CloudFlare helps save Wikileaks' bacon (techcrunch.com)
101 points by jgrahamc on Aug 14, 2012 | 41 comments



I think this move will help establish cloudflare as a strong brand. Great marketing!


Cloudflare's stand on free speech is really impressive. I just wish more companies would have such a strong position on that issue. They deserve all the marketing/PR they can get, but first signs are already showing that they are not just making friends with their position: http://www.cloudflare-watch.org/


FWIW "www.cloudflare-watch.org" currently resolves to an IP address used with a DSL connection (adsl----.dsl.snantx.swbell.net).


I think their stand will only be impressive when it results in a situation where they have to decide between money and "free speech".


If the FBI comes knocking down your door and asks you to stop helping Wikileaks, I think we'll have confirmation of who's been doing this to Wikileaks.


Even the FBI wouldn't be that obvious about it.

Now that I think of it, this is a great job creation program. Pay people to attack wikileaks and wikileaks pays people to defend them. Sort of like breaking windows and then someone has to fix them.


Ok, Zorg.


He really thinks the government push back is going to be via legal channels?

Who does he think is doing the ddos in the first place?

The ddos is happening at over 40GB/sec (2TB every minute). You need massive resources for that.


Where does the 40GBps number come from? Wikileaks appears to have tweeted about 10Gbps. That's nothing unusual for CloudFlare to handle.


I didn't realize who you were at first.

You best set up a page that just says, "as long as this page is up, we have NOT been served a National Security Letter from the FBI".

Because it's going to contain a gag order that prevents you from even talking to your lawyer. So you probably want to ask them ahead of time what to do when you get the letter.


> The Patriot Reauthorization Act of 2005 modified some of the gag order provisions. An NSL recipient may now disclose the fact that they received an NSL in connection with seeking legal advice or complying with the NSL. NSL recipients were also given the ability to challenge, in federal court, compliance with the NSL and the gag order provisions.

http://epic.org/privacy/nsl/


That's a good idea. But seriously, you can't even tell your lawyer to defend yourself against something like that? How is that even remotely constitutional? Does the US Congress pass laws that violate the Constitution on purpose these days?


ACLU challenged it in two cases and that aspect was ruled unconstitutional in both. The law was changed in 2005 to explicitly state that the gag order does not stop you from talking to lawyers about the NSL.


Internet time passes much slower than real time. It's still 2004 here.


rsync.net's warrant canary seems to be a good implementation of this type of idea: http://www.rsync.net/resources/notices/canary.txt


Oh I guess cnet only mentioned the 40gb upper end, I didn't see the tweet.

https://www.google.com/search?q=wikileaks+40gb+%22per+second...


Does that number include all the mirrors that are also down?


Does CloudFlare have experience identifying the source of attacks like this? Because that could be quite interesting.


I wrote up a little about our DDoS statistics here: http://blog.cloudflare.com/the-wednesday-witching-hour-cloud...

One important conclusion is that it's very hard to identify the source for most DDoS attacks because the IP address is either forged, or innocent. Identifying the true source would mean getting into the CnC of the botnet being used. Our business isn't about tracking down who, but simply stopping attacks.


Thanks for accepting them as customers. I hope that it works out (I imagine a larger test will be when something with less popular support - neo-Nazis or child porn or whatever - becomes a client). Free speech matters. And controlling speech should be - in the end - something that is done through a visible, accountable process.

[edited to change "taking a stand" to something less objectionable(?). but contrast this with the payment service providers.]


It's worth noting that CloudFlare is not 'taking a stand' on this. Wikileaks approached us about becoming a customer and, as they are a high traffic site, they had to go through manual sign-up. Once that was done they were live.


You have made the choice not to enforce your own terms of service. Section 11 is a pretty good read, you should check it out.


"You have made the choice not to enforce your own terms of service."

Not really. They've just made a choice not to enforce Section 11, which they state, in Section 11, that they can do.

In the first sentence of Section 11 it says "in the sole judgment of CloudFlare", doesn't that mean that they get to make the choice of whether or not a site violates anything in Section 11?

Are there any lawsuits from any government or official channel that successfully went after WikiLeaks for violations that CloudFlare needs to comply with?

In this case I think it's for CloudFlare to decide, they state this in Section 11 and they've made their choice.


My point is they are aware of what Wikileaks is, and they are making a conscious decision to not enforce the terms (which is as you point out, at their discretion).

Regardless of your feelings on the matter, Wikileaks does admit they do not have the permission of the rights holders to be releasing documents.


It's interesting to note that Wikileaks hasn't ever been served with a DMCA or anything similar.


I've been behind a large often-targeted service for the last 10 years or so, and most of the large attacks we get are pretty easily filtered as our service is TCP (like CloudFlare), and most of the attacks we get are either ping or UDP floods, which we drop at the boundary.

A little harder is the SYN flood with spoofed addresses; how on earth can you filter those?


Aren't SYN cookies [0] the traditional defence against SYN floods? The proxy, or a device in front of it, could take care of that. Only connections that complete the 3-way handshake would take up any room in the connection table.

0 - http://tools.ietf.org/html/rfc4987
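The SYN-cookie mechanism the post above refers to, as an added Python example that is not from the thread or from RFC 4987: the server's initial sequence number carries a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash, so a spoofed SYN costs the server no table entry and only an ACK that echoes a valid cookie creates connection state. The secret key, addresses and port numbers are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo secret; a real stack uses random, periodically rotated keys.
SECRET = b"constructed-demo-secret"
# MSS values the server is willing to encode in the 3-bit MSS field.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_SECS = 64  # one counter tick; cookies older than two ticks are rejected


def _mac24(src, dst, sport, dport, client_isn, count):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
           + sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
           + client_isn.to_bytes(4, "big") + bytes([count]))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN/ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC. Nothing is stored."""
    count = (now // COUNTER_SECS) & 0x1F
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss) if mss >= MSS_TABLE[0] else 0
    return (count << 27) | (idx << 24) | _mac24(src, dst, sport, dport, client_isn, count)


def check_cookie(src, dst, sport, dport, client_seq, ack_seq, now):
    """Validate the final ACK; return the negotiated MSS, or None if the cookie is bad or stale."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF         # the ACK acknowledges our ISN + 1
    client_isn = (client_seq - 1) & 0xFFFFFFFF  # the client's seq in the ACK is its ISN + 1
    count, idx = cookie >> 27, (cookie >> 24) & 0x7
    if (((now // COUNTER_SECS) - count) & 0x1F) > 1:
        return None  # stale: a replay or a cookie older than two ticks
    if (cookie & 0xFFFFFF) != _mac24(src, dst, sport, dport, client_isn, count):
        return None  # forged or tampered ACK (wrong key, 4-tuple or sequence numbers)
    return MSS_TABLE[idx]


def handshake_table(spoofed_syns, real_clients, now, server=("203.0.113.10", 443)):
    """Constructed simulation: spoofed SYNs get a SYN/ACK but no entry; completed handshakes do."""
    table = {}
    for src, sport, isn in spoofed_syns:
        make_cookie(src, server[0], sport, server[1], isn, 1460, now)  # reply sent, no state kept
    for src, sport, isn, mss in real_clients:
        cookie = make_cookie(src, server[0], sport, server[1], isn, mss, now)
        got = check_cookie(src, server[0], sport, server[1], isn + 1, cookie + 1, now)
        if got is not None:
            table[(src, sport)] = got
    return table
```

The cost of the flood is thus one HMAC per SYN and one per ACK rather than a half-open entry per spoofed source, which is the trade-off the next reply in the thread asks about.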


It's just the sheer amount of packets hitting our network that causes the issue, not what is inside them!


I don't understand. Why is it simple to filter UDP but not simple to filter based on a cookie? Is the validation cpu-expensive in bulk? Do you not have the capability to filter that way at the boundary?



Will the massive DDoS on Wikileaks affect other CloudFlare users? Increased latency/server load?


Unlikely. This stuff is our bread and butter. We are under DDoS attack 40% of the time 24/7 (see: http://blog.cloudflare.com/the-wednesday-witching-hour-cloud...). A 10Gbps attack is not unusual for us and we've seen much higher. We have a lot of experience dealing with DDoS attacks.


You guys are the best!!! :) Now if only you supported wildcard DNS so I can protect my WordPress site as well.


What does wildcard DNS have to do with WordPress sites? I have 5 WordPress sites with subdomains all pointing to one single server but protected behind CloudFlare. All sites have their own domain with their own subdomains, like mobile.domain.com or whatever, but that has nothing to do with WordPress or CloudFlare support; just create new records.


> On Friday Wikileaks complained on Twitter that CloudFlare had preemptively blocked the organization from signing up.

I wonder what the actual error message is. Wikileaks actually had to complain on Twitter before finding out they weren't actually blocked, just that there was a special signup process for high-volume accounts.

If there are high-volume site operators who didn't want to tweet CloudFlare for whatever reason, I wonder who else they could list as customers by now.


I'm not clear on how this works... Doesn't cloudflare just replace the domain's DNS record to point to their own servers? So an attack on the original wikileaks IPs would still be fairly effective. Maybe less effective because CF delivers cached content to normal users, but it would keep WL from delivering large files to the CF servers to begin with.


Well, it's easier to block packets coming from every IP except CloudFlare's IPs, so I guess that would be one way of doing it.


It wouldn't be too terribly hard to switch IP addresses once you're behind CF.


And the initial product offering is free, fellas.


That network provider legal protection, does it apply if you're caching? Are you caching wikileaks or just proxy/filtering?


Headline in a few days: CloudFlare servers impounded on suspicion of "piracy" or some such, CloudFlare executives arrested.

/sigh



