This whole article seems conflate hosting an informational site run by the attackers and hosting the attack itself.
Used for these attacks, dunno, used for some attacks, yes. (But CF still remains a much less frequent nuisance than pretty much any other infrastructure provider.)
DDOS protection services were provided by companies like Akamai; call for pricing, big companies only, absolutely no anonymous sign-ups.
Cloudflare revolutionised the industry by providing free DDOS protection to anyone, including DDOS-for-hire services. Preventing them from DDOSing one another offline really let the DDOS industry take flight.
Cloudflare should simply enforce basic rules, like "don't run a cybercrime storefront", rather than letting criminal operations like this proliferate.
if they start sticking their fingers into sites and determining whether the site's content is "appropriate" or whatever, based on some sort of nebulous set of criteria, people will get (justifiably) big mad about it, guaranteed.
the "renting attack capacity [from cloudflare]" should have some evidence behind it, because as far as i am aware, the attackers are not using cloudflare infrastructure for the actual attack.
(its really jarring to see the general sentiment on this submission vs. the general sentiment on google submissions)
edit: and here it is straight from their TOS
https://www.cloudflare.com/en-ca/website-terms/
"7. PROHIBITED USES
As a condition of your use of the Websites and Online Services, you will not use the Websites or Online Services for any purpose that is unlawful or prohibited by these Terms. You may not use the Websites or Online Services in any manner that could damage, disable, overburden, disrupt or impair any Cloudflare servers or APIs, or any networks connected to any Cloudflare server or APIs, or that could interfere with any other party's use and enjoyment of any Websites or Online Services. You may not transmit any viruses, worms, defects, Trojan horses, or any items of a destructive nature through your use of Websites or Online Services. You may not exceed or circumvent, or try to exceed or circumvent, limitations on the Websites or Online Services, including on any API calls, or otherwise use the Websites or Online Services in a manner that violates any Cloudflare documentation or user manuals. You may not attempt to gain unauthorized access to any Websites or Online Services, other accounts, computer systems, or networks connected to any Cloudflare server or to any of the Websites or Online Services through hacking, password mining, or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Websites or Online Services. You may not to use the Websites or Online Services in any way that violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries).
Cloudflare retains the right (but not the obligation) to block content from its Distributed Web Gateway that Cloudflare determines (in its sole discretion) to be illegal, harmful, or in violation of these Terms. For these purposes, illegal or harmful content includes but is not limited to: (a) content containing, promoting, or facilitating child sexual exploitation and abuse or human trafficking; (b) content that infringes on another person’s intellectual property rights or is otherwise unlawful; (c) content that discloses sensitive personal information, incites or exploits violence, or is intended to defraud the public; and (d) content that seeks to distribute malware, facilitate phishing, or otherwise constitutes technical abuse."
in any case, its not a question of whether cloudflare can remove a website. of course they can, for whatever reason they want.
its a question of whether we want to be in a world where cloudflare starts making content-based decisions on website hosting. most people probably dont want that.
"You may not use the services to attack our infrastructure. You may use the services to advertise and charge for attacking our infrastructure".
if a police investigation turns up that X DDoS is linked to Y advertising site, the police should then submit a lawful takedown request, which cloudflare will oblige.
La Liga sued Cloudflare in Spanish court and won. Cloudflare now starts taking down content that directly violates La Ligas copyright, but mainly only in Spain. It looks like Cloudflare will happily still serve the exact same content outside of Spain.
In response to these court rulings, the got the US government involved and now there is talk of this being a digital trade barrier.
https://www.courthousenews.com/spanish-soccer-league-battles...
you are misunderstanding me, but im not sure if you are doing it on purpose.
if they receive a lawful order of course they should oblige. and without a lawful order they should not make content-based decisions on what to host.
>The mental loops people in these comments are using to support criminals is truly mind blowing.
this is a complete mischaracterization of what i am saying. and implying that i am... astroturfing for ddos? plain offensive.
i just dont want cloudflare ai-scanning my blog, seeing the word "DDoS" because i am in networking, and proactively removing my site from the internet.
You are ignorant of the law. You cannot host user content without being required to police it for at a minimum things like child porn.
