
Cloudflare vs Self-Hosted DDoS Protection

When DDoS protection lands on your roadmap, the first fork is build vs buy. Both are viable; the right answer depends on your scale, team, and risk tolerance.

The case for self-hosting

Self-hosting (iptables, nftables, eBPF/XDP filters, an HAProxy or nginx tier) gives you total control and no per-request bill. For predictable, smaller-scale threats it can be enough, but its limits are structural:

  • Capacity ceiling: you can only absorb what your own pipes and PoPs can take. A real volumetric attack saturates a single-region setup instantly.
  • On-call burden: tuning filters mid-attack at 3am is your team's problem.
  • No global anycast: latency and absorption are limited to where you run.

The case for managed

A managed reverse proxy (Cloudflare, Karbon, and others) puts a global edge between attackers and your origin. You trade some control and a usage bill for capacity and 24/7 mitigation you don't have to staff.

A middle path

Many teams run both: cheap self-hosted L3/4 filtering at the host (XDP drops obvious junk for free) behind a managed L7 proxy that handles the sophisticated application-layer attacks. Karbon is designed to be that L7 layer, a Cloudflare alternative with transparent pricing and Layer 7 mitigation on every plan.
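As an added illustration of the host-level L3/4 filter described above (not code from this post or from Karbon), here is the per-frame classify logic an XDP drop program would run, written as plain userspace C so it can be exercised offline. The allowed-port list, the PASS/DROP verdict names standing in for XDP_PASS/XDP_DROP, and the build_frame helper that constructs test frames are all assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Verdicts mirror XDP_PASS/XDP_DROP, but this is plain userspace C: the same
   classify logic is what the in-kernel XDP program would run per frame. */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Only the origin's web ports are reachable from the wire (assumed here). */
static const uint16_t ALLOWED_TCP_PORTS[] = { 80, 443 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one raw Ethernet frame. Every header read is bounds-checked
   against len first, as the BPF verifier would demand of the real program. */
enum verdict classify_frame(const uint8_t *pkt, size_t len)
{
    if (len < 14 || be16(pkt + 12) != 0x0800) return VERDICT_DROP; /* IPv4 only */
    const uint8_t *ip = pkt + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return VERDICT_DROP;  /* bad version */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl) return VERDICT_DROP;           /* bad IHL */
    /* Fragments (MF set or nonzero offset): a web client never sends them to
       us, and fragment floods exhaust reassembly state, so drop them early. */
    uint16_t frag = be16(ip + 6);
    if (frag & 0x3fff) return VERDICT_DROP;
    if (ip[9] != 6) return VERDICT_DROP;                           /* TCP only */
    const uint8_t *tcp = ip + ihl;
    if (len < 14 + ihl + 4) return VERDICT_DROP;                   /* need ports */
    uint16_t dport = be16(tcp + 2);
    for (size_t i = 0; i < sizeof ALLOWED_TCP_PORTS / sizeof *ALLOWED_TCP_PORTS; i++)
        if (dport == ALLOWED_TCP_PORTS[i]) return VERDICT_PASS;
    return VERDICT_DROP;                                           /* unknown port */
}

/* Build a constructed Ethernet+IPv4+L4 frame (zeroed apart from the fields
   the filter inspects) so the logic can be exercised offline. Returns length. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                   uint16_t frag_field, uint16_t dport)
{
    memset(buf, 0, 14 + 20 + 4);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45;                                   /* IPv4, IHL = 5 words */
    buf[20] = (uint8_t)(frag_field >> 8); buf[21] = (uint8_t)frag_field;
    buf[23] = proto;
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport; /* L4 dst port */
    return 14 + 20 + 4;
}
```

Everything this filter drops never reaches the TCP stack or the L7 proxy behind it, which is the "free" part of the host-level tier; anything that passes is still subject to the managed proxy's application-layer mitigation.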