https://web.archive.org/web/20151115154842/http://krebsonsec...

Thanks for giving a link to this post!

http://webcache.googleusercontent.com/search?q=cache:kaymYsb...

(it's the "strip=1" parameter in the URL)

Plus, threatening to kill Krebs' wife.

But since we're talking about ethics here: Sure, now that the hacker faces 30 years in prison, he's not short of probably sincere apologies. I could really believe that he now has changed his view and accepted his guilt. It makes me ponder the thought of if I were Krebs' to not only feel sorry for the guy but (if it were legally possible) to dismiss the charges against him.

Consider the much more likely outcome of the hackers' plan: That it worked. Would the hacker had the same sense of guilt then? Or the same sense of forgiveness as Krebs or me seems to have? Maybe. We'd never know unless he did. It's more likely, he would have enjoyed Krebs' ruined live. Maybe even continued to threaten his wife and family. Just for the fun of it.

Because doing that in the anonymity of the web makes it easy to misbehave in ways no one ever would in front of the public eye and even less in the eye of his family and friends.

"Fair game" excuses collective punishment, then? I'm not so sure.

Also, a "wife" is a person. How do you justify retaliating against someone by harming someone else? You steal my car, I beat up your wife- hey, "fair game"?

I don't think Krebs was right to dox the hackers wife.

She's her own person. If being married to an asshat is a punishable crime then many people are even worse off than they realise.

But Krebs retaliated in kind.

I do however think that's a punch he should have pulled.

So, should Krebs have flown over to Russia and beat the shit out of her? That would have definitely "scared her into leaving" the guy.

Again: how is it "fair game" to punish one person for the actions of another?

The main point here is: this anti-social behaviour of the Hacker was made possible because of his anonymity.

Anonymous towards the legal system but anonymous towards his private life as well.

It is fair to assume he kept his cyberbullying activities to himself because she wouldn't support that.

The hacker's wife was probably more endangered by continuing to be living next to a criminal.

Yeah, but the question is about right and wrong, not accepted USA norms.

I think thirty years is extreme, but I think the hope is that this will serve as an effective deterrent against this kind of crap.

If you forgive them, they might just do it again.

I don't think he deserves 30 years either, but he should still go to prison.

Unfortunately when you deal with criminals, you can't really justify any behavior on either side since they are both operating outside the bounds of the legal system. Outcomes are mooted in the context of the world they are operating in when it's devoid of rules, honor and morality among the participants.

What someone does while they're being watched isn't a good judgement of their character. What matters more is how they behave when they're not being watched.

It's not difficult to open a bank account in your spouse's name without his/her knowledge, and use that account to do things he/she wouldn't do.

When I was in middle school and the internet was still fairly new (we had just gotten it) a classmate of mine hatched a terrible plan to get rid of a teacher he hated. He waited until the teacher was out sick one day then during the substitute's typical teaching pattern of having us "read these 3 chapters, answer questions then keep your head down until class is over" he jumped on the teacher's computer. After reassuring the substitute that he was allowed to he tried desperately to find child porn. His plan was to save it into semi hidden folders onto the computer then later on turn the teacher in for having child porn.

Fortunately this classmate wasn't able to find any and eventually gave up. But I've always remembered his plan. It's terrifyingly believable that if someone managed to get into your computer and download child porn, there is likely little recourse or way to prove you did not do it.

Because think of the children.

Possession and distribution of child pornography is perfectly legal if you're the FBI though.

Fortunately I know you can integrate with that hashing project (I forget what it's called) where they generate a hash for known images of child porn so those can at least be removed automatically but I don't know how much of a percentage that catches.

Each video frame is a separate charge...

We have sleepwalked into being a police state and barely anyone seems to care.

Police have also started trawling Reddit to look for thought crimes. [1]

[0] http://m.theregister.co.uk/2014/08/05/whatsapp_smut_convicti...

[1] https://m.reddit.com/r/unitedkingdom/comments/53y1wi/a_reddi...

And that's exactly the problem: we have layer upon layer of vague and badly-written legislation, which ends up creating terrifying loopholes like the one described above.

My tinfoil hat paranoia is not quite at the level of thinking they're doing it on purpose (although I wonder sometimes).

But it's easy to see that indiscriminate surveillance combined with these vague laws create a situation where anyone could be victimised by the authorities. It's a totalitarian dictator's dream.

"<...> police stopped them for unrelated matters and discovered the shock images upon inspecting their mobile phones"

What?? So police in UK can now ask to inspect inside your phone without any warrant or even reason?

I know you can be jailed here for refusing to hand over an encryption key. I don't know whether your passcode / fingerprint counts as an encryption key in they eyes of the law.

