by EdwardDiego 1384 days ago
So he ran a DDoS network that wasn't behind Cloudflare, but used Cloudflare to stop his website being DDoSed by competitors, and this means Cloudflare was helping him DDoS others?

No, it means Cloudflare was helping keep his website up, in a neutral manner.

In other words, exactly what Cloudflare have stated their policy is.

Now if Cloudflare allowed him to run DDoS code on its Workers, then yes, that's Cloudflare helping him.

Very false equivalence.


> No, it means Cloudflare was helping keep his website up, in a neutral manner.

I think it's more subtle than that. It was keeping his website up to make a profit. It benefits Cloudflare to have powerful, well-run bot networks out there ready to take out any site which does not have Cloudflare's protection.

Yeah, it's a neutral manner on one level, but at a higher level it's a bit more nuanced.

I feel like that's assuming a lot about Cloudflare - what evidence is there of such Machiavellian manoeuvres on their behalf?

Would it be impossible to run DDoS as a service for profit without Cloudflare? People were doing fine at just that before Cloudflare ever existed.

> Would it be impossible to run DDoS as a service for profit without Cloudflare?

Quite frankly, yes. Before CloudFlare won the race to the bottom, you'd have to front thousands of dollars per month for bulletproof DDoS shielded hosting to get started.

There is a finite amount of DDoS-for-hire business that used to keep itself in check because they were constantly throwing attacks at each other, raising everyone's "cost of goods sold" so to speak. By protecting these providers' shops and ignoring abuse complaints, CloudFlare helps more of them stay in business, increasing the frequency and size of attacks needing to be mitigated.

I do not believe CloudFlare really thought this out. I believe it was a happy accident.

> Before CloudFlare won the race to the bottom, you'd have to front thousands of dollars per month for bulletproof DDoS shielded hosting to get started.

Before Cloudflare there was decent DDoS protected hosting available for low hundreds of dollars per month, you didn’t have to pay Prolexic.

Cheers :) Happy accident makes a lot more sense than "deliberate policy".

These defenses of Cloudflare's behavior are getting very silly. Is there anything that Cloudflare could protect that you wouldn't be OK with? Because a DDoS-for-hire service is illegal, unethical, and contradictory of Cloudflare's stance that "cyberattacks, in any form, should be relegated to the dustbin of history."[1] Most importantly, it should be obvious to anyone that a company that has a purported goal of protecting its customers from some harm should not also be attempting to facilitate that same harm.

[1] https://blog.cloudflare.com/cloudflares-abuse-policies-and-a...

I don't really give two hoots about Cloudflare, I just don't like false statements, like when "Cloudflare helped me run a DDoS network" actually means "Cloudflare kept my website from being DDoSed", with the addendum "and I'm bad, therefore, not protecting KiwiFarms is hypocritical."

It's just dumb.

It is like renting a storefront in a mall and selling goods stolen from other shops in the mall. What the storefront is doing is illegal, and offering them free rent hurts the other legitimate shop owners in the mall.

To extend the analogy, the mall also refuses to tell the other store owners who owns the shop so they can take legal action. (Cloudflare quite famously will just forward your complaints about hosting illegal services to the service themselves)

You have admitted in your earlier comment that "Cloudflare was helping keep his website up." You are saying that "Cloudflare helped keep his website up" does not logically imply "Cloudflare helped me run a DDoS network".

Even if you genuinely believe that, how are you confident enough that people generally share your interpretation of what constitutes help to call the statement in question "false"?

Following this, their ISP, their electric company, their server hosting location, and presumably their government (with their monopoly on violence) also helped them run a DDoS network.

What's next, is the landscaper helping run the DDoS network because they cut the grass outside so people can access the building better?

The most important factor to consider here is knowledge.

If it is the case that Cloudflare provided services to this website with full knowledge that it was a DDoS-for-hire service, which seems likely, this would significantly increase their culpability. This may also apply to the server host, if the server host directly worked with them.

I find it difficult to believe that the ISP, electric company, or government knew of the actions that this DDoS service was taking, and how their own actions benefitted them, since these entities are so far removed from the DDoS service. But if they did have knowledge of what was happening, of course they would be culpable to some extent.

I also disagree with the implication that we have to make a black-and-white judgment of "they helped" or "they didn't help". Depending on the extent of involvement, a third party can have varying levels of culpability in the DDoS service's actions.

> with the addendum "and I'm bad, therefore, not protecting KiwiFarms is hypocritical."

That is not how I read it at all; I didn't read a strong conclusion in the article one way or the other, but if anything I would say it's "if you kicked off KiwiFarms, then why not all the DDoS services?"

But most of all, I think it's a nice example of how "being neutral" is actually quite tricky around the edges.

> with the addendum "and I'm bad, therefore, not protecting KiwiFarms is hypocritical."

Is that the takeaway people have from this article? My reading wasn't that the author is advocating that Kiwi Farms should have been left up. They're asking for DDoS sites to be added to the ban list.

The "hypocrisy" that they keep bringing up is Cloudflare's claim that inaction in these instances is a neutral stance, and that in actuality Cloudflare is an active participant in helping these sites stay online.

It could be argued that the website was an integral part of the operation, presumably for getting clients, or advertising the services. Even if the website itself or Cloudflare don't do the DDoS themselves, it's still something that's presumably important.

This kind of pedantic reasoning could be applied to any forum: the forum software doesn't do any active harm to anyone. It "only" serves to coordinate the bad actors.

Just like the DDoS site does. So, how is it different?