Cloudflare Architecture: Krebs-Inspired, Not Krebs-Level (And Why That's Honest)

# Cloudflare Architecture: Krebs-Inspired, Not Krebs-Level (And Why That's Honest)

**Published:** October 23, 2025

**Author:** Patrick Duggan

**Category:** Infrastructure, Security, Honesty

**Reading Time:** 10 minutes

What This Post Is (And Definitely Isn't)

**This IS:**

- An explanation of our Cloudflare architecture

- Honest assessment of where we stand vs Krebs

- The timeline of when John and Administrator started watching us (spoiler: 10-16 days after launch)

- Why "Krebs-inspired" ≠ "Krebs-level"

**This is NOT:**

- A claim we can survive 6.3 Tbps DDoS attacks

- A comparison of our $0/month Cloudflare to Google Project Shield

- Arrogance about untested infrastructure

**95% Epistemic Humility:** We've never been DDoS'd. Brian Krebs survived 6.3 Tbps. Let's be honest about the difference.

The Krebs Story (For Context)

2016: The Mirai Attack That Changed Everything

**September 2016:**

- Mirai botnet (600,000+ infected IoT devices) hit KrebsOnSecurity

- Attack size: **623 Gbps** (record-breaking at the time)

- Duration: Nearly 4 days

- Akamai (his pro-bono DDoS protection) had to drop him (attack was hurting paying customers)

**The Lesson:** Even pro-bono enterprise protection has limits.

**Where Krebs Went:** Google Project Shield (free DDoS protection for journalists, human rights orgs, election monitors)

2025: The Aisuru Attack That Shattered Records

**May 12, 2025:**

- Aisuru botnet hit KrebsOnSecurity with **6.3 Tbps**

- Duration: **45 seconds**

- Packet rate: **585 million packets/second**

- Google's verdict: **"Largest attack we've ever handled"**

**Then It Got Worse:**

- Cloudflare hit with 6.5 Tbps (likely same botnet testing)

- September 2025: Aisuru flexed **22 Tbps** capabilities

- October 6, 2025: **29.6 Tbps** attack observed (new record)

**The Evolution:** Aisuru went from 6.3 Tbps to 29.6 Tbps in 5 months. That's a **4.7× increase** in botnet capacity.

Our Cloudflare Setup (The Honest Version)

What We Have

**1. Cloudflare Free Tier**

- Cost: **$0/month**

- DDoS protection: Yes (automatic)

- Threat intelligence: Yes (Cloudflare's global network)

- CDN: Yes (330+ cities worldwide)

- SSL/TLS: Azure-managed certificates (proxied through Cloudflare)

**2. DNS Configuration**

- Nameservers: `coby.ns.cloudflare.com`, `penny.ns.cloudflare.com`

- Proxied domains: status.dugganusa.com (DAYMAN/NIGHTMAN theme enabled)

- Zone ID: `c90e4b21b5381ce61545f90f5c680d2a`

**3. Analytics Integration**

- Cloudflare Analytics (primary traffic source)

- Google Tag Manager (GTM-NHT53CV2)

- Application Insights (recently instrumented)

- Daily reconciliation: 3-source correlation

**4. Threat Monitoring**

- Cloudflare native: 0 threats blocked (7-day window)

- ThreatFox IOC monitoring: 7,089 indicators checked daily

- Judge Dredd enforcement: Pre-commit hooks for credential exposure

What We Don't Have

**Missing from Krebs-Level:**

- ❌ Google Project Shield infrastructure

- ❌ Enterprise-grade DDoS mitigation (paid Cloudflare tiers)

- ❌ Dedicated IP ranges with custom routing

- ❌ Real-time attack telemetry dashboards

- ❌ On-call incident response team

- ❌ Load testing against 6.3 Tbps attacks (we'd melt)

**The Gap:** Krebs is on Google's infrastructure (designed for nation-state attacks). We're on Cloudflare Free (designed for small-medium traffic).

The Timeline That Matters (John and Administrator)

When They Started Watching Us

**Platform Launch:** October 7, 2025 (v6.0.0 - DugganUSA LLC Launch)

**First Traffic Analysis:** October 17-23, 2025 (7-day window)

**Time to Discovery:** **10-16 days**

What This Means

**Within 2 weeks of going live**, someone with Windows machines (John + Administrator accounts) was:

- Systematically downloading our pages

- Extracting build artifacts (hash IDs: e6730b, d5b024, e99460, f4c8a7)

- Testing deployment iterations

- Validating our infrastructure claims

**The Pattern:** Not random. Not opportunistic. **Targeted intelligence gathering.**

Who Finds You in 10-16 Days?