Perhaps they weren't entitled to legal aid? I was under the impression that anyone charged with a criminal offence was entitled but perhaps I'm wrong.

Maybe they just wanted to get the whole thing over with quickly and not face further embarrassment? It's a good example of how these types of charges could easily be used by the authorities to intimidate people. The damage is done whether they are convicted or not.

To answer your question, it seems you can appeal regardless of how you pleaded [0]. But you have to do it within 28 days.

[0] https://www.gov.uk/appeal-against-sentence-conviction/crown-...

1. They weren't convicted of any crime.

2. The person was charged because he racially slandered someone. Not because of a thought crime.

"Oh it's not a crime to think, just to let other people know what you're thinking". Do you seriously think that makes any sense?

2. Why should this be illegal? Yes, it's offensive. But I don't think offending someone should be a crime.

What kind of court routinely convicts people who didn't actually do the crime?

The word "routinely" might be contentious, because we have almost no numbers on it and the law has a way of making things "true" despite reality, but the kind of court you're referring to is just called a court.

You might google the Innocence Project, if you're interested in this sort of thing.

This topic always drives hyperbole here on HN and I'm not sure why. Investigators and prosecutors don't waste time trying to entrap innocent web developers. They are kept plenty busy by people who are actually making or distributing child porn. Source for that: I know someone who prosecutes child porn cases. He is kept incredibly busy with obvious scumbag criminals.

Law enforcement's ultimate goal is always to walk the chain of possession back to find the folks who are actually making the imagery--who are actually abusing kids. That is why there is strict liability for possession. It gives investigators a lever to flip distributors to help find the sources.

Possession of narcotics is a crime, isn't it?

In contrast, German law defines possession as "having effective control" (with some more nuance obviously). Possession is also entirely different from ownership in German law. I can not control an object I have no knowledge of. If you place an object in my house, I only gain possession of it once I discover it.

I think this is one of the cases where the civil law approach of rigorous definitions is clearly superior to the common law approach of establishing precedent.

Surely you don't think you should be the one going to prison if someone broke into your house and planted 10 kilograms of cocaine under your mattress?

> Surely you don't think you should be the one going to prison

I don't think you "should" go to prison, but I'm saying that's likely how it would go down. So it's analogous to the files on a computer situation.

A few years ago when I worked in computer forensics there was this big myth that if you went on porn websites and one of the images was underage you'd get done for it. However intent is a big part of law and so there would always have to be something along with "just an image" showing some intent to have obtained and viewed it.

Yes. In such a case, a presumption of innocence would be true in theory but of no value at all in practice. Such an attack could even be carried out remotely -- an attacker could compromise a machine remotely, then plant incriminating evidence on the compromised machine (i.e. child porn, terrorist literature, drug-dealing evidence, etc.), then alert the authorities.

This plausible scenario is another reason to vigorously protect one's computer against external attacks.

You're likely familiar with this concept in the context of speeding tickets. All that needs to be proven is that you were, in fact, speeding. It doesn't matter if you could not have been aware of your violation due to, say, a speed-limit sign that was blown away by a storm. If you were provably doing 55 in a 45 zone, you have no recourse.

The argument for absolute liability with speeding violations is purely practical, I believe. The reasoning is that it's not a crime, per se, so the trade-off of individual protection vs expediency of trials is deemed worthwhile. Clearly, the same is not true of child pornography convictions.

Actually, that's "strict liability".

> All that needs to be proven is that you were, in fact, speeding. It doesn't matter if you could not have been aware of your violation due to, say, a speed-limit sign that was blown away by a storm.

That probably does matter, since exceeding the speed limit properly posted is usually the actus reus of speeding, so even to the extent it is a strict liability offense, the absence of proper signage for any reason (except when the speed limit is either the states maximum highway speed limit or a default limit for some other condition which does not require signage, in which case notice is provided by the law setting the default for the conditions, and the sign is a reminder) makes it so that no offense occurred. [0]

[0] Also, given that states do generally have default speed limits that apply in the absence of signage, one could easily argue that the absence of signage is itself a positive indication that the default speed limit applies, making available a U.S. v. Kantor-style "good faith" defense even under strict-liability principles. [1]

[1] https://en.wikipedia.org/wiki/Strict_liability_(criminal)#Un...

