
Isn't this the point at which Cloudflare is supposed to gain a handful of PR points for putting him back online, pro bono, and then doing a write up on how effortlessly they handled the bandwidth with eBPF?



I wonder why. Any ideas?


Akamai was good to him by providing services pro bono, so I doubt he wants to knowingly become a PR stunt for CloudFlare.


I imagine he is still talking with Akamai (they did not comment after all) and expects to be back after the attacks die out. Switching would burn that bridge.


Unfortunately, Krebs has (correctly) repeatedly attacked Cloudflare for sheltering most of the most prolific DDOS attackers. I doubt that's going to happen.


Care to fill in the details for me? Do you mean to say the most prolific DDoS attackers work for Cloudflare? Or that their network somehow (?) shelters them? What do you mean exactly? This sounds interesting.


Cloudflare protects everybody who signs up, including control panels for "booter sites", which are web pages where you can allegedly buy a DDoS attack for an hourly rate.

Kind of like the police protects gangsters from getting shot by other gangsters, but you would really like them not to do that, so that the gangsters can just shoot each other.

In this case, Brian Krebs tried to convince Cloudflare to kick off the booter sites, so they are unprotected, and can DDoS each other. Cloudflare didn't put any effort into that idea, and now he's apparently angry that he didn't get through to them.


That's not called being "angry". That's called being principled. Other things that are considered principled include posting your opinions with your name on them instead of cowardly resorting to a throwaway account like you just did.

Cloudflare is not the police. They're a private organization that makes a profit from offering "protection" for people getting DDoS attacked. They enable the people doing the DDoS attacks by protecting their booter sites (https://www.google.com/search?q=ddos+booter). That's called a racketeering operation (https://en.wikipedia.org/wiki/Racket_(crime)), and that's illegal. There are laws against it. Just because our crappy government is too incompetent to file charges doesn't mean it isn't illegal.

If Cloudflare thinks they can foster criminal activity through their network because they're running a juiced up nginx proxy, they're wrong. The "slippery slope" argument is absolute nonsense. As Krebs himself pointed out, they already remove sites that are hosting phishing attacks and malware.

Cloudflare, it's time to do the right thing here and stop protecting DDoS booters. Your policies are helping to damage the internet and censor people, whether they're illegal (they are) or not.


> they already remove sites that are hosting phishing attacks and malware.

If only...

Let me quote [0]:

> CloudFlare will forward all abuse reports that appear to be legitimate to the responsible hosting provider and to the website owner. In response to a legitimate abuse report CloudFlare will provide the complainant with the contact information for the responsible hosting provider so they can be contacted directly.

So, if I report a scammer CloudFlare will forward my information to that criminal, putting me at risk. Gee, thanks!

and

> Since CloudFlare is not a hosting provider we do not have the capability to remove content from a website.

Or to put it in the words that they answer every abuse request with:

> Please be aware CloudFlare is a network provider offering a reverse proxy, pass-through security service. We are not a hosting provider.

Which basically translates to "We don't care, we want to pretend that we are not responsible for our actions."

[0] https://www.cloudflare.com/abuse/


They enable the booter's free speech; they aren't enabling their actual attacks. If comparison to police doesn't suit you since they're special, think of doctors.


That would be fine and all if Cloudflare wasn't removing other Internet threats from their networks (phishing, malware, ...).

They remove them all, except the one whose threat they benefit from (cloudflare has a direct interest in the ddos threat being as big as possible).

Claiming they are protecting their free speech is a load of bollocks.


Both the phishing and malware attacks would be performed over CloudFlare's networks, while the DDoS attacks would not.

What happens over CloudFlare's networks in the case of DDoS providers would essentially be the agreement of a business contract.


Free speech? As an example, criminal conspiracy and solicitation of murder are both crimes of speech, and claiming a "free speech" defense will just make a judge laugh at you.


Yes, but that's a decision for a judge to make, not a private company.