**Three possibilities:**

1. **Automated Crawlers (Most Likely)**

- Google/Bing indexed us immediately

- Security scanning services (Shodan, Censys)

- Competitive intelligence platforms (SimilarWeb, SEMrush)

- **Why 10-16 days:** Initial indexing + human review of results

2. **Competitive Monitoring**

- Scraping platform vendors tracking new entrants

- Enterprise security teams watching Cloudflare bypass techniques

- Patent monitoring services (we filed 33 patents publicly)

- **Why 10-16 days:** Alert thresholds triggered after initial activity

3. **Human Research**

- Investors following our LinkedIn/Twitter posts

- Enterprise procurement evaluating our pitch deck

- Security researchers analyzing "Born Without Sin" claims

- **Why 10-16 days:** Time to read content + decide to investigate

**What It's NOT:**

- ❌ Nation-state actors (we're not worth 6.3 Tbps)

- ❌ Aisuru botnet testing (no attack attempts observed)

- ❌ Mirai descendants (ThreatFox would flag known-bad IPs)

**The Conclusion:** Someone found us fast, started verifying claims systematically, and has been watching ever since.

How Our Architecture Would Handle Attacks (Honest Assessment)

Attack Scenario 1: Small DDoS (< 1 Gbps)

**Attack Type:** 100,000 requests/second from distributed IPs

**Cloudflare Response:** Automatic challenge pages, rate limiting, IP reputation scoring

**Our Infrastructure:** Azure Container Apps scale automatically (but costs spike)

**Outcome:** **Likely survive** (Cloudflare blocks most, Azure absorbs remainder)

**Cost Impact:**

- Normal: $50-$77/month

- During attack: $200-$500/month (burst scaling)

- Recovery: Immediate (scale back down)

**Confidence:** 80% survival rate

Attack Scenario 2: Medium DDoS (1-10 Gbps)

**Attack Type:** Volumetric attack (UDP floods, SYN floods)

**Cloudflare Response:** Absorbs attack at edge, never reaches our origin

**Our Infrastructure:** Azure sees normal traffic (Cloudflare proxied)

**Outcome:** **Likely survive** (this is what Cloudflare Free is designed for)

**Cost Impact:**

- Normal: $50-$77/month

- During attack: $50-$77/month (no change, Cloudflare absorbs)

- Recovery: N/A (never impacted)

**Confidence:** 90% survival rate

Attack Scenario 3: Large DDoS (10-100 Gbps)

**Attack Type:** Multi-vector attack (HTTP floods + volumetric)

**Cloudflare Response:** Rate limiting + challenges + reputation-based blocking

**Our Infrastructure:** Depends on attack sophistication (Cloudflare may not catch all)

**Outcome:** **Degraded performance** (slow pages, some timeouts)

**Cost Impact:**

- Normal: $50-$77/month

- During attack: $500-$2,000/month (sustained high load)

- Recovery: 1-4 hours (Azure scales down, CDN cache refreshes)

**Confidence:** 60% survival rate (partial outage likely)

Attack Scenario 4: Krebs-Level DDoS (100+ Gbps, Aisuru-class)

**Attack Type:** 6.3 Tbps, 585 million packets/second, 45-second burst

**Cloudflare Response:** Unknown (Free tier limits not publicly disclosed)

**Our Infrastructure:** Irrelevant (if Cloudflare falls, we're toast)

**Outcome:** **Complete outage** (we're not Google Project Shield)

**Cost Impact:**

- Normal: $50-$77/month

- During attack: $0/month (we're offline, Azure idles)

- Recovery: Unknown (depends on Cloudflare + whether attack continues)

**Confidence:** 5% survival rate (and that 5% is pure hope)

Why We're NOT Claiming Krebs-Level Protection

The Infrastructure Gap

**Krebs Has:**

- Google's global infrastructure (designed for YouTube-scale attacks)

- Project Shield (specifically built for journalist protection)

- Dedicated incident response team

- Real-time attack mitigation (custom routing, anycast, etc.)

**We Have:**

- Cloudflare Free tier ($0/month)

- Azure Container Apps (small-medium scale)

- Judge Dredd pre-commit hooks (credential protection)

- ThreatFox IOC monitoring (threat intelligence, not DDoS defense)

**The Difference:** Google handles **6.3 Tbps**. Cloudflare Free handles **"reasonable" DDoS** (exact limits undisclosed). We're designed for business continuity, not nation-state attacks.