[0] https://en.wikipedia.org/wiki/Absolute_liability

Not a lot, AFAICT; the main differences seem to be:

(1) "strict liability" is the term used in US (and, AFAIK, UK) law (though the latter seems to refer to a criminal offense to which strict liability applies as an "absolute offense"), both criminal and tort, and

(2) "strict liability" can be either an attribute of an offense as a whole or an attribute of an element of (the actus reus of) an offense (that is, there can be a required mens rea for some element of an offense, but if there is an element which does not require any mens rea, the element can be said to have strict liability.) From what I've seen, "absolute liability" is universally a trait of offenses-as-a-whole (though that may be because I've seen less about it, and am less familiar with the systems in which the term applies.)

Dropbox (and all other "cloud storage" providers) actively scan for CP material and will turn you in to the police automatically.

[0] http://www.microsoft.com/en-us/photodna

The thing about this stuff that's really alarming is that any random script kiddie could also do this by coaxing your machine into downloading something. That greatly increases the surface area of people who can screw you. Given the abysmally awful security profile of a lot of consumer software and devices this is very plausible.

Real-life sexual offences, as in actually attacking a child, is strict liability.

http://www.legislation.gov.uk/ukpga/1978/37

> 1 Indecent photographs of children.

> (1)[F1Subject to sections 1A and 1B,] it is an offence for a person—

> (a)to take, or permit to be taken [F2or to make], any indecent photograph [F2or pseudo-photograph] of a child F3. . .; or

> (b)to distribute or show such indecent photographs [F4or pseudo-photographs]; or

> (c)to have in his possession such indecent photographs [F4or pseudo-photographs], with a view to their being distributed or shown by himself or others; or

> (d)to publish or cause to be published any advertisement likely to be understood as conveying that the advertiser distributes or shows such indecent photographs [F4or pseudo-photographs], or intends to do so.

[...]

> 4)Where a person is charged with an offence under subsection (1)(b) or (c), it shall be a defence for him to prove—

> (a)that he had a legitimate reason for distributing or showing the photographs [F6or pseudo-photographs] or (as the case may be) having them in his possession; or

> (b)that he had not himself seen the photographs [F6or pseudo-photographs] and did not know, nor had any cause to suspect, them to be indecent.

There are some amendments in the Sexual Offences Act 2003, but I don't think they turn it into a strict liability offence.

And what if the teacher was not on leave or sick, but just in the school's cafeteria, or briefly in another class, etc?

Good luck proving anything with the dates, especially after several months, where nobody remembers who was where at that random day in the past.

Are there any cameras in the school that might have captured his visit to the cafeteria? Review the footage.

How did he pay for his food? Did that create a record that can establish a time and location?

Are there any witnesses who saw the kid sit down at the computer? Like the substitute teacher, for instance?

None of this is unique to child porn cases. Establishing or disputing time and location is basic trial strategy. All a defendant has to do is create reasonable doubt, not conclusively prove innocence.

And they'd remember they saw him after 6 months, and even more so that they saw him leave in 15:20 instead of 15:10, because?

>None of this is unique to child porn cases.

No, but all this make "I didn't change them because filestamps in file are in an hour I wasn't there" difficult.

Heck, the teacher himself will probably not remember where he was at the time the timestamps show...

Once an accusation of child pornography (creation or possession) is put out there if any of it gets exposed to the public by the way of the media (and it will) that person's life is seriously ruined even without prison time.

The problem seems to get worse, too and I certainly don't have any good ideas regarding it. Except maybe re-tooling a new search engine that somehow can take context / validity into account but that's exceptionally difficult to do. And even then if someone gets their news or information from any other source you're still screwed.

But file creation dates are easily changed by a skilled hacker.

here is him talking about it: https://www.youtube.com/watch?v=CzdFOpRTvyU

Even if declared innocent, being charged on suspicion of possession of such porn is a life-long stigma that never wears off. For example, it will be impossible for a foreign citizen to obtain a US 'ESTA' visa waiver after such suspicions.

I get him speaking out for them about the hosting having been free, but Akamai is now the CDN that got bullied into kicking someone of their service against their own will.

Terrible PR, and that mud will stick in tech circles. Akamai folds under pressure.

I know it's a crude comparison, but we don't negotiate with terrorists for a reason.

DDoS mitigation is fundamentally a problem of "who has more bandwidth?" - if the attacker has more bandwidth than you (and how much bandwidth you have depends on "to where" ) - it's over.

The problem is that the economics, right now, are heavily tipped in favor of the attacker.

  I would bet money that the attack was truly epic

Sounds pretty epic.

I would love to see some sources that ANYONE can get close to that number. Short of the NSA bringing its full power to target a specific pipe, I don't think we're there yet.

I think its pretty obvious you don't understand how internet traffic really flows, when you think "all I have to do is compromise 600 pc's with a Gb connection and I can launch a 600Gbps DDoS."

