How? Isn’t it more like the difference between carrying an umbrella every day and ducking into the corner shop to buy one when you notice it’s raining?
That's a good analogy, since the corner shop is going to be sold out of their small stock of umbrellas during the rainstorm, so you won't be able to buy one until the rainstorm is over, but at least you'll have protection for the next storm. If staying dry is important to you, you should buy the umbrella before the rain.
That continues the analogy -- it doesn't rain often in the desert, but almost all deserts receive rain. And since it rains so rarely, you're certainly not going to find an umbrella during the rainstorm.
So again, if staying dry in the rain is important to you, buy an umbrella before the rain; if you don't care about getting wet from time to time, then no need for the umbrella.
While the personal blog owner may not care about DDoS-related downtime, he may face extra usage charges due to higher bandwidth, CPU usage, etc. that he'd like to avoid.
1 person using an umbrella, 4 are not. I'm starting to doubt if you're even human given that normal people don't go throughout their entire lives always carrying an umbrella wherever they go, even when it might rain.
Depends on the distribution of accidents and the distribution of costs. If P(ddos) * Cost(ddos) < P(no ddos) * P(cloudflare outage) * Cost(cloudflare outage) then you would be better off not using Cloudflare.
This is not considering other issues with Cloudflare, like them MITMing the entire internet and effectively being an unregulated internet gatekeeper.
My site being down for a couple days is not an unacceptably large loss, unlike an uninsured car being wrecked.
It also isn't a good analogy because insurance doesn't apply retroactively to wrecks that happened before start of term, and is event-based rather than providing continuous value.
I thought that's why it's a good analogy - DDoS protection doesn't apply retroactively to prior attacks (or even current attacks, it's hard to apply DDoS protection while your site is down due to DDoS). If you want protection from DDoS, you need it before the DDoS. If you want to insure your car in case of accident, you need to insure it before the accident.
Sounds reasonable if the car insurance could magically and near instantly fix your car, undo all the property damage and no one could get injured.
Insurance for physical things is different for services, they don't map as an analogy. A better one would be, Because you buy a new car every hour, it's like buying insurance for every car after someone steals your 700th car. That prevents your car from getting stolen.
That's like saying my personal blog going down is as impactful to my health and finances as getting into an automobile accident.
Assume a "personal" blog or site is not making money for the owner, and they have backups of the site to restore if the VM gets wiped or defaced. Why spend money on DDoS protection if it is unlikely to ever occur, much less affect someone monetarily?
Depending on the host, you may get charged a big bill for traffic. If you're hosting at home, your ISP may blackhole all traffic to your residence (affecting your day job and being a nightmare). When it comes to DDoS, most providers are quick to blackhole, and slow to unfreeze, without getting the runaround.
No, it's like saying you should buy a new battery after your battery dies. Yeah, it's nice to have a spare battery around, I guess, but it's not like your battery dying will significantly ruin your finances.
It's more like buying the plug-in version after the battery dies...
You already experienced the downtime, so if not having downtime was a goal you already failed. If avoiding downtime is not important then there's no reason to add anti-downtime capability to your system. The most charitable modeling of this approach is that the downtime incident may prompt one to realize that avoiding downtime actually is an important property for their system to possess.
The actual charitable model is that you expect close to zero attacks, but if you actually get hit your expected rate of future attacks goes up by an order of magnitude or two. And it's that change in expectations that gets you to buy protection.
You don't care about going down once, you do care about frequent outages. And you know this from the start, you don't realize it later.
Yes, the original assessment was wrong. Such things happen all the time to reasonable people.
The person you were describing in your "most charitable" version above was not being reasonable. They didn't just underestimate the petty anger of the internet, they were being fundamentally foolish about their own desires. That's why I replied, to show you a different way someone could end up in this position.