It is totally a decision for a private company to make. The operative word here being "private". Private individuals have freedom of association; they cannot generally be compelled to associate with people they don't want to.


> They enable the booter's free speech; they aren't enabling their actual attacks.

The attacks are paid for and managed by the customers through the web portals that run behind CloudFlare. How is that not enabling the attacks?


One could imagine management and payment via phone calls or snail mail. The actual attacks couldn't happen like that.


You're seriously comparing DDoS attack markets to doctors?

It takes an intense contortion of the concept of freedom of speech to apply it to this malicious and illegal activity. I guess under that logic it's also okay for a personnel security company to host (or hide behind their nginx server) a hitman-for-hire marketplace too, as long as they're not the ones doing the actual killing?

DDoS attacks (and their store fronts) are not about freedom of speech. They are, always and everywhere, about the suppression and censoring of speech through violence. Protecting them means that you are protecting violence.

But if you're adamant on this being free speech, fine. Where's the free speech criticism for Cloudflare shutting down those phishing and malware distribution sites? Why are DDoS attack sites magically different and deserving of freedom of speech protection?


Cloudflare will obviously respond to law enforcement requests of what the origin server is. Krebs is not law enforcement, and neither are other DDoSers. What is your problem?


Let's say I'm running a site. It gets DDoSed. Almost all of the booters are behind Cloudflare. How do I proceed here? Call the local police? Email abuse@fbi.gov?

Most people just panic and start paying Cloudflare for protection. Pretty much for the same reason that most people pay into protection rackets instead of reporting them to law enforcement, because they're afraid and their livelihood is at risk.

Cloudflare also has this wonderful policy of forwarding abuse reports (with information on who reported) to the booter site in question. You can imagine the consequences of that from what just happened to Krebs for doing reporting on them.


Let's say CloudFlare didn't exist and you got DDoSed. Now what do you do?


I'm not saying that Cloudflare or DDoS mitigation shouldn't exist. I'm saying they should not protect sites that are doing the attacks they profit from defending against.


My point is the traffic isn't coming FROM CloudFlare. When you're attacked, there's no way of knowing who is attacking you. Your recourses are the same even if CloudFlare wasn't protecting the brochure/control panel websites of the services.

If you are being DDoSed. What do you do? Call the local police? Email abuse@fbi.gov?


It's not a "brochure", it's how they meet their customers and take payment from them for their attacks. It's how they make it so anyone in the world can launch a 100Gbps+ attack in 5 minutes for $20.

If you get DDoS attacked, you panic and look for expensive DDoS mitigation, or you go out of business. Legally, enforcement for the specific attacker is almost impossible. Cloudflare both knows this and benefits from protecting it. They realize that customer connection is critical to the system functioning and yet continue to defend it.


> Let's say I'm running a site. It gets DDoSed. Almost all of the booters are behind Cloudflare. How do I proceed here? Call the local police? Email abuse@fbi.gov?

With or without Cloudflare in the mix, how the heck would you go about making the connection between a flood of traffic from a large number of IPs, and any particular booter site? I don't understand how taking Cloudflare out of the mix helps you stop the DDoS.

As an aside, the FBI is indeed interested in investigating large DDoS attacks. Contact your local field office to see if yours qualifies! :-)


Cloudflare realizes that the status quo makes it hard to prove standing to sue, and that's a large part of what allows them to get away with it. But if you go to Google right now and search (https://www.google.com/#q=ddos+booter), you will find that basically all of them are behind Cloudflare. They have spent an enormous amount of time brainwashing Silicon Valley into thinking that this is a free speech argument (as evidenced by some of the absolutely ridiculous comments in here comparing DDoS attackers to unpopular speech protection or making absolutely shameless comparisons to whistleblowers like Aaron Swartz).

DDoS-for-sale sites are not "free speech sites", they are for-profit criminal organizations engaging in the violent censorship of people that are too poor to afford proper DDoS mitigation or that want to control the privacy of their users by managing the SSL certs.