I've been doing networking for 26 years. One of my largest jobs was mitigating Slashdot effect for two high-profile sites. I know very well how a DISTRIBUTED denial of service attack works, can work, and have done many of my own in checking security measures for those whom I consult. Compromising backbone routers is actually fairly simple. Too much reliance upon software stacks and not enough reliance upon sound hardware logic design that's proofed against attack in the first place.

Yes, the state of security on routers, even some rather large routers is embarrassing, but when routers have business-critical amounts of bandwidth? they are attached to pagers.

Regardless of what you think of us, the folks attached to the pager, when you start messing with big important routers, at least if you mess with them to the point where it interferes with the business needs of the people who are paying money for said routers? you are going to wake us up. You are going to have a really hard time using these routers for much more than an hour before there is someone on-site trying to fix it.

Sure, the state of security for monitoring is also abysmal. if you wanted to put in per-router effort, I'm sure you could take my pager offline when you take my router offline. but customers will notice, customers will complain, and at almost every place where I've been on pager, there have been alternate routes to get to me. Hell, I once woke up to a very excited office manager shouting and pounding on my door because the whole office was down, I was sleeping in, and my pager wasn't charged. It freaked the hell out of my roommates; the office manager had a thick accent, and was built like someone out of a HK action film. They thought for sure I was gonna get messed up because I owed someone money.

But yeah, I mean, sure, with sufficient subtlety, you could use a small amount of the available bandwidth on a poorly-monitored backbone router. And a lot of them are poorly monitored. But my point is just that once you start using them hard enough that it interferes with the business needs of the people paying for them? Regardless of how terrible the monitoring system is, people will notice. Security isn't the only thing that is embarrassing on those routers; businesses are used to this shit failing, and even if most people don't know what to do beyond turning it off and back on, when there are dollars involved, there are procedures for getting someone who does know how to fix it on-site.

Of course we will get there sooner than any of us in infosec want, but he is almost an order of magnitude off of what realistic threats look like.

Orders of Magnitude, n; a class in a system of classification determined by size, each class being a number of times (usually ten) greater or smaller than the one before."

There are very few disciplines where OOM is done by exponential form (astronomy/star magnitude being one of them.) It's almost always base-ten. When you use electrical conductivity in mineral identification, you're always multiplying a number by ten multiple times over. The effect of that? You either add or remove an equal amount of zeros to the original number being multiplied.

Is there no way to stop such attacks by coordinating with your upstream ISP, or with the sources of the traffic? Why do backbones allow it to be carried? Is the problem that these attacks are too many different individual streams to identify and filter?

It seems like there ought to be some way to hierarchically punt the problem to network operators. "Your network is contributing 10 gigabytes per second to this DDOS attack. Identify the sources and shut them down." - times each identifiable traffic stream.

Is there no way to capture a list of all IPs involved in the traffic and quickly distribute a "shut off this device" request to the origin network? Maybe a good-faith collaboration of different ISPs could result in quick shut-downs. Or if networks don't cooperate, then the next-nearest border does it for them (and if they don't like the policies under which their neighbor suspends the traffic, they can sign up to do it themselves). Imagine something like a mini automated DMCA type request. "This IP is DDOSing me", signed by the operator of a reputable network, having the effect of suppressing origin traffic from the IP when received by a reputable network. (Any abuse of the mechanism causes the network to lose its privilege to participate, and DMCA requests related to that network fall upon its neighbors.) Perhaps the suppression would be destination-limited so as not to be vulnerable to too much abuse of the mechanism.

5575 is a BGP extension that says "for packets from x to y, do z". Assuming a router knows on which if its input ports such packets arrive (and during a DDoS it doesn't have to wait long for the next packet), it can disseminate the flow specification towards the actual source(s) quickly, so the packets can be dropped quite far from the DDoS target, in the ideal case as soon as it reaches an honest ISP.

Egress filtering should kill much of the spoofed-origin traffic and this much of the rest — if deployed.

I'd love to know why 5575 isn't deployed. Memory concerns maybe?

> Is there no way to capture a list of all IPs involved in the traffic and quickly distribute a "shut off this device" request to the origin network?

Now hackers have a new attack vector.

Couldn't an ISP just throttle traffic to a particular network block on receipt of an authorised request.

And that seemingly provides a general solution. Record output to particular network blocks and throttle traffic when it peaks beyond statistically normal bounds? Basically, applying damping.

So distribute the DOS traffic enough and it will be very risky for providers to throttle it without appearing to be overall slow for a lot of legitimate traffic.

The other problem is determining what an "authorised request" involves. As it stands it is already a problem that people can - and now and again do - manage to mess up routing tables by sending broken route announcement, re-routing large address ranges to the wrong location.

