, Joel (November 11, 2019). "Thousands call for vile racist website 'Chimpmania' to be shut down". devonlive. Retrieved January 25, 2020.
  48. ^ Simcoe, Luke (June 14, 2012). "The 4chan breach: How hackers got a password through voicemail". Maclean's. Archived from the original on January 15, 2014. Retrieved August 22, 2019.
  49. ^ Ms. Smith (June 3, 2012). "Hacktivists UGNazi attack 4chan, Cloudflare and Wounded Warrior Project". Privacy and Security Fanatic. NetworkWorld. Archived from the original on November 12, 2013. Retrieved August 22, 2019.
  50. ^ Conger, Kate (February 23, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved August 22, 2019.
  51. ^ Steinberg, Joseph (February 24, 2017). "Why You Can Ignore Calls To Change Your Passwords After Today's Massive Password Leak Announcement". Inc. Retrieved February 24, 2017.
  52. ^ Molina, Brett (February 28, 2017). "Cloudfare bug: Yes, you should change your passwords". USA Today. Retrieved March 1, 2017.
  53. ^ Schwencke, Ken (May 4, 2017). "How One Major Internet Company Helps Serve Up Hate on the Web". ProPublica. Retrieved May 6, 2017.
  54. ^ Prince, Matthew (May 7, 2017). "Anonymity and Abuse Reports". The Cloudflare Blog. Retrieved August 22, 2019.
  55. ^ "Spamhaus Botnet Threat Report Q1-2020, ISPs hosting botnet C&Cs". The Spamhaus Project. Retrieved May 1, 2020.
  56. ^ "Cloudflare and Spamhaus". Word to the Wise. July 16, 2017. Retrieved February 28, 2017.
  57. ^ "The Spamhaus Project". The Spamhaus Project. Retrieved September 30, 2019.
  58. ^ Edgecombe, Graham (October 12, 2015). "Certificate authorities issue SSL certificates to fraudsters". Netcraft. Retrieved October 14, 2015.
  59. ^ Cheng, Michelle (July 15, 2019). "Cloudflare shows how transparent tech companies should be". Quartz. Retrieved July 17, 2020.
  60. ^ Graham-Cumming, John (July 12, 2019). "Details of the Cloudflare outage on July 2, 2019". The Cloudflare Blog. Retrieved July 12, 2019.
  61. ^ Dassanayake, Dion (July 17, 2020). "Discord DOWN: Server status latest, connection and chat problems confirmed". Daily Express. Retrieved July 17, 2020.
  62. ^ Carpenter, Nicole (July 17, 2020). "Discord, Riot Games down with reported Cloudflare outage". Polygon. Retrieved July 17, 2020.