The booters aren't usually as powerful as these 600Gbps+ monsters, but they're quite adequate to wreck almost any network for a long time (most IP transit hookups for racks are 10Gbps or less, these attacks can be well in excess of 100Gbps), requiring you to spend exorbitant amounts of money to protect your site against what are essentially bored high schoolers with a spare $20, your competitors, or whomever. That money is then dumped back into the system, allowing the attackers to build even more sophisticated and powerful infrastructure, leading to worse attacks like the ones we're now starting to see. Krebs was one of the people to document this trend, and now his site has been censored off the net by the same people he was writing about. Why is it so surprising to everyone that he's avoiding Cloudflare?


> But if you go to Google right now and search (https://www.google.com/#q=ddos+booter), you will find that basically all of them are behind Cloudflare.

Search Google? So should Google be delisting these sites?


If you're getting DDoS'd right now, and you want to sue the booter that is doing it, how would you know which one to sue? Cloudflare obscures the origin IP because it's a reverse proxy. But even if you know the origin IP, that's not the IP the DDoS is going to be coming from. So how does one match up an attack with a specific booter website?


As I just mentioned, Cloudflare realizes that the status quo makes it hard to prove standing to sue them or to go after the attackers, and that's a large part of what allows them to get away with it. How is the FBI supposed to conduct an investigation here? They're not going to be able to get subpoenas for every single DDoS booter behind Cloudflare (one group has documented over 200 of them).

I recognize that it's impossible to eradicate the problem 100%, but by driving it underground, you can dramatically reduce the amount of it by making it harder for them to conduct their business. Cloudflare could do this in a day if they wanted to, instead they sit behind a "free speech" argument waiting for someone to force them to cut it out. Don't say I didn't warn you if the government comes in to change the liability laws to prevent this sort of behavior in the future. Nobody's going to defend DDoS spam packets from criminal botnets as "free speech" when they're preventing all speech from occurring.


Honest question -- how do you feel about someone downtown with a bullhorn, calling for terrorism or some other malicious act?


At least in the US, "advocacy of the use of force" is not protected by the constitution if it is "directed to inciting or producing imminent lawless action" and is "likely to incite or produce such action". https://en.wikipedia.org/wiki/Brandenburg_v._Ohio

As an example, incitement to riot is a crime: https://www.law.cornell.edu/uscode/text/18/2102


So if someone hosts a site for selling drugs but doesn't sell them himself, that is free speech too? It didn't help someone who called himself a Pirate and made a Silk Road.


FYI I was impressed by your post and just tweeted a link to it to them.


> The DDoS-for-hire service is hidden behind DDoS protection firm Cloudflare, but its actual Internet address is 82.118.233.144.

https://webcache.googleusercontent.com/search?q=cache:kaymYs...


Cloudflare hilariously acts as a reverse proxy for booters and does not respond to abuse reports against them.


I can confirm that this is true. "Hilarious" is not the word I would use to describe it, "potentially criminal" I think is closer to correct.


> potentially criminal

Not even remotely. If the government steps in with a subpoena for the origin host IP or an injunction to stop protecting the site they'd stop. Someone on the internet asking them has no legal power to do so.



They seem to think they have firm legal ground.

Keep in mind that most reverse proxies will do the same thing. The only difference with Cloudflare is that you don't know the destination IP.


I'd call it business savvy.


Why send Cloudflare the abuse report rather than the police, who are paid by the government to investigate crimes? I have little understanding for this current trend of letting suspected criminals go un-investigated while all focus is on private third parties that are held up to act as police, judge and jury.


Because one would think that it would be in CloudFlare's interest not to harbour criminals on their network. This logic seems to work almost everywhere else on the internet, including privacy friendly hosters in iceland. It's mostly just CloudFlare who replies to every abuse report with the same "WE R A REVERSE PROXY", no matter what the actual issue that was raised with them was.