Too much of internet routing still relies on a large amount of trust. We unfortunately need less of that, not more.

Eventually that might lead us to a situation where we could properly authenticate and authorise requests like what you suggest, but today it is high risk.

Oppressive governments can do even worse things to human rights activists, like banning a person from international travel (like Mr. Snowden or Wikileaks founder) and getting them extradicted from other countries.

Plus you get the problem that you are usually seeing DDOS traffic from innocent bystanders, if the ISP is shutting of a compromised home router, then their customer will not have internet for some length of time.

Which do you think costs Comcast more? Temporarily disabling 20,000 customers' internet connections, or forcing Akamai to drop Brian Krebs as a customer?

> Why do backbones allow it to be carried?

Because they get paid for any traffic passing through. The more traffic they have the more profit they earn.

Seems like it not only was one of the most expensive attacks so far (and by far the biggest one to have ever hit Prolexic, according to them), it also made little use of reflection of amplification making it much harder to mitigate.

> to the point where it was impacting (or was about to impact) other Akamai customers.

That's exactly the scale it had reached, and Akamai provided free service to Krebs, which was nice of them but only to the extent that it wasn't significantly impacting customers.

I... wonder if anything different would have been done for a paying customer. I mean, if the attack was big enough to take down other customers, and if Akamai had the choice between kicking one customer and all customers being down?

Krebs was not a "low-revenue person" he was a "no-revenue person" they provided the service pro-bono. With customers they'd have a contract, and while I don't know Akamai's contracts I assume they either have specific service clauses and/or "use clauses" where protection costs get charged to the customer.

8.1.3 Akamai shall meet or exceed the network availability, capacity and operations levels as set forth in Section 2 above; provided that Customer's sole remedy for the breach of this provision by Akamai shall be the termination rights set forth in Section 10.2 below.

10.2 TERMINATION UPON DEFAULT. Either party may terminate this Agreement in the event that the other party materially defaults in performing any obligation under this Agreement and such default continues unremedied for a period of thirty (30) days following, written notice of default; provided, however, that in the event this Agreement is terminated by Customer due to Akamai's breach of its representations under Section 8.1.3 above and failure to cure, Customer's sole remedy shall be its election to terminate the Agreement without further liability to either party (except for Customer's obligation to pay all accrued and unpaid fees outstanding at the date of termination).

Asking for a friend. /s

http://webcache.googleusercontent.com/search?q=cache:http://...

I guess if you have a few 0-days for common stuff that is often hosted you can easily!? collect a few thousand servers that blast out traffic.

Additionally more machines have faster access to the internet as fiber gets more popular, if you have a decent sized botnet that can pump out traffic on average with 50mbit or so you can also get some serious traffic, not sure about getting 620GBps, through. I guess if you mix all of these and put some amplification attacks on top it's possible.

I am genuinely grateful you pointed out my error, it's these little things that people judge us on when we write emails and technical documents.

Please excuse me now though, the Englishman in me demands that I hide under the bed out of shame for the next 26 hours.

Definitely. The lesson I'd take from this is that Akamai isn't serious about DDOS protection.

For me, buying DDOS protection is something like buying insurance. I don't expect to need it, but if the worst happens, I expect them to stick with me. The way I measure insurance providers is by asking friends how it was when they had a claim.

It strikes me as especially bad that they're doing it in the moment. It'd be bad enough if they said, "Sorry, Brian, this is too big a distraction; you've got 90 days to find a new home." But that they're dropping him in the middle of an attack? That means I can't trust Akamai.

>For me, buying DDOS protection is something like buying insurance. I don't expect to need it, but if the worst happens, I expect them to stick with me. The way I measure insurance providers is by asking friends how it was when they had a claim.

DDoS protection isn't insurance, Krebs gets attacked 24/7. Only an utter moron would be willing to sell Krebs DDoS insurance.

>That means I can't trust Akamai.

Which means nothing at all in a world without alternatives, hosts capable of tanking attacks like that number at two or less. But I get the impression you're not looking to spend hundreds of thousands of dollars a year on DDoS protection anyway.

They were hosting it pro bono. He never paid them enough to do anything. And yet...

> Only an utter moron would be willing to sell Krebs DDoS insurance.

But a smart person would cover him for free as a way of proving that they could handle the worst the DDoSsers gave out. To prove that they stick by their customers.

Most people who buy insurance never really use it. So what are they buying? A feeling of safety. Just think about the various insurance company slogans that come to mind.

That being said, I definitely agree with your thoughts on insurance.

So, if he had paid one cent (thus being a paying customer), you could extrapolate?