But this is also not a remotely ambiguous case. Any normal service would instantly terminate a client account if the client is blatantly and openly advertising their service to disrupt the business. This is not some "slippery slope grey area" where maybe they are breaking the law but who knows. They have a website that says "Here is our service to disrupt cloudflare." It's as black and white as you can get and any normal service would instantly terminate them as soon as they became aware.
yes, child sexual abuse material is covered by law, i.e. they already have a lawful obligation for that thus do not require a separate lawful order.
the issue is around arbitrary content-policing, where the decision is made by cloudflare rather than the legal apparatus.
having a website that says you do ddos for hire is not illegal. (doing the ddos is the illegal part. but that was not done with cloudflare infrastructure = cloudflare should not be involved unless they receive a lawful order).
i am going to choose to ignore your additional mischaracterizations and insults. it would super cool of you to stop calling me ignorant, an astroturfer for ddos, etc. over a simple disagreement.
That 18 USC 2 and 371 apply to the CFAA, too. What are those? Accomplice liability, which has been considered to include aiding and abetting. Hosting (and protecting, by virtue of your product) computer crime organizations could quite plausibly be rolled into accomplice liability.
if what you were saying was at all a plausible legal interpretation, it would have been brought to light over the last 16 years of lawsuits cloudflare has been involved in. or it would have been brought up by their literal room full of (actual) on-staff lawyers.
aiding and abetting requires knowledge of the crime and intent to facilitate it. cloudflare has neither.
I don’t see how cloudflare could have prevented this at all. Even if they took down the info site of the attackers they could just host it on GitHub pages, or a million other free static site hosters.
Zero evidence that cloudflare actually enabled the attack itself from what I can tell.
Cloudflare's core thing OTOH is to hide who I could be sending an abuse report to,
Possibly they will forward it ( more likely not) , but they will include my personal information in a report to an entity that is unknown to me, who are likely criminals, exposing me to danger.
They already pick and choose. They have not decided to sit outside of it. Any claim about them not getting involved should be read as tacit approval. Because we know they will drop users they sufficiently disapprove of.
Could Cloudflare be more proactive or add more friction to their signups? Yes, probably, but the reasons they have outlined for not playing internet police make sense to me.
I don't think it should be a requirement to provide your credit card, phone number and a copy of your ID in order to host content on the internet...
Cloudflare spent a bunch of venture capital to give away expensive things for free and buy market share. If you convince all the grocery stores to move to your island, you can operate a den of criminal activity with no fear of everyone else shunning you.
Talk to anyone who fights botnets, malware, or online scams. Once you hit the Cloudflare dead end you just have to give up. Law enforcement isn't going to take up a case where only 7,000 peoples computers are infected, and Cloudflare isn't going to investigate and take action themselves.
I’ve hosted content online for decades and never once talked to cloudflare.
In a normal scenario, if you want to protect your systems from other "bad" systems on the internet, you can block them on the IP layer.
But Cloudflare operates at the IP layer proxying data between you and good and bad (and everything in between) systems.
In a normal situation you could block and report a site that is run by the the mob, by either blocking them at the IP level or by contacting the abuse@ of the organization that is hosting the content.
Cloudflare is making it so that you can't do either. And if you send an abuse report to Cloudflare, you cannot be sure that they will not just forward your contact information directly to the entity that you are complaining about. They have changed their stance over the years to appear more responsible, but the fact remains:
If I want to send an abuse@ report to a system that is hidden behind Cloudflare I can not be sure that they won't just forward it without me knowing who they are forwarding it to.
> Why is Cloudflare protecting the DDoS'er (beamed.st) attacking Ubuntu servers?
Ddos protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDos protector service is on?
I do agree with your comment. But obviously Cloudflare didn't invent DDoS. If Cloudflare just magically disappears tomorrow, the AI crawlers won't stop. So what's the alternative? It's not a world you need to upload a government-issued ID to browse the internet, right? ...right?
How can we do that, if we would like to preserve relative anonymity and global nature of the internet?
People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. DDoS protection is done by primarily having too much capacity to tank it and then filter it. The required investment is rather high.
This is a fascinating idea. Is this something anyone is working on?
Similarly, BitTorrent does roughly the same once the peer relationships are established.
[1]: https://blog.cloudflare.com/why-we-terminated-daily-stormer/
There might be somewhat of a tangential story, however, in that Njalla seems to have reorganized or changed ownership fairly recently[1], and that Njalla and immateriali.sm seem to be related entities[2]
https://xn--gckvb8fzb.com/njalla-has-silently-changed-a-word... https://www.wipo.int/amc/en/domains/decisions/pdf/2026/dio20...
All the faceshops I have reporeted to cloudflare, all these phising pages behind cloudflare I reported, never came down.
None of them.
For a company making billions, protecting people, they should take this stuff serious.