If they were any smaller, their IP ranges would just go into the rogue-isp-blocklist, and that would be the end of that. But because they're mixing in the criminals with their normal customers, that's not really possible.

And since I am unlikely to be in any jurisdiction that CloudFlare is in, nor do I have any chance of finding out who these criminals are because CloudFlare is protecting them, going to the police here wouldn't really achieve much.


Because one would think that it would be in CloudFlare's interest not to harbour criminals on their network.

It's also not in their best interest to take on the burden of deciding who the criminals are.


Cloudflare has a pretty simple policy. They only censor content when they legally have to, or when it's child porn. That actually opens them up to a lot of heat from people who aren't big fans of the KKK, the Westboro Baptist Church, or botnets. BUT they don't specifically allow botnets as a weird method of promoting them, it's a widely applied policy.

I would bet things would be a fair bit easier for them if they agreed to take things down which most people don't like, but from my position they are taking a very principled stand for free speech. Are people on HN actually arguing we want more censorship in more places on the web?


Nobody in here is proposing that Cloudflare censor unpopular speech. We are asking that they stop protecting for-profit DDoS attack sites that are destroying the internet and using violence to censor people's ability to speak. That isn't a freedom of speech debate, it's a debate on the ethics and legality of defending and protecting criminal activity that financially benefits them, a timely topic now that this activity is actively threatening the ability of the internet to function for any kind of speech http://www.webhostingtalk.com/showthread.php?t=1599694 http://webcache.googleusercontent.com/search?q=cache:0uf9RIu...


I agree that it's an ethics problem, and a non-trivial one at that.

It seems like another problem caused by the fact that code can be data and data can be code. By which I mean, both are information. 'Free speech' implies the intent to be communicated to people, and can be considered 'data'. However a DDoS is a bunch of information with the intent of affecting the behaviour of computer systems, and can be considered 'code'.

The problem lies in discriminating between the two, given that "bits don't have colour", as explained here: http://ansuz.sooke.bc.ca/entry/23

I'm not at all sure what the right answer is, here. I'm also not 100% convinced that Cloudflare has the right approach, but I'm leaning to "yes", considering the alternative.

(by the way, you'd probably be interested in watching the youtube clip jgrahamc posted elsewhere ITT, with someone from Cloudflare saying some words about their perspective on this dilemma: https://news.ycombinator.com/item?id=12564876)


I mostly agree with you but let's not take it too far.

> We are asking that they stop protecting for-profit DDoS attack sites that are destroying the internet and using violence to censor people's ability to speak.

A DoS is not a violent act. I am mostly ignorant of these things but I think attacks of this kind are a service that tests our capabilities. My fear is that there might be calls for legislative actions against "DoS attacks" which would then apply to people sitting at home pressing F5.


> would then apply to people sitting at home pressing F5.

How would such a law be different from the current laws? If you sit at home pressing F5 with malicious intent and succeed at bringing a site down, you're committing a crime.


I don't know about you, but criminalizing the act of pressing F5 with any intent seems firmly on the way to Aaron Swartz-like cases to me.

What if you are just fed up of waiting for a site to reload and press F5 a number of times? And what about the (probably majority of) instances where the "attacker" is simply a person who unknowingly downloaded malware onto their computer to get free smileys or whatever?


> I don't know about you, but criminalizing the act of pressing F5 with any intent seems firmly on the way to Aaron Swartz-like cases to me.

What? Why is F5 a special case here, and what on earth does any of this have to do with Aaron Swartz?

> What if you are just fed up of waiting for a site to reload and press F5 a number of times?

Did you intend to bring it down? Was it obvious that your activity would bring the site down? If the answer to both is "No" then you're fine; this is how most laws work.

> And what about the (probably majority of) instances where the "attacker" is simply a person who unknowingly downloaded malware onto their computer to get free smileys or whatever?

Why are you even asking? If someone else commits a crime you're obviously not at fault...