I don't see how the price is in any way relevant here. They promised to protect him, and they failed to do so. Claiming afterwards that the premium was too low isn't the way this works.

Also, I doubt that it actually was "for free". He may not have paid in money, but likely in the form of (at the time positive) PR, for example.

Since we have no idea what was in the contract this guy signed and it's all speculation, this discussion is totally vacuous and pointless.

> They promised to protect him, and they failed to do so.

How do you know what they promised? They could have promised protection, or they could just as well told the guy "hey, here is some free caching for you, m'kay? No strings attached". Hell, it's possible he didn't even sign anything, and there wasn't a contract at all!

If he were a regular paying customer, I would make the assumption that the contract he signed is likely the same, or similar to the contract I would potentially sign, and this would put Akamai in a very bad light to me.

Since the contract this guy signed is not the contract I would sign, I cannot rationally infer any information from this incident, good or bad.

If Akamai emails me and offers me some free service, then yes, this information would be valuable and relevant. Until that day, I can't make any use of this information.

Do potential customers care if Krebs is a paying customer or not? He went with them as they offer this service which apparently doesn't work as well as advertised.

As a potential paying customer, what they can and can't do is covered by their SLA, and that's all that matters. If they break their SLA they own the customer compensation. This incident is irrelevant.

Of course I don't actually know what kind of SLA and indemnification Akamai provides. Maybe it's bad. Then after analysing the contracts I would make an informed decision. These things are what I use to make decision, not random stories with no technical or business details on random blogs.

- Akamai mitigates attack just fine

- After the attack is over, Akamai does the cost/benefit analysis and decides to stop providing the free service.

The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity.

http://arstechnica.com/security/2016/09/why-the-silencing-of...

If Akamai can't provide their service for free, then they shouldn't provide their service for free.

A CDN's whole business is resilience, which in this case makes them the bodyguard, not a bystander.

Whatever your opinion of Cloudflare, it seems clear to me that Matthew Prince keenly understands this, hence him reaching out and offering to step in and get Krebs back online.

tldr; If Akamai can't do the one job they exist to do in the face of an (albeit well armed) assailant, then they're the problem, not Krebs.

The attack continued and began to affect the performance of other CloudFlare customers, at which point we routed traffic to the site away from our network."

https://news.ycombinator.com/item?id=5214480

On a side note, they really don't appear to be making a concerted effort to get out in front of this which tells me that they either aren't aware of the reaction or don't think it's a big deal.

Either way, it just makes them look bad.

The biggest DDOS ever, and Akamai dumps the client rather than defend it.

However they spin it, doesn't look good.

Frank Leighton needs to make a statement about this, immediately, and he better pull the Rabbit of Caerbannog out of his hat.

The site must be constantly under attack, and it must cost Akamai a fortune in real $$ all year long. And, when their service is performing well, nobody is talking about it, so there must be very little positive PR.

If someone is ready to foot a 620 Gbps bandwith bill all year long, I am pretty sure Akamai will be more than happy and able to scale up further.

Too bad there is no always a cleaner/smarter solution than pure bandwidth and $$ to fight those attacks.

I already know that Akamai is expensive and not particularly good at it. They are a CDN who is trying to make some money on the side with unused bandwidth, and will protect their CDN business if it comes down to it.

They don't invest in active defense. In fact, I know folks who actually had to block malware being served from Akamai-owned IPs!

I suspect that is why they gave service to Krebs for free in the first place--they need the marketing.

https://twitter.com/eastdakota/status/779063982984355840

https://twitter.com/eastdakota/status/779129927543033856

Kind of like the police protects gangsters from getting shot by other gangsters, but you would really like them not to do that, so that the gangsters can just shoot each other.

In this case, Brian Krebs tried to convince Cloudflare to kick off the booter sites, so they are unprotected, and can DDoS each other. Cloudflare didn't put any effort into that idea, and now he's apparently angry that he didn't get through to them.

Cloudflare is not the police. They're a private organization that makes a profit from offering "protection" for people getting DDoS attacked. They enable the people doing the DDoS attacks by protecting their booter sites (https://www.google.com/search?q=ddos+booter). That's called a racketeering operation (https://en.wikipedia.org/wiki/Racket_(crime)), and that's illegal. There are laws against it. Just because our crappy government is too incompetent to file charges doesn't mean it isn't illegal.

If Cloudflare thinks they can foster criminal activity through their network because they're running a juiced up nginx proxy, they're wrong. The "slippery slope" argument is absolute nonsense. As Krebs himself pointed out, they already remove sites that are hosting phishing attacks and malware.

Cloudflare, it's time to do the right thing here and stop protecting DDoS booters. Your policies are helping to damage the internet and censor people, whether they're illegal (they are) or not.

