If you're looking for an actual metaphor, it would be selling armed guard services to you and also to gangs. Its not even clear, in this metaphor, that said armed guard vendor can even tell the difference between law-abiding citizens and gangs - and they can't just shut down services to anyone accused of being a gang, because then the gangs get you by telling ARMED GUARDS, INC that you're a gang and then robbing you while you're not protected.

This metaphor got long and stupid, but at least its accurate. Stop fear-mongering just because you don't like CloudFlare.

You aren't getting it. The issue isn't that CloudFlare doesn't proactively seek out such sites. The issue is that when they are advised a site using their service is a DDoS service, and provided proof of that, _they don't care_ and continue providing service to it. The proper action would be to investigate the abuse complaint, try to conclusively determine if it is true and if so, terminate service to the site.

They don't do that, but continue to sell their DDoS protection service (beyond the free tier), so they are indeed a racketeering operation.

I confess I'm not very familiar with CloudFlare -- in what way are they making it easier to carry out a DDoS?

This comment by michaelt provides some background: https://news.ycombinator.com/item?id=7878053.

In more detail:

- These DDoS-for-hire services being referred to are called "booters," "stressers," or similarly retarded names. For a low fee (I think the average is probably around $10, but you can check yourself), one can buy access to one, where they're able to launch an attack for a period of time (the exact period depends on the booter, and some even charge more for longer attacks; 5-10 minutes at a time is probably around average now) by logging into a website, entering the IP/host, and clicking the "attack" button. That is, no skill. Check places like hackforums yourself and you'll find tons of these. Usually the booters are using Ecatel boxes (generally paid for by the booter owner) because they allow spoofing (which is another topic entirely), some use rooted boxes as well.

- These are very common in gaming, because any 12-year-old with access to mommy's credit card can get their hands on one. That's where the "booter" name comes from; the original meaning was to "boot" someone off Xbox Live (residential connections are obviously really easy to knock out).

- The vast majority of these booters are behind CloudFlare to mask their true host. This serves two purposes: it discourages abuse complaints against the host and also provides the sites with DDoS protection.

- Now, this is like drugs - booter owners don't tend to be friendly with each other. As with rival drug dealers, they'll attack each other and generally try to knock out their competition.

- The only reason these booters are able to operate is because of CloudFlare eliminating the DDoS aspect. If CloudFlare stopped providing service to these illegal sites, they'd be forced to fend for themselves, and it would basically be a "gang war" - everyone attacking each other. Which is fine with me, as if the booter kids are attacking each other, their booters aren't able to mess with anyone else. (Let dumb kids be dumb kids.) Eventually perhaps there will be a small number of booters that come out "on the top," able to withstand attacks, but this then has the effect of eliminating most of the competition, which means the prices will rise. This is also a desired effect, because it's harder to get mommy to agree to pay $100 for something (I'm sure they lie about it) than $10.

- So why not just put your own stuff behind CloudFlare and get rid of the problem? Well, besides the whole issue of not wanting to support this racketeering scam (yes, there is a free level of CloudFlare, but certainly they want to sell you the paid ones and the higher levels can withstand different attacks), this option is only open for websites.

FYI, my position in all this is as a game server owner who has dealt with this BS enough, and I'll admit I'm certainly biased towards that side.

CloudFlare stopping support here would go a long ways towards eliminating the booter problem. It won't eliminate DDoS attacks entirely, of course, but it will eliminate a whole class of them and probably the largest class (because actual botnet owners are rarer). I agree entirely with the assessment that CloudFlare is engaging in racketeering.