[grey-area]

I could post more, but why bother?

The krebs story was interesting thanks, the forum posts less so. I understand why cloudflare are reluctant to start rejecting customers based on content, but surely it's illegal to sell DDOS services? Perhaps they should change their TOS to exclude any sites which sell attack tools/services, because it looks really bad for them to be protecting sites that promote DDOS, which then provides them with repeat business.

Are there still sites up protected by cloudflare which promote this sort of activity?

[PeterisP]

Sell service of running a DDoS for you? Probably illegal.

Selling attack tools, however, is explicitly legal in most places, it's just software just as a port-scanning tool, DeCSS or zero-day vulnerability data.

"Promoting this sort of activity" again is free speech issue, no matter what "that sort" is. For example, there are posts right here in HN that "promote this sort of activity", and it would be ridiculous if having such content is even close to allowing someone to take down a server.

In short, unless the actual site is performing illegal activities (implementing the DDoS or uploading childporn&stuff), I'd say that they're correct in explicitly ignoring whatever else the site is doing.

[grey-area]

Sorry, promote was a poor choice of words, I meant offer illegal services, not just talking about it or promoting it. I believe DDOS is illegal in many jurisdictions, and offering it for money more so. The allegation in the krebs article is:

a great many of today’s DDoS attacks are being launched or coordinated by the same individuals who are running DDoS-for-hire services (a.k.a “booters”) which are hiding behind Cloudflare’s own free cloud protection services.

I don't see Matthew Prince's post quoted above as a satisfactory response to this. This is morally and legally shady because cloudflare directly profit from the continued existence of DDOS, so they should be very careful to offer not a shred of evidence that they currently support people who carry out DDOS IMO, it would just be good business and current customers are going to get restless if they find cloudflare protects DDOS sites knowingly.

They've obviously taken a different stance (based on not wanting to filter customers on content), which I'm sympathetic to, but if the content is illegal and directly benefits them by facilitating more DDOS attacks, that equation changes.

[devicenull]

Yea. They don't really bother to take them down. Their logic is that the attack traffic isn't technically leaving via their network, so it's not their problem. Take a look at whois for the domains in that last forum link. Two of those domains are still pointed at cloudflare nameservers.

I'm sure there's tons more, but why bother compiling a list when nothing will change. If you're curious, a good place to look would be the hackforums 'DDOS as a service' section. I bet a lot of the active ones would go to cloudflare.