[lucb1e]

In all 3 links this is the only relevant part I've been able to find regarding them being malicious:

> Heck, if the DDoS for hire services protect themselves against DDoS attacks by using CloudFlare then CloudFlare must be damn good!

So they protect their customers from DDoS attacks. All of them. I see nothing bad in this. Saying they shouldn't is like saying a government should put all criminals together in a village and then have them perform criminal activity on each other.

The link to Kreb's is basically the same: people protecting themselves. Should CloudFlare play for judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks". Like I said before, that person A kills another person doesn't mean that another person may kill person A, at least not within our current laws. Even if it did, is CloudFlare the one who should be calling the shots?

Finally your first link is someone complaining to CloudFlare about LOIC (or related perl scripts launched from VPSes) and cloudflare responds that they see no harmful traffic and that logs or other details should be attached. Merely saying "hey I'm having trouble" has never gotten anyone further in resolving issues. That's why we have logs so that CloudFlare can check their own logs to see what happened. Perfectly reasonable.

So yeah elaboration is necessary. I do not see why CloudFlare is harmful.

[akerl_]

The point being made above is that Cloudflare charges users to protect them from attacks, but they're also providing protection (from attacks and identification) to the people performing the attacks. To many, it appears that they're helping to allow malicious activity because it benefits the sale of their services.

[mst]

This sounds like the same argument would apply to selling bullet proof jackets to people who also own guns.

[pktgen]

> Should CloudFlare play for judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks".

DDoS attacks are illegal in most countries, including the US where CloudFlare operates. It would be reasonable for them to include something in their terms about not allowing illegal activities. Then, if it's brought to their attention via a verifiable abuse complaint, yes, they should cease providing service to that user. They are a private company and do not have the obligation to provide service to any particular person; there is no "rights" issue here.

Proactively, as in proactively monitoring and reviewing each site they provide service to, would no doubt be a huge burden and difficult or impossible, but I don't think anyone has suggested that. The only thing they need to be doing is the same as any responsible ISP, have an abuse@ mailbox (which they do), review and take the appropriate action on complaints.

[tokenizerrr]

As far as I understand it the problem is as follows:

1. Bad guys get a site behind cloudflare, and host illegal content

2. You want to report said bad guys to their host, for whatever reason.

3. You discover they use cloudflare. You now do not know where they are hosted.

4. Cloudflare will not tell you their actual IP addresses.

[lucb1e]

If it's illegal and you're harmed I'm sure you can sue the people who did it and CloudFlare will have to hand over IP addresses. But is it CloudFlare's duty to police the Internet? Like ISPs, I think they should be content neutral unless illegal content like child porn is being hosted. Merely talking about services is not illegal as far as I know; only performing the DDoS attacks is.

[meowface]

1. Websites hosting services that have no other purpose but to DDoS other computers are absolutely illegal. Many such sites have been taken down by the FBI before, and both users and owners of the sites have been arrested. The problem is that there are many hundreds of such sites and tens of thousands of users, and law enforcement simply can't take down each and every one. Cloudflare is relying on the fact that most people won't be able to get a subpoena or file a lawsuit.

2. You could apply that same argument to any hosting provider. They're just letting people see content that you yourself have uploaded; why should they act as Internet police? And yet every hosting provider has a legal responsibility to take action if someone is using their services to spread malware, launch DDoS attacks, or hack other websites.

Cloudflare is able to weasel itself out of it because it is not actually a hosting provider. However, they won't even let you discover the real hosting provider after showing proof of extremely blatant criminal activity. This is why many criminals flock to them: they know they will be harbored and their botnet command & control / DDoS service / malware distribution network can stay up for longer than it would normally.

I work in the information security field and we're definitely seeing more and more malicious network operators moving to Cloudflare and staying there for a long time.

[nitrogen]

Is requiring legal due process such a bad thing?

[meowface]

In some cases? Yes.

The legal system simply cannot process every single civil or criminal complaint everyone in the US may have. If a security researcher had to go through a court, and/or law enforcement, every single time they wanted a malicious domain taken down then their work would be nigh impossible.

Legal due process should be required when there are legal penalties or punishments. In this case, the bot herders and malware distributors are not subject to any criminal or civil penalties in response to abuse complaints: they do not go to jail and are not fined. Some of them will be fined or imprisoned, many years later, but everyone's better off if their botnets are shut down immediately instead of in 2-5 years.

It's a dealing between private entities: private entity X agrees to stop providing server or domain hosting for the bot herder after seeing a good faith report. A provider has every right to stop offering you service.

Without this sort of cooperation between entities, the Internet would be even more of a mess right now.

[tokenizerrr]

I agree they should not be policing. Instead they should allow you to contact the people who are hosting the actual content. Which is where DMCA notices have to go to, for example. Since they do not host the content, they claim the DMCA should not be sent to them, but they won't tell you who to contact instead.

[icebraining]

So what? It's not their job to help copyright holders, their job is to protect their clients' privacy. Even the cops have to get a court order to find someone's private data from a business, but since it's copyright every man and his dog claiming to be the copyright holder should be handed private information willy nilly?

[devicenull]

So, would you consider a site where you can click a button and have a DDOS attack launched for you to be illegal? Because that's exactly what's being referred to here, "DDOS-as-a-service".

[pktgen]

Have fun filing lawsuits and sending out subpoenas when you're just trying to host a game server as a hobby and not making money off it. Cross-jurisdictional issues will also make this very difficult, even if you know who the attacker is.

[icebraining]

Fair trials are hard, let's go shopping!