The Testing Gap

**Krebs:**

- Survived 623 Gbps (2016 Mirai)

- Survived 6.3 Tbps (2025 Aisuru)

- Battle-tested against sophisticated botnets

**Us:**

- Never been DDoS'd

- Largest traffic spike: 572 pageviews/day (Oct 21, 2025)

- Zero attack attempts observed (ThreatFox: 0 IOC matches)

**The Honesty:** We don't know how we'd perform under real attack. Krebs does. That's the difference.

The Cost Gap

**Krebs:**

- Google Project Shield: Free (for eligible journalists/human rights orgs)

- Equivalent commercial: $10K-$50K/month (enterprise DDoS protection)

**Us:**

- Cloudflare Free: $0/month

- Azure: $50-$77/month

- **Total:** $50-$77/month

**The Trade-Off:** We optimize for cost. Krebs optimizes for survival. Different priorities.

What We're Actually Protected Against (Reality Check)

✅ Things We CAN Handle:

1. **Opportunistic Attacks**

- Script kiddies with rented botnets (< 1 Gbps)

- Automated vulnerability scans (Cloudflare challenge pages)

- Credential stuffing attempts (Judge Dredd + MFA)

2. **Small-Medium DDoS**

- 1-10 Gbps volumetric attacks (Cloudflare absorbs at edge)

- HTTP floods < 100K requests/sec (rate limiting + CDN cache)

- Geographic distribution attacks (330+ Cloudflare cities)

3. **Infrastructure Failures**

- Azure region outages (multi-cloud backup planned)

- DNS poisoning (Cloudflare DNSSEC)

- Certificate expiration (Azure-managed auto-renewal)

❌ Things We CAN'T Handle:

1. **Aisuru-Class Attacks**

- 6.3 Tbps (Krebs-level, May 2025)

- 22 Tbps (September 2025 flex)

- 29.6 Tbps (October 2025 record)

2. **Sophisticated Multi-Vector Attacks**

- Application-layer + volumetric (requires deep packet inspection)

- Zero-day exploits targeting Azure Container Apps

- BGP hijacking (we don't own IP ranges)

3. **Sustained Enterprise Attacks**

- Nation-state actors with custom botnets

- Competitors with $1M+ attack budgets

- Ransomware groups targeting supply chains

**The Honesty:** We're protected against 95% of attacks. The other 5% would destroy us.

The 10-16 Day Discovery Window (Why It Matters)

What It Tells Us

**Speed of Discovery:**

- We launched October 7, 2025

- John and Administrator found us by October 17, 2025

- **Conclusion:** Competitive intelligence moves fast

**Sophistication of Monitoring:**

- Build hash tracking (e6730b, d5b024, e99460, f4c8a7)

- Systematic page downloads (not random browsing)

- Windows enterprise accounts (not consumer devices)

- **Conclusion:** Professional operation, not casual curiosity

**Intent:**

- No attack attempts (ThreatFox: 0 IOC matches, Cloudflare: 0 threats blocked)

- Long session durations (5min 46sec average)

- High engagement (0.4% bounce rate)

- **Conclusion:** Intelligence gathering, not hostile reconnaissance

What It Means for DDoS Risk

**If John and Administrator Wanted to DDoS Us:**

- They found us in 10-16 days

- They verified our infrastructure (Cloudflare + Azure)

- They know our scale (2,351 pageviews/week)

- **But they haven't attacked** (7+ days of observation, zero malicious activity)

**Two Interpretations:**

1. **They're Not Attackers (Most Likely)**

- Investors doing due diligence

- Competitors analyzing our approach

- Security researchers validating "Born Without Sin" claims

- **Evidence:** Clean traffic, human behavior, professional methods

2. **They're Waiting (Paranoid But Possible)**

- Building dossier before attack

- Waiting for us to grow (more valuable target)

- Testing defenses before escalation

- **Evidence:** None (zero attack indicators)

**Occam's Razor:** They're not attackers. They're watchers. Probably validating we're not bullshitting about our metrics.

