If Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing, that's a big bunch of bullshit right there.

Just because a company temporarily relocates behind Cloudflare doesn't mean CF is guilty, though. They can't vet every website before it goes up and each time it updates.

If they aren't kicking these guys off their network for performing the same activities they defend against, though . . . well, "racket" is kind of the term for it.

If Cloudflare kicked accused DDOS-for-hires, the first step in any DDOS campaign would become "accuse target of being DDOS-for-hire". That wouldn't actually be a step forward for DDOS victims who use Cloudflare, because then they would have to provide human input to some sort of appeal process ASAP, rather than Cloudflare just working automatically to thwart an attack.

An accusation should not be sufficient, obviously. Why can't CloudFlare take abuse complaints, verify and take action based on that?

In fact, this is precisely what they've done in the past, though they'd only provide the host details rather than stopping service to a site. (I don't think they'll even go this far anymore, rather they'll give you the abuse email for the host and tell you to have the host contact them, which is ridiculous.) I've filed a few such complaints myself. In one instance, the booter site didn't provide any info about its services without registration, so I linked to the hackforums thread where it was being offered. CloudFlare declined this as sufficient proof. Luckily, I could register an account without payment, and that gave me the options to pay to launch attacks, so I sent the login details to CloudFlare and they accepted that.

Your experience seems to contradict the insinuation that "Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing", to which I responded. So I guess there's no problem after all?

I don't think it contradicts that. CloudFlare is indeed knowingly providing cover to them. The fact that they'll give you an abuse email to the actual host doesn't change them continuing to provide service to such sites, even when they acknowledge a site is a booter.

I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting". Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

I wonder, however, if even the latter policy would solve the booter problem. Accessible websites are convenient for commerce, but they aren't required.

Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services

> I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting".

I agree with this.

> Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

Somewhat. As of my last experience with them (which was like a year ago), they will accept abuse complaints for booters. If you can prove to them the site is a booter, by providing documentation on the site itself (not hackforums or anywhere else where it's being advertised, which is understandable as it's basically hearsay, though a bit difficult) indicating the site offers a DDoS service, they will provide the abuse@ email of the hosting company. They will tell you to have the abuse@ people contact them directly for further details. This is the only action they will take.

But my opinion is they should, upon confirming the site is a booter, terminate their service to the site. It would also be nice if they would continue to provide the host details, in addition, so the reporter can contact the actual host and have the site taken down from there as well.

> Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services

Very good point, thank you for mentioning.

The difference I see is that CloudFlare actively provides a service to them, while Google is merely maintaining a keyword-based search listing for them. That being said, I can see both sides of this one.

My views on the legitimacy (rather, lack thereof) of booters: they are a service that serves absolutely no legitimate purpose. The sole purpose is to perform an illegal act against another person. I know a bunch of them are sold on hackforums as "stressers," i.e. "stress test your own server," but that also isn't a legitimate purpose - I can see no case where one would want to stress test their own services with some UDP or SYN flood over the Internet. Such a thing would only be done over a private network using your own packet generator.

I may not have been clear where I made that comment, so let me explicitly say that I do not know the history or state of CF's abuse policies. CF may, in fact, be doing everything right. I was merely stating a condition that, if CF is doing what you quoted, then it would be a "big bunch of bullshit."

Allow them to exist, yes.

Help them thrive, how? I don't understand. Because they prevent DDOS-for-hire services from attacking each other? Surely "other DDOS-for-hire operators" are not the people charged with stopping DDOS-for-hire services.

DDOS-for-hire websites are naturally unstable - if not for the protection CloudFlare provides, they would all knock one another offline and there would be no DDOS-for-hire websites (or only a single, expensive winner).

Depending on your point of view, cloudflare providing the protection that makes DDOS-for-hire possible is either (a) them being fair and website-content-neutral, anything else would be censorship or (b) the glazier giving baseballs to the child who carelessly breaks windows with them, to generate demand for his services that would not otherwise exist.

The DDOS-for-hire company doesn't need a significant or even continuous web presence, does it? Seems ineffective to DDOS them.

EDIT Surely many of these DDOS-for-hire companies cross into illegal territory. CF can maintain a content-neutral stance by kicking illegal activity off.

The DDoS-for-hire being discussed here are called booters. Access to them can be bought for a few dollars (~$10), and then one is able to log into the site and click a button to attack someone for a few minutes (the exact time depending on the booter itself and sometimes how much you pay).

Illegal where?

Their position is a reasonable one: they are not the host, they are not responsible for content, don't ask them to censor.

Illegal in the country that CloudFlare does business in, the USA.