Also, what was even supposedly wrong with the Swartz case? It was on solid ground both legally and morally, shame he never gave the courts a chance.[1]

[1]: Might as well expand on this a little so I don't get hidden by downvotes. I don't think Swartz deserved to go to prison, but given that he intentionally violated the law it's hard to argue that he shouldn't have been charged.


F5 is a special case here because it is the exact same action that a law-abiding person does. The reason I'm stressing the F5 case is because saying "Hey you pressed F5 with this motive, so you go to jail" is equivalent to thoughtcrime – you're being punished for your thoughts rather than your actions.

Now if someone is using tools specially built for DoS I don't have a problem with them being prosecuted.


> tools specially built for

That is also a problematic definition. I recall similar arguments being made against "nmap"; should we ban nmap, or criminalize its use? I also remember when Dan Farmer was fired for simply writing a security scanner (https://en.wikipedia.org/wiki/Security_Administrator_Tool_fo...), using the same reasoning.


If you figure out how to build a 600Gbps DDoS attack with Firefox, you are correct, that still qualifies as a DDoS and you can go to jail for it already. People have been tried in court for using Low Orbit Ion Cannon before, in a few extremely isolated instances. A DDoS is a DDoS, but intent is obviously important, and you do need to actually cause a problem for there to be a crime. I think clicking reload a couple times would be a stretch here for enforcement, perhaps it's possible but AFAICT it's not yet happened.

But we aren't talking about protest with a reload macro here, these are for-profit criminal botnets. And one of them just took down the largest DDoS mitigation network in the world. Which means there aren't many sites on earth left they can't take down. Much smaller attacks have nuked GitHub for days. Who's next to get "freedom of speeched"?


I think a better solution is to have ISPs work together to warn and cut off access to botnet-infected computers. They have the technical ability because they have strikes for copyright. Perhaps it could be a soft ban like an hour-long ban or something.

But if two billion people decide to stay at home and continuously press F5, you should get freedom of speeched. I think that's the equivalent of a picket line. Not talking about automated tools other than "refresh page every second".


"I will send DDOS for $xxx, send paypal to ###@example.com"

That's the extremely unpopular speech that you're proposing to censor. The instant you say "oh but that's different" because of the contents of the speech, you're interjecting your own opinion about that speech.

Which, actually, is fine, but don't play that off as not being speech.

At the level where Cloudflare's network isn't actually being used to send the DDOS attack itself, it's also still speech.

Cloudflare will close accounts when asked, backed by a court order. The problem is that on today's Internet that's nigh impossible, which realistically means it falls to Cloudflare to interject an opinion on what's good and bad, but so far they've avoided that as effectively as an ostrich burying its head in the sand, and so are effectively supporting many bad actors.


While I understand your position, the particular line you quote is not protected as 'free speech' because it's advertising to sell a criminal act for money ... I could be wrong.


Protecting unpopular organizations is taking a principled stand for free speech. Protecting people who profit from breaking people's web services is not.

"We don't take it down unless it's illegal" is a simple policy, but to be a good policy it needs judgment as well.


There's another comment that links to one of his posts about it (http://webcache.googleusercontent.com/search?q=cache:0uf9RIu...).


He might be referring to vDOS using Cloudflare: http://webcache.googleusercontent.com/search?q=cache:kaymYsb...


I have personally witnessed Akamai use strongarm tactics to "prove" you need their "protection" in such a ridiculously high profile instance that I am sure they have no shame.

If this is a CloudFlare Vs Akamai attack Krebs isn't saying, but I would put dollars to doughnuts it is.


While I'm open to believe you if true, you need proof, links to affected people giving details, etc... Not your personal anecdote that may or may not have happened the way you describe it.

Otherwise your post is merely an unsubstantiated personal attack against akamai.


I've talked about it before in lots of contexts and no one believes me anyway. Why bother?


Well, if you've never offered factual proof to back your "I've seen things" statement, that's not a surprise. If you've ever given proof to back it up, I would love the corresponding link.


