In a move that's bound to rock the DDoS mitigation industry, Cloudflare announced yesterday its intention to offer DDoS protection at no extra costs during a DDoS attack's peak.

This is a very bold move as most DDoS mitigation firms make a large chunk of their profits via what's known as surge protection.

Not many customers can afford DDoS attack surge protection

Surge protection kicks in when a DDoS attack reaches its peak and the customer's protection plan cannot handle all the incoming traffic.

DDoS mitigation firms usually ask customers to pay extra fees for surge protection, or even kick customers off their network in rare cases when the company's network can't handle the full attack without affecting other customers.

If a company cannot afford the surge protection costs, the DDoS attack usually reaches its goal and takes down the targeted website.

Even in cases where the company mitigates the attack, the bill at the end of the month is enough to make many victims reconsider and think about giving in to ransom or censorship demands the next time they face a similar attack.

Cloudflare promises surge protection at no extra costs

"The reality is that our network today is at such a scale that we are able to mitigate even the largest DDoS attacks without it impacting other customers," says Matthew Prince, Cloudflare CEO, who claims Cloudflare can handle DDoS attacks of up to 15 Tbps.

"So today, on the first day of our Birthday Week celebration, we make it official for all our customers: Cloudflare will no longer terminate customers, regardless of the size of the DDoS attacks they receive, regardless of the plan level they use," Prince adds. "And, unlike the prevailing practice in the industry, we will never jack up your bill after the attack."

"We call this Unmetered Mitigation. It stems from a basic idea: you shouldn't have to pay more to be protected from bullies who try and silence you online," Prince says.

Cloudflare's technical team published two blog posts explaining how No Scrubs and Gatebot — two of their in-house developed technologies — allow the company to now provide unmetered DDoS protection.