jlogsdon | 11 years ago

> unlike, say, CloudFlare

Care to elaborate?

tedivm|11 years ago

I have multiple horror stories from my days at Malwarebytes about CloudFlare. They absolutely refuse to take down people who abuse their network- at best they'll block a single file from being distributed, but then the malware authors simply change the name of the file (or, more commonly, dynamically name the file something completely random). Their network is fantastic for malicious activity, not only because of the technology but because of their policies around it.

They will do everything to keep bad sites up, even flat out lying. Here's Matt Prince, their CEO, claiming that Malwarebytes was blocking their CDN because of "political" reasons, even though we had emailed him actual PCAP files showing that their network was distributing malware-

https://forums.malwarebytes.org/index.php?/topic/108447-my-s...

Despite the fact that Malwarebytes actively engages with communities and groups that teach people how to manage malware removal, and has always stood for free speech and only removes harmful software, Matt Prince tried to deflect from the truth of the situation by claiming this was about censorship. Really all it was about was that multiple clients of theirs were hosting pages that were actively infecting thousands of computers.

To make matters worse, they put these customers who are hosting active exploits and malware right next to their small business customers, so any time someone threatens to block them they hide behind the innocent victims who are caught in the crossfire.

I should point out that I no longer work at Malwarebytes, and this all took place several years ago. I am only speaking about the portions of this that were public, and you can find all of that in the Malwarebytes forums and other places online.

sampk|11 years ago

Where exactly does Matt accuse Malwarebytes of blocking their CDN because of "political" reasons? Your whole post looks like blatant lies.

meowface|11 years ago

As a security analyst, Cloudflare is a great friend and a terrible enemy. I've had numerous scenarios where I request information or takedowns of websites hosting blatantly malicious content, and not only do they refuse to cancel service, but they won't even give you the real IP address of the domain even if you have considerable evidence that abusive content is hosted there.

The most they'll do is give you the name of the hosting company, and even then getting that is like pulling a tooth. And of course, once you contact the hosting company, it can become like a chicken-and-egg problem: "you'll need to contact the DNS provider so I know what server this is being hosted on." A hosting provider that issues thousands of VPSs and has a big IP space may not be able to find the offending user just given a domain name.

On the plus side, I use Cloudflare on many of my sites for the free DDoS protection, IP anonymizing, and anti-bot features. So far it's been great.

nothxbro|11 years ago

lucb1e|11 years ago

In all 3 links this is the only relevant part I've been able to find regarding them being malicious:

> Heck, if the DDoS for hire services protect themselves against DDoS attacks by using CloudFlare then CloudFlare must be damn good!

So they protect their customers from DDoS attacks. All of them. I see nothing bad in this. Saying they shouldn't is like saying a government should put all criminals together in a village and then have them perform criminal activity on each other.

The link to Krebs is basically the same: people protecting themselves. Should CloudFlare play judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks". Like I said before, that person A kills another person doesn't mean that another person may kill person A, at least not within our current laws. Even if it did, is CloudFlare the one who should be calling the shots?

Finally, your first link is someone complaining to CloudFlare about LOIC (or related Perl scripts launched from VPSes), and CloudFlare responds that they see no harmful traffic and that logs or other details should be attached. Merely saying "hey I'm having trouble" has never gotten anyone further in resolving issues. That's why we have logs, so that CloudFlare can check their own logs to see what happened. Perfectly reasonable.

So yeah elaboration is necessary. I do not see why CloudFlare is harmful.

jlogsdon|11 years ago

Thanks, what I searched for didn't really bring anything up.