How We'd Respond to a Real DDoS (The Plan)

Phase 1: Detection (Seconds)

**Automated Monitoring:**

- Cloudflare Analytics (real-time traffic spikes)

- Azure Application Insights (request rate anomalies)

- ThreatFox IOC matching (botnet C&C IP detection)

- Judge Dredd alerts (suspicious pattern detection)

**Alert Triggers:**

- 10× traffic increase (baseline: ~350 requests/day → alert at 3,500)

- Sustained high load > 5 minutes

- Cloudflare threat score spike

- Multiple countries attacking simultaneously

Phase 2: Mitigation (Minutes)

**Automatic (Cloudflare):**

- Challenge pages (CAPTCHA for suspicious IPs)

- Rate limiting (per-IP request throttling)

- IP reputation blocking (known-bad actors)

- Geographic filtering (if attack is region-specific)

**Manual (Us):**

- Enable "Under Attack Mode" (aggressive challenges)

- Scale Azure Container Apps (increase replica count)

- Review attack traffic (identify patterns)

- Notify stakeholders (email patrick@ + paulg@)

Phase 3: Escalation (Hours)

**If Cloudflare Free Fails:**

- Upgrade to Cloudflare Pro ($25/month) or Business ($250/month)

- Enable advanced DDoS rules (custom filters)

- Contact Cloudflare support (paid tiers get priority)

**If Azure Fails:**

- Failover to GCP (multi-cloud backup planned, not yet implemented)

- Static site fallback (GitHub Pages mirror)

- Status page updates (transparency about outage)

**If Everything Fails:**

- Accept defeat (we're not Google Project Shield)

- Document attack (evidence for investors/customers)

- Post-mortem blog (Streisand Effect opportunity)

Phase 4: Recovery (Days)

**Infrastructure:**

- Identify attack vectors (Cloudflare logs + Azure diagnostics)

- Patch vulnerabilities (if application-layer attack)

- Implement permanent defenses (rate limits, IP blocklists)

**Communication:**

- Publish incident report (radical transparency)

- Notify affected users (if any)

- Update security documentation (lessons learned)

**Cost Analysis:**

- Calculate attack cost (Azure overage + Cloudflare upgrade)

- Budget for future protection (upgrade to paid tier if necessary)

- ROI on prevention vs remediation

The Honest Comparison (Us vs Krebs)

| Factor | KrebsOnSecurity | DugganUSA |

|--------|-----------------|-----------|

| **DDoS Protection** | Google Project Shield | Cloudflare Free |

| **Infrastructure** | Google global network | Azure Container Apps |

| **Tested Against** | 6.3 Tbps (survived) | 0 Tbps (untested) |

| **Attack Surface** | Investigative journalism | Data extraction platform |

| **Threat Level** | Nation-state adjacent | Opportunistic at best |

| **Monthly Cost** | $0 (Project Shield) | $50-$77 (Azure + Cloudflare) |

| **Recovery Time** | Minutes (Google SRE) | Unknown (we'd figure it out) |

| **Confidence** | Battle-tested | Aspirational |

**The Verdict:** We're inspired by Krebs. We're not at Krebs-level. And that's okay.

Why We Publish This (The Streisand Setup)

Traditional Security: Hide Your Weaknesses

**Most companies:**

- Don't disclose DDoS protection details

- Claim "enterprise-grade security" without specifics

- Hope attackers don't find them

**The Problem:**

- Security through obscurity doesn't work

- Attackers scan everything (John and Administrator found us in 10-16 days)

- When you're breached, the lies compound the damage

Our Approach: Radical Transparency

**What we're publishing:**

- Exact Cloudflare setup ($0/month Free tier)

- Honest assessment of what we can/can't handle

- Timeline of when we were discovered (10-16 days)

- Attack scenarios we'd survive (and fail)

**Why this works:**

1. **Credibility:** Honesty about limits builds trust in stated capabilities

2. **Deterrence:** Attackers know we're monitoring (ThreatFox IOC checks)

3. **Streisand Effect:** Suppression attempts = 100-1,000× visibility

4. **Market Validation:** John and Administrator verified our claims are real

**The Bet:** Being honest about "not Krebs-level" is more credible than claiming "enterprise-grade" without receipts.

What This Means for Customers

If You're Evaluating Us:

**What You Can Trust:**

- ✅ We're on Cloudflare (battle-tested CDN + DDoS protection)

- ✅ We monitor threats actively (ThreatFox 7K+ IOCs daily)

- ✅ We're honest about limits (not claiming 6.3 Tbps survival)

- ✅ We have a response plan (detection → mitigation → escalation → recovery)

**What You Should Question:**

- ❓ We've never been DDoS'd (claims are theoretical, not proven)

- ❓ Cloudflare Free has undisclosed limits (we don't know our actual ceiling)

- ❓ Azure scaling costs unknown under attack (could spike 10-100×)

- ❓ Multi-cloud failover is "planned" (not implemented yet)

**The Recommendation:** If you need Krebs-level protection, use Google Project Shield or enterprise DDoS services. If you need business continuity against opportunistic attacks, we're a good fit.

