[jessaustin]

If Cloudflare kicked accused DDOS-for-hires, the first step in any DDOS campaign would become "accuse target of being DDOS-for-hire". That wouldn't actually be a step forward for DDOS victims who use Cloudflare, because then they would have to provide human input to some sort of appeal process ASAP, rather than Cloudflare just working automatically to thwart an attack.

[pktgen]

An accusation should not be sufficient, obviously. Why can't CloudFlare take abuse complaints, verify and take action based on that?

In fact, this is precisely what they've done in the past, though they'd only provide the host details rather than stopping service to a site. (I don't think they'll even go this far anymore, rather they'll give you the abuse email for the host and tell you to have the host contact them, which is ridiculous.) I've filed a few such complaints myself. In one instance, the booter site didn't provide any info about its services without registration, so I linked to the hackforums thread where it was being offered. CloudFlare declined this as sufficient proof. Luckily, I could register an account without payment, and that gave me the options to pay to launch attacks, so I sent the login details to CloudFlare and they accepted that.

[jessaustin]

Your experience seems to contradict the insinuation that "Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing", to which I responded. So I guess there's no problem after all?

[pktgen]

I don't think it contradicts that. CloudFlare is indeed knowingly providing cover to them. The fact that they'll give you an abuse email to the actual host doesn't change them continuing to provide service to such sites, even when they acknowledge a site is a booter.

[jessaustin]

I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting". Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

I wonder, however, if even the latter policy would solve the booter problem. Accessible websites are convenient for commerce, but they aren't required.

Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services

[pktgen]

> I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting".

I agree with this.

> Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

Somewhat. As of my last experience with them (which was like a year ago), they will accept abuse complaints for booters. If you can prove to them the site is a booter, by providing documentation on the site itself (not hackforums or anywhere else where it's being advertised, which is understandable as it's basically hearsay, though a bit difficult) indicating the site offers a DDoS service, they will provide the abuse@ email of the hosting company. They will tell you to have the abuse@ people contact them directly for further details. This is the only action they will take.

But my opinion is they should, upon confirming the site is a booter, terminate their service to the site. It would also be nice if they would continue to provide the host details, in addition, so the reporter can contact the actual host and have the site taken down from there as well.

> Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services

Very good point, thank you for mentioning.

The difference I see is that CloudFlare actively provides a service to them, while Google is merely maintaining a keyword-based search listing for them. That being said, I can see both sides of this one.

My views on the legitimacy (rather, lack thereof) of booters: they are a service that serves absolutely no legitimate purpose. The sole purpose is to perform an illegal act against another person. I know a bunch of them are sold on hackforums as "stressers," i.e. "stress test your own server," but that also isn't a legitimate purpose - I can see no case where one would want to stress test their own services with some UDP or SYN flood over the Internet. Such a thing would only be done over a private network using your own packet generator.

[danielweber]

I may not have been clear where I made that comment, so let me explicitly say that I do not know the history or state of CF's abuse policies. CF may, in fact, be doing everything right. I was merely stating a condition that, if CF is doing what you quoted, then it would be a "big bunch of bullshit."