Comment by chipperyman573
8 years ago
>Friendly reminder that Cloudflare willingly hosts the top DDoS-for-hire attack sites, and refuses to take them down when they are reported.
Why should CF be required to police the internet? CF doesn't even host them, they just protect their sites from DDoS and DNS.
Cloudflare has spent a lot of time gaslighting people into believing this, but it physically, scientifically, OSI model-y isn't true. Cloudflare hosts web sites. When Cloudflare CDN edges that content, that content exists on their servers. Just because the canonical store is on another machine doesn't mean they don't host the site. If I mirror a site from some other server, and you're loading that site from my server, I'm the one hosting that site. That's how HTTP works.
The argument that they don't know what's hosted on their network has also been demonstrated by evidence as nonsense. The reason the Pirate Bay got blackholed by Cogent last week was because Cloudflare was grouping all of the BitTorrent sites on their network onto a single IP address, and a Spanish court order related to a different site ended up BGP blackholing over two dozen torrent-related sites as collateral damage.
http://seclists.org/nanog/2016/Jul/400 https://mailman.nanog.org/pipermail/nanog/2017-February/thre...
Cloudflare is completely capable of enforcing this, yet they don't do anything about it. It benefits them financially to not do anything, because they get business from these DDoS attackers trashing other networks on the internet, making it so you can only have sites stay up if they are hosted by Cloudflare's broken, bleeding servers.
This is fundamentally an extortion racket. Frankly, it should be a crime. This is exactly the kind of problem laws exist for.
It's not the responsibility of anyone except the police to police those sites. Cloudflare aren't providing those attack sites with an attack vector, they are just serving their webpages. The post office isn't responsible for policing blackmail letters sent through the mail.
The theory that Cloudflare only enforces against sites they receive court orders for is yet another argument that is not backed by evidence. They actively take down phishing attacks, without warrants or court orders. Presumably because if they didn't, Google would shitlist them in pagerank. They behave responsibly and morally when it benefits them financially, and tell everyone they need court orders when it doesn't, even if that decision hurts the web.
It is everyone's responsibility to be responsible members of the internet community. Just because they've found a temporary legal loophole does not give them a moral blank check to be complicit in the murder of the Internet's ability to function.
But it sounds like in the absence of laws, you want private companies deciding what is allowed to be on the internet.
If you really want there to be a nightmare situation where private companies decide what gets to be a web site, just let Cloudflare keep doing this. You'll be left with a centralized internet run by 3 US-based CDN companies that only supports HTTP.
But yes, I absolutely do want private companies to make decisions like this. If Google didn't do this constantly, my search results would be a bunch of spam, scams and phishing attacks.
Requiring the police to get involved every time something bad happens (like a new phishing site) would be the end of the functioning internet and of our ability to enforce laws. Internet tech companies are absolutely expected to behave responsibly on a private level, and are given a lot of legal leeway on the assumption by the government that they will.
"CF doesn't even host them, they just protect their sites from DDoS and DNS."
The #1 excuse people use. They do more than just DNS, they deliver the actual data, that would have been delivered by the original host, to visitors. So I'd consider them hosting an automatically updated mirror, and as bad as the original host.
Related story:
I used to use Cloudflare for DNS, but I left because I was becoming uncomfortable with their policy regarding DDoS attack sites. We run our own Anycast CDN now for the HTTP, but I didn't want to have to deal with the DNS servers so I outsourced it to DNSimple.
Turns out that DNSimple, unbeknownst to me, started using Cloudflare's DNS servers under the hood. They were getting attacked by the DDoS attack sites Cloudflare hosts and it was threatening the service. I figured this out by doing a lookup of their nameserver IPs.
So my attempt to get away from using Cloudflare has meant that I'm just right back on Cloudflare's servers, again.
This is an insidious cycle that will not end well for the internet, or for our freedom on it. The internet will not be decentralized anymore if the entire thing sits on Cloudflare and depends on Cloudflare to function. Cloudbleed is a canary in the coalmine.
Note that if Cloudflare didn't have the content of those sites and their requests in memory this couldn't have happened.