by jwitthuhn 34 days ago
"Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks.

This whole article seems to conflate hosting an informational site run by the attackers and hosting the attack itself.


In The Before Times, there were very few problematic DDOS operations because... they would all DDOS one another offline. Websites, control infrastructure, anything.

DDOS protection services were provided by companies like Akamai; call for pricing, big companies only, absolutely no anonymous sign-ups.

Cloudflare revolutionised the industry by providing free DDOS protection to anyone, including DDOS-for-hire services. Preventing them from DDOSing one another offline really let the DDOS industry take flight.

It's been a well known story around Cloudflare from the beginning that they protect booters and other cybercrime actors just like any other (paying or non-paying) customer.

If you report the DDoS-for-hire actors that offer their services on forums where such things are offered openly, they reply with a template that freely interpreted says something along the lines that they can do nothing and who is a criminal is .. like, just your opinion, man (checks notes) they say here they are a legit load tester operation, so nothing really we can do.

You can say they entered the scene because DDoS exploded in popularity, but you could just as easily make the argument it was the other way around. Make of that what you will but they sure made a lot of money from the same booters they protect their customers from.

So "big companies only, absolutely no anonymous sign-ups" should be the only ones able to put stuff on the internet without fearing that a random teenager can take your site offline for days just because they're bored?
No. Nobody said that.

Cloudflare should simply enforce basic rules, like "don't run a cybercrime storefront", rather than letting criminal operations like this proliferate.

How? Their sign-up flow would have to change dramatically. It might even become a process that is internally "expensive". There is likely one or more managers in charge of this decision and they don't want it. Additionally the current universe rewards the current situation (for them).
This is called KYC and is a standard part of operating a financial service. Seems to me like it should be part of internet infrastructure services as well. And, I thought, in some cases already is?
... and financial services companies huge and small still go out of their way to help their clients move money around in a myriad of ways, because it's very lucrative and there are so many loopholes and ways to obscure things. Offloading the responsibilities of law enforcement and regulatory bodies to private companies makes things worse for everybody. Providing non-crime services to criminals should not be a crime any more than selling a candy bar to a criminal is. As long as you aren't actively aiding or covering up for a crime, not reporting criminal activity is not even a crime in many areas, and if KYC can effectively identify criminals, law enforcement should be able to do it themselves.
KYC is useless as a regular user. I hope it never infects industries outside the financial system.

Why care about them hosting an info page for anyone? Cyber criminals supposedly can host it a billion other ways so why care?

Plausible deniability is all they really need. Asking companies not to make money in very likely to be legal ways will never work. If these people are really doing illegal business in plain sight it should be easy for law enforcement to catch them.
The danger with this is that you're asking cloudflare to know more about you and your website and to be more ready to take websites offline. That's a monkey paw if I've ever seen one.
Seems like they could use Tor onion sites just as easily tbh.
Why don't they?
Good question—they should?

Or maybe not, I’d rather have more Tor sites that aren’t questionable content. It’s a great tool for hosting even personal sites if you appreciate privacy and resilient infrastructure.

(The great thing, though, is nobody can prevent you, or anyone, from hosting your site there.)

Why didn't those companies use Telegram?
You mean if CloudFlare didn’t protect DDOSers, CloudFlare wouldn’t be able to provide as much service to the victims?
I have no insight into this particular case/incident, but I do have to deal with a lot of http traffic management, and I've lately been seeing Cloudflare IPs show up a lot more often in my logs for probes and nuisances, and not because the traffic is being proxied (or at least, it doesn't have the CF-Connecting-Ip header).

Used for these attacks, dunno, used for some attacks, yes. (But CF still remains a much less frequent nuisance than pretty much any other infrastructure provider.)

One of the types of services Cloudflare provides goes by the name "Warp". Calling it a VPN is only wrong in ways that don't really matter — it has the effect of causing client traffic to appear to originate from a different IP address to the one they're notionally connected to the Internet via.
I also found this confusing. And given how thorough and precise the author was with other elements, it seems like a deliberate gloss.
Yes, agreed these are very different things. Also I'm not really sure the argument holds, there are plenty of AWS Command and Control hosted servers and AWS victims, is AWS to blame or blackmailing? The answer is a large no.
AWS does have an abuse department though, and if you're in that space, you can send them abuse reports and they'll do something about that.
Linux users and FUD. Name a more iconic duo