If only...

Let me quote [0]:

> CloudFlare will forward all abuse reports that appear to be legitimate to the > responsible hosting provider and to the website owner. In response to a legitimate > abuse report CloudFlare will provide the complainant with the contact information for > the responsible hosting provider so they can be contacted directly.

So, if I report a scammer CloudFlare will forward my information to that criminal, putting me at risk. Gee, thanks!

and

> Since CloudFlare is not a hosting provider we do not have > the capability to remove content from a website.

Or to put it in the words that they answer every abuse request with:

> Please be aware CloudFlare is a network provider offering a reverse proxy, > pass-through security service. We are not a hosting provider.

Which basically translates to "We don't care, we want to pretend that we are not responsible for our actions."

[0] https://www.cloudflare.com/abuse/

They remove them all, except the one whose threat they benefit from (cloudflare has a direct interest in the ddos threat being as big as possible).

Claiming they are protecting their free speech is a load of bollocks.

What happens over CloudFlare's networks in the case of DDoS providers would essentially be the agreement of a business contract.

The attacks are paid for and managed by the customers through the web portals that run behind CloudFlare. How is that not enabling the attacks?

It takes an intense contortion of the concept of freedom of speech to apply it to this malicious and illegal activity. I guess under that logic it's also okay for a personnel security company to host (or hide behind their nginx server) a hitman-for-hire marketplace too, as long as they're not the ones doing the actual killing?

DDoS attacks (and their store fronts) are not about freedom of speech. They are, always and everywhere, about the suppression and censoring of speech through violence. Protecting them means that you are protecting violence.

But if you're adamant on this being free speech, fine. Where's the free speech criticism for Cloudflare shutting down those phishing and malware distribution sites? Why are DDoS attack sites magically different and deserving of freedom of speech protection?

Most people just panic and start paying Cloudflare for protection. Pretty much for the same reason that most people pay into protection rackets instead of reporting them to law enforcement, because they're afraid and their livelihood is at risk.

Cloudflare also has this wonderful policy of forwarding abuse reports (with information on who reported) to the booter site in question. You can imagine the consequences of that from what just happened to Krebs for doing reporting on them.

If you are being DDoSed. What do you do? Call the local police? Email abuse@fbi.gov?

If you get DDoS attacked, you panic and look for expensive DDoS mitigation, or you go out of business. Legally, enforcement for the specific attacker is almost impossible. Cloudflare both knows this and benefits from protecting it. They realize that customer connection is critical to the system functioning and yet continue to defend it.

With or without Cloudflare in the mix, how the heck would you go about making the connection between a flood of traffic from a large number of IPs, and any particular booter site? I don't understand how taking Cloudflare out of the mix helps you stop the DDoS.

As an aside, the FBI is indeed interested in investigating large DDoS attacks. Contact your local field office to see if yours qualifies! :-)

DDoS-for-sale sites are not "free speech sites", they are for-profit criminal organizations engaging in the violent censorship of people that are too poor to afford proper DDoS mitigation or that want to control the privacy of their users by managing the SSL certs.

The booters aren't usually as powerful as these 600Gbps+ monsters, but they're quite adequate to wreck almost any network for a long time (most IP transit hookups for racks are 10Gbps or less, these attacks can be well in excess of 100Gbps), requiring you to spend exorbitant amounts of money to protect your site against what are essentially bored high schoolers with a spare $20, your competitors, or whomever. That money is then dumped back into the system, allowing the attackers to build even more sophisticated and powerful infrastructure, leading to worse attacks like the ones we're now starting to see. Krebs was one of the people to document this trend, and now his site has been censored off the net by the same people he was writing about. Why is it so surprising to everyone that he's avoiding Cloudflare?

Search Google? So should Google be delisting these sites?

I recognize that it's impossible to eradicate the problem 100%, but by driving it underground, you can dramatically reduce the amount of it by making it harder for them to conduct their business. Cloudflare could do this in a day if they wanted to, instead they sit behind a "free speech" argument waiting for someone to force them to cut it out. Don't say I didn't warn you if the government comes in to change the liability laws to prevent this sort of behavior in the future. Nobody's going to defend DDoS spam packets from criminal botnets as "free speech" when they're preventing all speech from occurring.

As an example, incitement to riot is a crime: https://www.law.cornell.edu/uscode/text/18/2102

https://webcache.googleusercontent.com/search?q=cache:kaymYs...

Not even remotely. If the government steps in with a subpoena for the origin host IP or an injunction to stop protecting the site they'd stop. Someone on the internet asking them has no legal power to do so.