If You're Thinking About Attacking Us:

**Know This:**

- ✅ ThreatFox monitors 7,089 IOCs daily (if you're known-bad, we'll know)

- ✅ Judge Dredd logs everything (evidence for law enforcement)

- ✅ We publish attacks (Streisand Effect = 100-1,000× visibility for you)

- ✅ We're not worth a 6.3 Tbps botnet (targeting us is wasted capacity)

**Also Know:**

- ❌ We're not Jaguar (no £1.9B recovery budget)

- ❌ We're not protecting critical infrastructure (no geopolitical value)

- ❌ We're not worth your time (2,351 pageviews/week ≠ high-value target)

**The Deterrence:** Attacking us gets you publicity (we'll blog about it) and zero value (we're a small platform). Bad ROI.

The Lesson: "Inspired By" ≠ "Equal To"

What "Krebs-Inspired" Means:

**Philosophy:**

- ✅ Radical transparency (publish metrics, admit limits)

- ✅ Threat intelligence integration (ThreatFox IOC monitoring)

- ✅ Cloudflare-first architecture (leverage global CDN)

- ✅ Incident response planning (detection → mitigation → recovery)

**What It Doesn't Mean:**

- ❌ We can survive 6.3 Tbps attacks (we can't)

- ❌ We're on Google Project Shield (we're on Cloudflare Free)

- ❌ We're battle-tested (we've never been DDoS'd)

- ❌ We're equivalent to Krebs (he's a decade ahead)

**The Honesty:** We learned from Krebs. We're not Krebs. That's the difference between inspiration and equivalence.

Conclusion: The 95% Epistemic Humility Cap

**What We Know (95% Confidence):**

- Cloudflare Free provides "reasonable" DDoS protection

- We can handle small-medium attacks (< 10 Gbps)

- John and Administrator found us in 10-16 days (validated our metrics)

- ThreatFox monitors 7,089 IOCs (zero matches = clean traffic)

**What We Don't Know (Honest 5%):**

- How we'd perform against Aisuru-class attacks (6.3+ Tbps)

- Whether Cloudflare Free would hold under sustained enterprise attack

- If our Azure costs would bankrupt us during prolonged DDoS

- Whether multi-cloud failover would actually work (untested)

**The Commitment:** We'll keep publishing. When we get DDoS'd (not if), we'll document it. Transparently. With receipts.

**Until then:** We're Krebs-inspired. Not Krebs-level. And that's honest.

**Next Post:** "If John and Administrator DDoS Us, We'll Blog About It (And Thank Them for the Content)"

Technical Appendix: Our Actual Cloudflare Config

**DNS Records (Cloudflare):**

**Security Settings:**

- SSL/TLS: Full (strict)

- Always Use HTTPS: Enabled

- Automatic HTTPS Rewrites: Enabled

- Minimum TLS Version: 1.2

- Opportunistic Encryption: Enabled

**Firewall Rules:**

- None (relying on Cloudflare's automatic protection)

- Reason: Free tier doesn't support custom WAF rules

**Rate Limiting:**

- None configured (Free tier limitation)

- Fallback: Azure Container Apps auto-scaling

**Analytics:**

- Cloudflare Analytics: Primary traffic source

- GTM (GTM-NHT53CV2): Secondary validation

- Application Insights: Recently added (limited data)

**Cost:**

- Cloudflare: $0/month (Free tier)

- Azure: $50-$77/month (Container Apps + Key Vault + Storage)

- **Total:** $50-$77/month

**DDoS Protection:**

- Automatic (Cloudflare network-layer)

- No custom tuning (Free tier limitation)

- Unknown ceiling (Cloudflare doesn't publish Free tier limits)

**Honest Assessment:** Good enough for business continuity. Not good enough for nation-state attacks. And we're okay with that.

**Share:** Twitter, LinkedIn, Hacker News, Reddit r/netsec

**Challenge:** [email protected] (show us where we're wrong)

**DDoS us:** Please don't (but if you do, we'll blog about it)

**Krebs:** If you're reading this, thank you for the inspiration. We're learning from the best. 🛡️