Do you check your email?


I'm surprised that the Azure or Google Cloud teams aren't on top of this. They want tech people to pay attention to their stacks, why not host a high profile site like this to gain the respect of the industry?


I feel like Brian Krebs is a public good at this point. Would love to see Google foster a better web by hosting him!


They should, and get agreements with CDN's / ISP's to forego charges in case of a DDOS. If anyone could pioneer such an agreement, it would be Google.


You want them to push the idea that ISPs and other middle-men networks should not be dumb pipes, but charge different pricing depending on traffic type and intent?

Your comment may have the best of intentions, but that's how you take net neutrality out the window.


New way to get on google for free: make an AMP site. Until they start charging for that at least.


Considering they charge per GB of data transfer, even if your site survives the attack you'll get an amazingly expensive bill at the end of the month.


For both Google and Amazon the cheapest transfer you can have is 0.02 USD/GB, which in the case of such an attack gives 5.5k USD / hour, or 400k USD for three days of the attack.


That's for outgoing (egress) transfer. Incoming (ingress) transfer is free with both Google and Amazon, and a DDoS attack is mostly incoming.


Amazon's actual ELB IPs can handle relatively little traffic, "prewarming" is required in order to add more ELB instances--during a DDOS attack, you'll be overwhelmed almost instantly. Route 53 uses DNS round robin, which is trivial to bypass if you're planning on a DDOS attack (by targeting a specific IP). Google actually gives you an anycast IP, so they're a better option.

All that being said: the idea that only ingress traffic matters during a DDOS attack isn't quite right. If the connections are legitimate, you either need to be able to detect the attack attempts (requires expensive coordination and mitigation techniques, especially if the attack is much larger than what a single NIC can handle) or actually serve back the content (which will make your egress skyrocket).


You just have to make sure your infrastructure doesn't try to auto-scale up to actually handle all the traffic or suddenly you have thousands of high-powered instances to pay for...


There could be something like a DDoS insurance.


Insurance only works when you can get good coverage (lots of premiums being paid). Akamai and CloudFlare are DDoS insurance, and BK just got dropped.

You don't see insurance companies rushing in after a disaster, this is no different.


The enterprise doesn't care. It'd take a helluva event to get marketing behind such a stunt.


Akamai is probably way bigger than Cloudflare, so if they don't take a customer that got a 620Gb DDoS I doubt Cloudflare will.


I think the bigger issue was that he wasn't a customer (they provided the service pro bono), not that Akamai wouldn't keep a customer that got hit with such an attack.


Traditionally, journalists and celebrities getting freebies get /better/ service than regular paying customers.

I don't see why being pro bono would matter in an established company?


If you're under attack, try us out. We'll aim to surprise you in the most unsurprising and dull way possible, by keeping your site online throughout.


Cloudflare has this on their website: "600Gbps: Largest DDoS attack stopped" - https://www.cloudflare.com/under-attack-hotline/ But I suppose attacks may differ in other ways than Gbps.


If I remember what Cloudflare's article said, that 600Gbps attack was a reflection/amplification attack, which for them is likely easier to filter out than just large amounts of direct DDoS traffic, which is evidently what this was.


Shouldn't it be the job of the police to protect his web property? The police, or another government agency, protect citizens offline, why not online? Why do we have to rely on private entities for basic protection online? Time for an online fire department or something similar?


Not that I'm opposed to something like that, but depending on how big a target you are private security is already a must in the real world.


I'm pretty sure I've heard some people describe CERT/CSIRT centers as "web firemen".


Have things changed so much that Cloudflare has enough capacity to seriously contemplate handling something that Akamai could not handle?

You've gotta get the bandwidth to your filtering servers before you can filter it. DDoS mitigation, as I understand it, is first and foremost a matter of having more capacity than the attacker.


No, it's just that Akamai (probably) didn't want a "customer" that they were hosting pro bono to affect paying customers.


Yes.