Keep in mind that most reverse proxies will do the same thing. The only difference with Cloudflare is that you don't know the destination IP.

If they were any smaller, their IP ranges would just go into the rogue-isp-blocklist, and that would be the end of that. But because they're mixing in the criminals with their normal customers, that's not really possible.

And since I am unlikely to be in any jurisdiction that CloudFlare is in, nor do I have any chance of finding out who these criminals are because CloudFlare is protecting them, going to the police here wouldn't really achieve much.

It's also not in their best interest to take on the burden of deciding who the criminals are.

I would bet things would be a fair bit easier for them if they agreed to take things down which most people don't like, but from my position they are taking a very principaled stand for free speech. Are people on hn actually arguing we want more censorship on more places on the web?

It seems like another problem caused by the fact that code can be data and data can be code. By which I mean, both are information. 'Free speech' implies the intent to be communicated to people, and can be considered 'data'. However a DDoS is a bunch of information with the intent of affecting the behaviour of computer systems, and can be considered 'code'.

The problem lies in discriminating between the two, given that "bits don't have colour", as explained here: http://ansuz.sooke.bc.ca/entry/23

I'm not at all sure what the right answer is, here. I'm also not 100% convinced that Cloudflare has the right approach, but I'm leaning to "yes", considering the alternative.

(by the way, you'd probably be interested in watching the youtube clip jgrahamc posted elsewhere ITT, with someone from Cloudflare saying some words about their perspective on this dilemma: https://news.ycombinator.com/item?id=12564876)

> We are asking that they stop protecting for-profit DDoS attack sites that are destroying the internet and using violence to censor people's ability to speak.

A DoS is not a violent act. I am mostly ignorant of these things but I think attacks if this kind are a service that test our capabilities. My fear is that there might be calls for legislative actions against "DoS attacks" which would then apply to people sitting at home pressing F5.

How would such a law be different from the current laws? If you sit at home pressing f5 with malicious intent and succeed at bringing a site down, you're committing a crime.

What if you are just fed up of waiting for a site to reload and press F5 a number of times? And what about the (probably majority of) instances where the "attacker" is simply a person who unknowingly downloaded malware onto their computer to get free smileys or whatever?

What? Why is F5 a special case here and what on earth does any of this have to do with Aaron Swartz.

>What if you are just fed up of waiting for a site to reload and press F5 a number of times?

Did you intend to bring it down? Was it obvious that your activity would bring the site down? If answer to both is "No" then you're fine, this is how most laws work.

>And what about the (probably majority of) instances where the "attacker" is simply a person who unknowingly downloaded malware onto their computer to get free smileys or whatever?

Why are you even asking? If someone else commits a crime you're obviously not at fault...

Also, what was even supposedly wrong with the Swartz case? It was on solid ground both legally and morally, shame he never gave the courts a chance.[1]

[1]: Might as well expand on this a little so I don't get hidden by downvotes. I don't think Swartz deserved to go to prison, but given that he intentionally violated the law it's hard to argue that he shouldn't have been charged.

Now if someone is using tools specially built for DoS I don't have a a problem with them being prosecuted.

That is also a problematic definition. I recall similar arguments being made against "nmap"; should we ban nmap, or criminalize its use? I also remember when Dan Farmer was fired for simply writing a security scanner (https://en.wikipedia.org/wiki/Security_Administrator_Tool_fo...), using the same reasoning.

But we aren't talking about protest with a reload macro here, these are for-profit criminal botnets. And one if them just took down the largest DDoS mitigation network in the world. Which means there aren't many sites on earth left they can't take down. Much smaller attacks have nuked Github for days. Who's next to get "freedom of speeched"?

But if two billion people decide to stay at home and continuously press F5, you should get freedom of speeched. I think that's the equivalent of a picket line. Not talking about automated tools other than "refresh page every second".

That's the the extremely unpopular speech that you're proposing to censor. The instant you say "oh but that's different" because of the contents of the speech, you're interjecting your own opinion about that speech.

Which, actually, is fine, but don't play that off as not being speech.

At the level where Cloudflare's network isn't actually being used to send the DDOS attack itself, it's also still speech.

Cloudflare will close accounts when asked, backed by court order. The problem is on today's Internet, that's nigh impossible, which realistically means it falls to Cloudflare to interject an opinion on what's good and bad, but so far they've avoided that as effectively as an ostrich burying it's head in the sand, and so are effectively supporting many bad actors.

"We don't take it down unless it's illegal" is a simple policy, but to be a good policy it needs judgment as well.

Otherwise your post is merely an unsubstantiated personal attack against akamai.

Your comment may have the best of intentions, but that's how you take net neutrality out the window.