Comment by mattbee
8 years ago
Cloudflare isn't just a security hole in the middle of the internet, they're a protection racket.
If you wanted to pay to DDoS a site, search for "booter" and you'll get a list of sites that will take another site off the internet for money with a flood of traffic.
quezstresser.com webstresser.co topbooter.co instabooter.com booter.xyz critical-boot.com top10booters.com betabooter.com databooter.com
etc. etc. - from the first 30 results I could find 2 booter sites that weren't hosted by Cloudflare.
But hey, pay Cloudflare and your site too can be safe from DDoS attacks...
In what way is this a protection racket? That's sort of like complaining that mob-owned businesses enjoy the same police & fire protection that all other businesses have.
Cloudflare sells protection from the internet attacks through its network. The same company and network facilitates the organisation of those same attacks, and helps keep them anonymous.
That's a high-tech protection racket.
I get this argument. I have made it in the past.
But CF doesn't want to play Internet cop. Everyone who manages a service gets a constant barrage of "someone using your site did something offensive, I want you to kick them off your service!"
CF has decided they are just not going to play the game, at all. Because once they start, then all the piranha come to feast.
I'm not saying this means they aren't a racket, which is charging people money to solve a problem you made. But they do have some good reasons for simply refusing to censor what they offer.
12 replies →
Most of those booters are on their free tier, so it's a bit hard to argue it's a racket.
If you want to claim it's unethical... maybe. But if you think about it from their position, it could genuinely get into a slippery slope if you start policing what services you're reverse proxying. Especially considering the rate they're growing now.
Think of it this way: should Google be compelled to remove all search results for all booters and other malware-related services? It's asking a lot.
2 replies →
It's not a racket. Refusing to police their own customers, and having customers that do bad things that CloudFlare incidentally helps protect against, does not make it a racket.
In a protection racket (or more accurately an extortion racket), businesses that don't pay up will get attacked by the racketeers, and so for the most part paying up just means the racketeer won't attack them. That doesn't even remotely describe CloudFlare. Whether or not you pay for CloudFlare doesn't affect whether some other customer of CloudFlare attacks you. And the fact that those other customers are using CloudFlare themselves does not make CloudFlare responsible for their actions.
Another implication: they could be using their access to these sites' traffic to prepare their own infrastructure for attacks before they happen.
There's nothing about their hosting of these sites that doesn't reek.
That is how DDOS protection works, learning from data and scale to better defend future attacks. Every large network and security operator does this. What is your issue with that exactly?
I don't mean they are learning from observing attack traffic, they have access to the command and control traffic.
That means they could know about an attack before it happens.
They could know how long it will last, who the target will be, and what volume of traffic to expect.
They could know who had ordered it, who had paid for it.
They. Also. Sell. Protection.
To call the situation deeply conflicting is an understatement.
Given that the whole class of operators seem somewhat shady, I imagine that sometimes they would need to fend off attacks from competition services. In that case, being on a free DDoS protection plan seems like a reasonable thing to do (from their point of view). As long as they're not initiating the DDoS via Cloudflare, I'm not sure how that would be unreasonable of CF's part, given that I assume it's all automated and nobody ever looks at what sites have signed up.
I don't like CF for their fishy SSL architecture, the increased centralization of internet traffic, and the constant captchas when using tor, but the DDoS protection part (regardless to what sort of people they're providing service for) seems fine.
I don't really understand your point. In 2012 I was working on a startup that was DDoS'd and it was not fun. This was back before Cloudflare offered a DDoS service and we ended up having to hire a random company in Canada to help get us back online. At the time there were surprisingly few people out there offering DDoS mitigation. Cloudflare wanted to help us but they were still in early development for their service, but I remember them being good guys. What's wrong with providing a service to help fight the bad guys?
He is pointing out that cloudflare is also hosting the DDOS sites.
Those are sites that you can go to to pay for a DDOS.
So they are taking money from the people who you are paying them to defend you against.
The problem comes from the conflict of interest when you're also hosting the bad guys
It's the same stance that antivirus developers have always had, more or less. As usual, the difference between blackhat and whitehat is very, very thin - if there is a difference at all.
Be careful posting random domains.HN might flag/throttle your account for spamming.happened to one of my accounts.
That's rare but possible. If you weren't spamming, I'm sorry. Let us know at hn@ycombinator.com and we'll fix it.
Thanks for the reply. it has been a while and i don't even remember the username of that account.it wasn't that important to me (plus, a relatively new account) so i didn't bother contacting HN.
By the same logic, the search engine you used to find those sites is also a "protection racket".
Really? That search engine sells DDOS protection?
Sure. I just searched for "ddos stresser" on three different search engines. The first 1-3 results were ads for Cloudflare and similar services, followed by organic results for several of the sites mentioned above. One could make the same dubious argument that it's a protection racket (free exposure for the "bad guys" while profiting from mitigation).
You are essentially arguing against freedom of speech. Cloudflare will protect any site that doesn't host child porn. Yes that includes things which you don't like, but it also includes all the things you do.
> Cloudflare will protect any site that doesn't host child porn
Doesn't that make it worse? They aren't saying they don't or won't police the content they protect. They are obviously capable and willing to draw a line on ethical or legal grounds, if they have done so in that case. They have just chosen to draw that line on one side of porn but another side of DDoS services.
Ultimately it is their decision to make, but I don't think it's unfair for people to question possible conflicts of interest in how that decision is made.
Why are you combining legal and ethical? They're capable and willing to draw a line on legal grounds. Seems pretty clear.
1 reply →
I ... didn't say any of that.
DDoS attacks are the ultimate form of censorship.
You don't understand what freedom of speech actually means.