by echochamber1
3747 days ago
If you're using CloudFlare to protect your site against DDoS, you're essentially participating as part of a passive protection racket.

"That's a pretty bold claim," you may reasonably contend. Here are the facts:

- A very large proportion (I would conservatively estimate >50%) of DDoS-for-hire sites are hosted on CloudFlare. I couldn't find a comprehensive survey of all attack service providers, but in a recent sample[1], 100% of the services were protected by CloudFlare.
- CloudFlare will not discontinue service for customers offering DDoS-for-hire services unless you are the police and bring them a court order [2].
- If you are not the police and submit a report of someone operating an illegal service behind CloudFlare, they will forward your report, unredacted, to the owner of the IP range. They will not tell you who owns it prior to forwarding the report. It is highly likely that your identifying information will be passed to the (anonymous) individual operating the attack service and that their (likely bulletproof) hosting provider will do absolutely nothing.

"Why do all of these services use CloudFlare?", you ask. One simple reason: before CloudFlare, the market of DDoS-for-hire services was somewhat self-regulating via all of the providers DDoSing each other. Since the advent of CloudFlare, though, many have used its protection to avoid attacks from the others, which has led to an increase in DDoS-for-hire services and a reduction in prices as they attempt to compete with each other. CloudFlare providing DDoS protection to these DDoS-for-hire sites therefore effectively increases the supply of such services.

On top of that, "just use CloudFlare like everyone else" doesn't work for everyone -- people who don't easily fit into CloudFlare's plans (particularly people offering services via protocols other than HTTP/HTTPS) can't use it at all, while some others have to pay for a higher tier of service.

It sounds pretty convenient for CloudFlare that all of these DDoS services are around (and cheap to use), doesn't it?

Further reading: http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...

[1]: http://arxiv.org/abs/1508.03410
[2]: https://blog.cloudflare.com/thoughts-on-abuse/