
I wonder why they're not using Cloudflare.



I was just thinking the same thing. I have a website that I run and I was DDoSed one week and got over 1 million page requests but Cloudflare deflected most of the traffic. My New Relic logs were crazy because it showed that traffic was WAY up; I immediately knew what happened though.


Seems that they are in the process of starting to use it.


I don't know anything about Cloudflare, but isn't using a CDN with dynamic web-apps difficult? Sure, you can host static content like JavaScript, CSS, images, etc., but caching stuff like what feeds, articles, etc. you've read can't be easy or efficient for a CDN.
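The split the question is getting at is how a reverse-proxy CDN decides, response by response, what it may keep at the edge (static assets) and what must pass straight through to the origin (per-user feed state). That decision is driven by the origin's own HTTP headers. As an added example that is not from this thread or from any CDN vendor's code, here is a minimal shared-cache decision function following the RFC 7234 rules (no-store, private, Set-Cookie, s-maxage/max-age), run over a few constructed sample responses:

```python
"""Shared-cache (CDN edge) storability decision per HTTP response.

Added example: implements the RFC 7234 shared-cache rules a reverse
proxy applies. Sample responses below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse 'public, max-age=60' into {'public': None, 'max-age': '60'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = None
    return directives


def shared_cache_decision(headers: Dict[str, str]) -> Tuple[bool, int, str]:
    """Return (storable_at_edge, ttl_seconds, reason) for one response.

    Conservative: with no explicit freshness lifetime we do not cache,
    so a misconfigured origin leaks nothing user-specific to other users.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    if "no-store" in cc:
        return (False, 0, "no-store")
    if "private" in cc:
        return (False, 0, "private: per-user response")
    if "no-cache" in cc:
        return (False, 0, "no-cache: must revalidate every time")
    # A Set-Cookie response is per-user unless the origin explicitly says public.
    if "set-cookie" in h and "public" not in cc:
        return (False, 0, "Set-Cookie without explicit public")

    ttl: Optional[int] = None
    if "s-maxage" in cc and cc["s-maxage"] is not None:
        ttl = int(cc["s-maxage"])          # shared caches prefer s-maxage
    elif "max-age" in cc and cc["max-age"] is not None:
        ttl = int(cc["max-age"])
    if ttl is None:
        return (False, 0, "no explicit freshness lifetime")
    if ttl <= 0:
        return (False, 0, "freshness lifetime is zero")
    return (True, ttl, "storable")


# Constructed sample responses, keyed by path (not real Feedly traffic).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/static/app.js": {
        "Content-Type": "application/javascript",
        "Cache-Control": "public, max-age=31536000",
    },
    "/api/feeds/unread": {
        "Content-Type": "application/json",
        "Cache-Control": "private, max-age=0",
        "Set-Cookie": "session=example-session-value; HttpOnly; Secure",
    },
    "/article/123": {
        "Content-Type": "text/html",
        # Browsers revalidate; the edge may hold it for a minute.
        "Cache-Control": "public, s-maxage=60, max-age=0",
    },
    "/account/settings": {
        "Content-Type": "text/html",
        "Cache-Control": "no-store",
    },
    "/legacy/page": {
        "Content-Type": "text/html",
    },
}


def classify_samples() -> Dict[str, Tuple[bool, int, str]]:
    """Run the decision over every sample response."""
    return {path: shared_cache_decision(hdrs) for path, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for path, (storable, ttl, reason) in classify_samples().items():
        print(f"{path:22s} edge-cache={storable!s:5s} ttl={ttl:>9d}s  ({reason})")
```

The point for the thread: a CDN in front of a dynamic app is not caching "what you've read"; it proxies those requests (and can still absorb floods and filter them) while caching only what the origin marks as public with a lifetime. The security-relevant edge case is the `Set-Cookie` check: a response that sets a session cookie and carries no explicit `private` directive should never be stored for other users, so the function refuses unless `public` is stated.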


They provide more than just a CDN. They manage your DNS so there are many more things they can do to deflect attacks.


If you read the comments on the Feedly blog, they are using Cloudflare.


Not sure what plan they're on or what kind of revenue they generate, but even the $200/month business plan is a lifesaver considering some of the features:

- Advanced DDoS protection (layers 3, 4 and 7)

- 100% uptime guaranteed

- BGP Origins protection

- Web Application Firewall


It's now showing CloudFlare Error 522 (Connection timed out)

Not sure if they integrated CloudFlare now or it was present before.



Cloudflare is a protection racket. Some people don't use them on principle. They are the vendor selling chastity belts to stop rape. It is in their best economic interest that these attacks continue.

It's sad that to run a service now the expectation is to shovel money to another service to absorb UDP packets.


That's like saying bodyguards are a protection racket because muggers and assassins exist. Yes, it sucks to have to pay for defense, but that doesn't mean the problem is your defense vendor's fault, or that said vendor has done anything wrong at all.


I don't think anyone has a problem with offering defense services. The problem lies in that CloudFlare is helping to create the problem. It would be analogous to your bodyguard constantly hiring hitmen to make attempts at your life.


Are you actually claiming that CloudFlare is paying for DDoS attacks, or is that a really poor metaphor?


Perhaps a poor metaphor in your opinion. I don't believe, nor did I claim, CloudFlare themselves is carrying out DDoS attacks. What they _are_ doing is making it way easier for others to do it.

So, perhaps more to your liking would be selling armed guard services to guard against a gang robbery, while simultaneously funding and supporting (but not actually participating in, i.e. not actually providing people for) said gang.


If you're looking for an actual metaphor, it would be selling armed guard services to you and also to gangs. It's not even clear, in this metaphor, that said armed guard vendor can even tell the difference between law-abiding citizens and gangs - and they can't just shut down services to anyone accused of being a gang, because then the gangs get you by telling ARMED GUARDS, INC that you're a gang and then robbing you while you're not protected.

This metaphor got long and stupid, but at least it's accurate. Stop fear-mongering just because you don't like CloudFlare.


You aren't getting it. The issue isn't that CloudFlare doesn't proactively seek out such sites. The issue is that when they are advised a site using their service is a DDoS service, and provided proof of that, _they don't care_ and continue providing service to it. The proper action would be to investigate the abuse complaint, try to conclusively determine if it is true and if so, terminate service to the site.

They don't do that, but continue to sell their DDoS protection service (beyond the free tier), so they are indeed a racketeering operation.


I confess I'm not very familiar with CloudFlare -- in what way are they making it easier to carry out a DDoS?


This comment by michaelt provides some background: https://news.ycombinator.com/item?id=7878053.

In more detail:

- These DDoS-for-hire services being referred to are called "booters," "stressers," or similarly retarded names. For a low fee (I think the average is probably around $10, but you can check yourself), one can buy access to one, where they're able to launch an attack for a period of time (the exact period depends on the booter, and some even charge more for longer attacks; 5-10 minutes at a time is probably around average now) by logging into a website, entering the IP/host, and clicking the "attack" button. That is, no skill. Check places like hackforums yourself and you'll find tons of these. Usually the booters are using Ecatel boxes (generally paid for by the booter owner) because they allow spoofing (which is another topic entirely), some use rooted boxes as well.

- These are very common in gaming, because any 12-year-old with access to mommy's credit card can get their hands on one. That's where the "booter" name comes from; the original meaning was to "boot" someone off Xbox Live (residential connections are obviously really easy to knock out).

- The vast majority of these booters are behind CloudFlare to mask their true host. This serves two purposes: it discourages abuse complaints against the host and also provides the sites with DDoS protection.

- Now, this is like drugs - booter owners don't tend to be friendly with each other. As with rival drug dealers, they'll attack each other and generally try to knock out their competition.

- The only reason these booters are able to operate is because of CloudFlare eliminating the DDoS aspect. If CloudFlare stopped providing service to these illegal sites, they'd be forced to fend for themselves, and it would basically be a "gang war" - everyone attacking each other. Which is fine with me, as if the booter kids are attacking each other, their booters aren't able to mess with anyone else. (Let dumb kids be dumb kids.) Eventually perhaps there will be a small number of booters that come out "on the top," able to withstand attacks, but this then has the effect of eliminating most of the competition, which means the prices will rise. This is also a desired effect, because it's harder to get mommy to agree to pay $100 for something (I'm sure they lie about it) than $10.

- So why not just put your own stuff behind CloudFlare and get rid of the problem? Well, besides the whole issue of not wanting to support this racketeering scam (yes, there is a free level of CloudFlare, but certainly they want to sell you the paid ones and the higher levels can withstand different attacks), this option is only open for websites.

FYI, my position in all this is as a game server owner who has dealt with this BS enough, and I'll admit I'm certainly biased towards that side.

CloudFlare stopping support here would go a long ways towards eliminating the booter problem. It won't eliminate DDoS attacks entirely, of course, but it will eliminate a whole class of them and probably the largest class (because actual botnet owners are rarer). I agree entirely with the assessment that CloudFlare is engaging in racketeering.


It is a protection racket ONLY if they are aiding or doing the attacks. I don't see how protecting a company from DDoS attacks is a protection racket by itself, care to elaborate?


From what I have read, Cloudflare takes considerable flack because they willingly provide services to the websites that let you buy and sell ddos-for-hire services.

Also, I believe their defense is "we are a proxy, not the host, go elsewhere to complain". So, yes, they appear to allow these booters to exist and thrive in a world where they were unable to (at this level) before.

* http://www.webhostingtalk.com/showthread.php?t=1235995
* http://www.organicweb.com.au/17240/internet/cloudflare-secur...
* http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...


If Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing, that's a big bunch of bullshit right there.

Just because a company temporarily relocates behind Cloudflare doesn't mean CF is guilty, though. They can't vet every website before it goes up and each time it updates.

If they aren't kicking these guys off their network for performing the same activities they defend against, though . . . well, "racket" is kind of the term for it.


If Cloudflare kicked accused DDOS-for-hires, the first step in any DDOS campaign would become "accuse target of being DDOS-for-hire". That wouldn't actually be a step forward for DDOS victims who use Cloudflare, because then they would have to provide human input to some sort of appeal process ASAP, rather than Cloudflare just working automatically to thwart an attack.


An accusation should not be sufficient, obviously. Why can't CloudFlare take abuse complaints, verify and take action based on that?

In fact, this is precisely what they've done in the past, though they'd only provide the host details rather than stopping service to a site. (I don't think they'll even go this far anymore, rather they'll give you the abuse email for the host and tell you to have the host contact them, which is ridiculous.) I've filed a few such complaints myself. In one instance, the booter site didn't provide any info about its services without registration, so I linked to the hackforums thread where it was being offered. CloudFlare declined this as sufficient proof. Luckily, I could register an account without payment, and that gave me the options to pay to launch attacks, so I sent the login details to CloudFlare and they accepted that.


Your experience seems to contradict the insinuation that "Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing", to which I responded. So I guess there's no problem after all?


I don't think it contradicts that. CloudFlare is indeed knowingly providing cover to them. The fact that they'll give you an abuse email to the actual host doesn't change them continuing to provide service to such sites, even when they acknowledge a site is a booter.


I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting". Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

I wonder, however, if even the latter policy would solve the booter problem. Accessible websites are convenient for commerce, but they aren't required.

Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services


> I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting".

I agree with this.

> Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

Somewhat. As of my last experience with them (which was like a year ago), they will accept abuse complaints for booters. If you can prove to them the site is a booter, by providing documentation on the site itself (not hackforums or anywhere else where it's being advertised, which is understandable as it's basically hearsay, though a bit difficult) indicating the site offers a DDoS service, they will provide the abuse@ email of the hosting company. They will tell you to have the abuse@ people contact them directly for further details. This is the only action they will take.

But my opinion is they should, upon confirming the site is a booter, terminate their service to the site. It would also be nice if they would continue to provide the host details, in addition, so the reporter can contact the actual host and have the site taken down from there as well.

> Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services

Very good point, thank you for mentioning.

The difference I see is that CloudFlare actively provides a service to them, while Google is merely maintaining a keyword-based search listing for them. That being said, I can see both sides of this one.

My views on the legitimacy (rather, lack thereof) of booters: they are a service that serves absolutely no legitimate purpose. The sole purpose is to perform an illegal act against another person. I know a bunch of them are sold on hackforums as "stressers," i.e. "stress test your own server," but that also isn't a legitimate purpose - I can see no case where one would want to stress test their own services with some UDP or SYN flood over the Internet. Such a thing would only be done over a private network using your own packet generator.


I may not have been clear where I made that comment, so let me explicitly say that I do not know the history or state of CF's abuse policies. CF may, in fact, be doing everything right. I was merely stating a condition that, if CF is doing what you quoted, then it would be a "big bunch of bullshit."


Allow them to exist, yes.

Help them thrive, how? I don't understand. Because they prevent DDOS-for-hire services from attacking each other? Surely "other DDOS-for-hire operators" are not the people charged with stopping DDOS-for-hire services.


DDOS-for-hire websites are naturally unstable - if not for the protection CloudFlare provides, they would all knock one another offline and there would be no DDOS-for-hire websites (or only a single, expensive winner).

Depending on your point of view, Cloudflare providing the protection that makes DDOS-for-hire possible is either (a) them being fair and website-content-neutral, anything else would be censorship, or (b) the glazier giving baseballs to the child who carelessly breaks windows with them, to generate demand for his services that would not otherwise exist.


The DDOS-for-hire company doesn't need a significant or even continuous web presence, does it? Seems ineffective to DDOS them.

EDIT Surely many of these DDOS-for-hire companies cross into illegal territory. CF can maintain a content-neutral stance by kicking illegal activity off.


The DDoS-for-hire being discussed here are called booters. Access to them can be bought for a few dollars (~$10), and then one is able to log into the site and click a button to attack someone for a few minutes (the exact time depending on the booter itself and sometimes how much you pay).


Illegal where?

Their position is a reasonable one: they are not the host, they are not responsible for content, don't ask them to censor.


Illegal in the country that CloudFlare does business in, the USA.


Isn't that an extortion racket when they force you to either buy their service or be attacked?


Unless you are intending to accuse Cloudflare of aiding illegal activity in order to sell services, you may want to change your statement, as this could be considered libel.


Libel is nearly impossible to act upon in the USA. Thank you, first amendment.


Has to actually cause financial or significant personal harm. Something an HN comment will likely never achieve.


CloudFlare offers a free tier as well that provides protection.


I have upvoted the comment to protest HN people downvoting comments that they disagree with. The comment is by no means spam, off-topic, etc.; the only problem is that it lacks one or two links to some backing information.


Wow. FYI, a racket is defined as offering to solve a problem that does not exist, or that would not exist if the offerer didn't force it upon you.

Unless you're claiming the blackmail group is made up of Cloudflare employees, you should choose your words more wisely.


In the security industry I've seen people watch exploits and DDoS attacks and all sorts of chaos with unfettered glee. It's good for business, it's good for my consulting, and (IMHO the key thing) it's good for increasing the social status of security people. "This is why you listen to me!" Plus we or our friends get to be interviewed by NPR. Hi, Mom!

Still, saying they are a racket is a step too far. There were lots of accusations of the antivirus vendors purposefully releasing viruses in the 80s and 90s[1], which would certainly be a racket if it were true.

[1] Not counting the products themselves as viruses.


> [1] Not counting the products themselves as viruses.

Pretty bold assumption IMO


IMO, CloudFlare meets this definition. For many DDoS victims, the problem would not exist without CloudFlare's help. Many cases like this are not some big bad guy with their own sizable botnet, they're just some kid using a booter bought with mommy's credit card. Without those booters being easily available, there would be no problem.

DDoS wouldn't go away without booters, but many small cases like this would be significantly reduced.



