
I wrote up a little about our DDoS statistics here: http://blog.cloudflare.com/the-wednesday-witching-hour-cloud...

One important conclusion is that it's very hard to identify the source for most DDoS attacks because the IP address is either forged, or innocent. Identifying the true source would mean getting into the CnC of the botnet being used. Our business isn't about tracking down who, but simply stopping attacks.




Thanks for accepting them as customers. I hope that it works out (I imagine a larger test will be when something with less popular support, neo nazis or child porn or whatever, becomes a client). Free speech matters. And controlling speech should be, in the end, something that is done through a visible, accountable process.

[edited to change "taking a stand" to something less objectionable(?). but contrast this with the payment service providers.]


It's worth noting that CloudFlare is not 'taking a stand' on this. Wikileaks approached us about becoming a customer and, as they are a high traffic site, they had to go through manual sign up. Once that was done they were live.


You have made the choice not to enforce your own terms of service. Section 11 is a pretty good read, you should check it out.


"You have made the choice not to enforce your own terms of service."

Not really. They've just made a choice not to enforce Section 11, which they state, in Section 11, that they can do.

In the first sentence of Section 11 it says "in the sole judgment of CloudFlare", doesn't that mean that they get to make the choice of whether or not a site violates anything in Section 11?

Are there any lawsuits from any government or official channel that successfully went after WikiLeaks for violations that CloudFlare needs to comply with?

In this case I think it's for CloudFlare to decide, they state this in Section 11 and they've made their choice.


My point is they are aware of what Wikileaks is, and they are making a conscious decision to not enforce the terms (which is as you point out, at their discretion).

Regardless of your feelings on the matter, Wikileaks does admit they do not have the permission of the rights holders to be releasing documents.


It's interesting to note that Wikileaks hasn't ever been served with a DMCA or anything similar.


I've been behind a large often-targeted service for the last 10 years or so, and most of the large attacks we get are pretty easily filtered as our service is TCP (like CloudFlare), and most of the attacks we get are either ping or UDP floods, which we drop at the boundary.

A little harder is the SYN flood with spoofed addresses; how on earth can you filter those?


Aren't SYN cookies [0] the traditional defence against SYN floods? The proxy, or a device in front of it, could take care of that. Only connections that complete the 3-way handshake would take up any room in the connection table.

0 - http://tools.ietf.org/html/rfc4987
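The comment above describes the mechanism from RFC 4987: the server encodes a keyed hash of the connection 4-tuple, a coarse timestamp and an MSS index into the initial sequence number of its SYN-ACK, stores nothing, and only allocates connection state when the final ACK comes back with a cookie that verifies. The toy implementation below is an added example, not code from the thread or from CloudFlare; the secret, the MSS table, the 64-second counter, the one-tick validity window and the sample addresses are all constructed for illustration, and it operates on Python integers rather than real packets.

```python
"""Toy SYN-cookie server in the style of RFC 4987 (constructed example)."""
import hashlib
import hmac
import time

# Server-side secret for the cookie MAC (constructed; a real stack rotates it).
SECRET = b"constructed-demo-secret"

# Up to eight MSS values fit in the 3 bits the cookie reserves for them.
MSS_TABLE = [536, 1300, 1440, 1460]

# Cookie validity window in 64-second counter ticks (current tick and the one before).
MAX_AGE_TICKS = 1


def time_counter(now=None):
    """RFC 4987-style slow counter: increments once every 64 seconds."""
    return int(time.time() if now is None else now) // 64


def _hash24(saddr, sport, daddr, dport, t5):
    """24-bit keyed hash over the 4-tuple and the 5-bit time field."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{t5}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's MSS (0 if none)."""
    return max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)


def make_cookie(saddr, sport, daddr, dport, mss, t):
    """Build the 32-bit initial sequence number that carries the cookie.

    Layout (high to low): 5 bits of time counter, 3 bits of MSS index, 24 bits of hash.
    """
    t5 = t & 0x1F
    return (t5 << 27) | (encode_mss(mss) << 24) | _hash24(saddr, sport, daddr, dport, t5)


def check_cookie(saddr, sport, daddr, dport, cookie, t):
    """Return the negotiated MSS if the cookie is valid and fresh, else None."""
    t5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = ((t & 0x1F) - t5) % 32
    if age > MAX_AGE_TICKS:
        return None  # stale cookie: a replayed or very delayed ACK
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t5):
        return None  # forged cookie or a different 4-tuple
    return MSS_TABLE[mss_idx]


class SynCookieServer:
    """Keeps no state for half-open connections; only completed handshakes are stored."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}

    def handle_syn(self, saddr, sport, mss, t):
        # Reply with a SYN-ACK whose ISN is the cookie; nothing is recorded locally,
        # so a flood of SYNs from spoofed sources costs one hash each and no memory.
        return make_cookie(saddr, sport, self.addr, self.port, mss, t)

    def handle_ack(self, saddr, sport, ack, t):
        # The final ACK acknowledges ISN+1, so the cookie is ack-1.
        mss = check_cookie(saddr, sport, self.addr, self.port, (ack - 1) & 0xFFFFFFFF, t)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def simulate_flood(server, n, t):
    """n SYNs from constructed source addresses that never complete the handshake.

    Returns the size of the connection table afterwards (zero with cookies).
    """
    for i in range(n):
        server.handle_syn(f"10.0.{i // 256}.{i % 256}", 1024 + i, 1460, t)
    return len(server.established)


if __name__ == "__main__":
    t = time_counter()
    srv = SynCookieServer("198.51.100.1", 443)
    print("table after 1000 unanswered SYNs:", simulate_flood(srv, 1000, t))
    isn = srv.handle_syn("203.0.113.5", 40000, 1460, t)
    print("legitimate handshake accepted:", srv.handle_ack("203.0.113.5", 40000, isn + 1, t))
```

The point the comment makes shows up in `simulate_flood`: the half-open connections never reach the table, and the per-packet cost on the SYN side is a single HMAC. The price is the usual one for SYN cookies: the MSS is rounded down to a table entry and other options carried in the dropped SYN are lost, which is why stacks typically enable them only under flood conditions.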


It's just the sheer amount of packets hitting our network that causes the issue, not what is inside them!


I don't understand. Why is it simple to filter UDP but not simple to filter based on a cookie? Is the validation cpu-expensive in bulk? Do you not have the capability to filter that way at the boundary?




