You're seriously comparing DDoS attack markets to doctors?
It takes an intense contortion of the concept of freedom of speech to apply it to this malicious and illegal activity. I guess under that logic it's also okay for a personnel security company to host (or hide behind their nginx server) a hitman-for-hire marketplace too, as long as they're not the ones doing the actual killing?
DDoS attacks (and their store fronts) are not about freedom of speech. They are, always and everywhere, about the suppression and censoring of speech through violence. Protecting them means that you are protecting violence.
But if you're adamant on this being free speech, fine. Where's the free speech criticism for Cloudflare shutting down those phishing and malware distribution sites? Why are DDoS attack sites magically different and deserving of freedom of speech protection?
Cloudflare will obviously respond to law enforcement requests of what the origin server is. Krebs is not law enforcement, and neither are other DDoSers. What is your problem?
Let's say I'm running a site. It gets DDoSed. Almost all of the booters are behind Cloudflare. How do I proceed here? Call the local police? Email abuse@fbi.gov?
Most people just panic and start paying Cloudflare for protection. Pretty much for the same reason that most people pay into protection rackets instead of reporting them to law enforcement, because they're afraid and their livelihood is at risk.
Cloudflare also has this wonderful policy of forwarding abuse reports (with information on who reported) to the booter site in question. You can imagine the consequences of that from what just happened to Krebs for doing reporting on them.
I'm not saying that Cloudflare or DDoS mitigation shouldn't exist. I'm saying that should not protect sites that are doing the attacks that they profit to defend against.
My point is the traffic isn't coming FROM CloudFlare. When you're attacked, there's no way of knowing who is attacking you. Your recourses are the same even if CloudFlare wasn't protecting the brochure/control panel websites of the services.
If you are being DDoSed. What do you do? Call the local police? Email abuse@fbi.gov?
It's not a "brochure", it's how they meet their customers and take payment from them for their attacks. It's how they make it so anyone in the world can launch a 100Gbps+ attack in 5 minutes for $20.
If you get DDoS attacked, you panic and look for expensive DDoS mitigation, or you go out of business. Legally, enforcement for the specific attacker is almost impossible. Cloudflare both knows this and benefits from protecting it. They realize that customer connection is critical to the system functioning and yet continue to defend it.
> Let's say I'm running a site. It gets DDoSed. Almost all of the booters are behind Cloudflare. How do I proceed here? Call the local police? Email abuse@fbi.gov?
With or without Cloudflare in the mix, how the heck would you go about making the connection between a flood of traffic from a large number of IPs, and any particular booter site? I don't understand how taking Cloudflare out of the mix helps you stop the DDoS.
As an aside, the FBI is indeed interested in investigating large DDoS attacks. Contact your local field office to see if yours qualifies! :-)
Cloudflare realizes that the status quo makes it hard to prove standing to sue, and that's a large part of what allows them to get away with it. But if you go to Google right now and search (https://www.google.com/#q=ddos+booter), you will find that basically all of them are behind Cloudflare. They have spent an enormous amount of time brainwashing Silicon Valley into thinking that this is a free speech argument (as evidenced by some of the absolutely ridiculous comments in here comparing DDoS attackers to unpopular speech protection or making absolutely shameless comparisons to whistleblowers like Aaron Swartz).
DDoS-for-sale sites are not "free speech sites", they are for-profit criminal organizations engaging in the violent censorship of people that are too poor to afford proper DDoS mitigation or that want to control the privacy of their users by managing the SSL certs.
The booters aren't usually as powerful as these 600Gbps+ monsters, but they're quite adequate to wreck almost any network for a long time (most IP transit hookups for racks are 10Gbps or less, these attacks can be well in excess of 100Gbps), requiring you to spend exorbitant amounts of money to protect your site against what are essentially bored high schoolers with a spare $20, your competitors, or whomever. That money is then dumped back into the system, allowing the attackers to build even more sophisticated and powerful infrastructure, leading to worse attacks like the ones we're now starting to see. Krebs was one of the people to document this trend, and now his site has been censored off the net by the same people he was writing about. Why is it so surprising to everyone that he's avoiding Cloudflare?
< . But if you go to Google right now and search (https://www.google.com/#q=ddos+booter), you will find that basically all of them are behind Cloudflare.
Search Google? So should Google be delisting these sites?
If you're getting DDoS'd right now, and you want to sue the booter that is doing it, how would you know which one to sue? Cloudflare obscures the origin IP because it's a reverse proxy. But even if you know the origin IP, that's not the IP the DDoS is going to be coming from. So how does one match up an attack with a specific booter website?
As I just mentioned, Cloudflare realizes that the status quo makes it hard to prove standing to sue them or to go after the attackers, and that's a large part of what allows them to get away with it. How is the FBI supposed to conduct an investigation here? They're not going to be able to get subpoenas for every single DDoS booter behind Cloudflare (one group has documented over 200 of them).
I recognize that it's impossible to eradicate the problem 100%, but by driving it underground, you can dramatically reduce the amount of it by making it harder for them to conduct their business. Cloudflare could do this in a day if they wanted to, instead they sit behind a "free speech" argument waiting for someone to force them to cut it out. Don't say I didn't warn you if the government comes in to change the liability laws to prevent this sort of behavior in the future. Nobody's going to defend DDoS spam packets from criminal botnets as "free speech" when they're preventing all speech from occurring.
At least in the US, "advocacy of the use of force" is not protected by the constitution if it is "directed to inciting or producing imminent lawless action" and is "likely to incite or produce such action". https://en.wikipedia.org/wiki/Brandenburg_v._Ohio
It takes an intense contortion of the concept of freedom of speech to apply it to this malicious and illegal activity. I guess under that logic it's also okay for a personnel security company to host (or hide behind their nginx server) a hitman-for-hire marketplace too, as long as they're not the ones doing the actual killing?
DDoS attacks (and their store fronts) are not about freedom of speech. They are, always and everywhere, about the suppression and censoring of speech through violence. Protecting them means that you are protecting violence.
But if you're adamant on this being free speech, fine. Where's the free speech criticism for Cloudflare shutting down those phishing and malware distribution sites? Why are DDoS attack sites magically different and deserving of freedom of speech protection?