Cloudflare actively removes your ability to decide for yourself which websites and systems you want to connect to by obscuring their sources.
Without Cloudflare I could decide for myself that I want to block certain networks to connect to my networks.
Cloudflare hiding the origin of these networks along with it's size in the market make Cloudflare exactly that huge organization.
On Ubuntu copy.fail could be mitigated against with some modprobe(8) config tweaks:
# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# rmmod algif_aead
Our users didn't feel a thing when we rolled out the patches.
In your scenario Cloudflare is more like a newspaper aggregator which carries all sort filth along with it's normal commentary.
If this was a normal situation one could just decide not to read some filthy newspapers, while letting those who want to read it make that decision for themselves.
But in the Cloudflare scenario all the major relevant normal newspapers decided to publish all their content through Cloudflare and if something objectionable is published along with it, instead of taking your beef to the original publisher, you have to to take it up with Cloudflare who might just forward your details to some very unsavory people without you having a chance to know beforehand.
But if you tell UPS someone is using them to send bombs to people, and they don't act on it in the least and even look like they are shielding bomb senders, then it starts being their fault a little bit, doesn't it?
This is more like a firearms dealer selling a gun to someone after they put their intended usage as “robbing banks” in the ATF form
Yet Meta and Twitter are doing fine, while this has happened.
Water was kinda intentional extreme end. Is there a line? Where is the line? Giving food for someone before they make a murder can give you much bigger jailtime than not giving it, and then just ignoring the knowledge that they are going to make a murder. It is not what you do but the act itself.
An example that makes it more clear: "by that logic it's my fault that i was robbed for leaving the door to my house unlocked."
No, it's the robber's fault you were robbed. The robbery is the illegal part. It is not illegal to leave a door unlocked. Back to your train wreck of an example: it is not illegal to sell keyboards, and it is not illegal to provide water to people. Extortion is illegal. Denial of Service attacks are illegal.
That's where the line is. It is the border between legal and illegal.
They sold services to two customers, one of whom did a crime independent of cloudflare.
If a robber sees Bob buy a bunch of expensive electronics at WalMart, and then buys a crowbar and robs him, is WalMart somehow responsible for the robbery?
Yes, if Walmart somehow knew robber’s intentions, but sold anyway. That is the primary question actually. Was the intent or act known or not.
With the horror stories heard over the years I think a real issue is no hard pricing cap with forced shutdown.
Unless that's changed? I booted them a year ago..
Pretty much anyone can get onto the free tier for Cloudflare. The fact that someone is, doesn't mean that there is a business relationship with Cloudflare. There isn't.
In order to make this business model work, Cloudflare does essentially no due diligence. Getting onto the free tier before you need it, is cheap. And then if you really need them, you have every reason to start paying.
Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. They wouldn't have a business if they made that a viable target!
But the result of these business decisions, made for their main customer acquisition flow, makes them a tempting place to host malicious content, as well as good. Black hats make a sport out of taking each other out. And so have every reason to use Cloudflare.
Still doesn't indicate a relationship between Cloudflare and the bad actors who are taking advantage of the setup.
I don't think that argument holds water. There's a world of difference between knocking a site offline with a DDoS and making a legal request which results in a hosting provider shutting it down.
If a third party takedown system is poorly implemented (and it's pretty hard to create a balanced takedown system at scale), it may become more effective to abuse it instead of using DDoS.
I find a similar pattern to Meta's scammer ads.
Huge publicly traded companies benefitting from the illegal actions of their clients, turning a blind eye, or conveniently delaying their takedowns.
Big companies need to absorb the liability of small companies, otherwise you get this delegated Sybil Good bank/Bad bank attack
A more basic middle ground would be making the company liable for the damages (civil court not criminal).
Victims can't file a subpoena to get account details?
If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.
If you refused to tell some random person who asked? No, you wouldn’t. If you refused to respond to a legal authority—a court-issued subpoena, for example—then there would be consequences.
As far as cloudflare is concerned you’re just a random person asking. They have no legal obligation to provide you with information.
That assumes of course that like Cloudflare you were hosting a web page and not the actual illegal activity, and were following the laws around hosting things.
So ICANN is complicit too? After all, if we adopt your interpretation, in some way ICANN is also turning an blind eye, both to what cloudflare is supposedly doing and also to what the domain registrars are doing.
Maybe there is a point to be made about monopoly power in hosting and ddos protection. I don't really see how this blog post, or labelling it blackmail, help make that point.
The best IP Stresser service since 2022.
WTF does it really mean?