TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

46% Positive

Analyzed from 1728 words in the discussion.

Trending Topics

#cloudflare#attackers#ddos#illegal#protection#services#don#hosting#should#ubuntu

Discussion (47 Comments)Read Original on HackerNews

wood_spiritabout 1 hour ago
The article puts it very succinctly: Cloudflare fronts attackers for free and bills the victims for relief.

Ddos protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDos protector service is on?

okanatabout 1 hour ago
The thing is, you can control a neighborhood, a country etc. from attackers and establish control over violence.

How can we do that, if we would like to preserve relative anonymity and global nature of the internet?

People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity. DDoS protection is done by primarily having too much capacity to tank it and then filter it. The required investment is rather high.

idle_zealotabout 1 hour ago
This seems like one of those cases where you need to assign responsibilities and obligations to those enabling the damage, even if their offerings also enable a lot of good. If you have the capacity to offer cheap/free VPS, then you also need to cover the cost of protecting against the DDoS attacks that service enables. You don't get to offload that burden on to the victims. If that makes your VPS offerings more expensive then so be it; that's the result of pricing in the externalities.
altairprimeabout 1 hour ago
You can’t have both ‘sockpuppet-grade anonymity’ and ‘held liable for their actions’ in the same society, whether Internet or otherwise. Both in reality and online, those that create sockpuppet corporations-slash-identities are unmasked only when their web of sockpuppetry is pierced by e.g. ‘reused a mailbox’, ‘used a neighbor’s identity’, ‘used a family member’s identity’, and so on. Until such investigations, sockpuppets get away with billions of dollars-slash-gigabits of crimes every year, and barring the ever-incompetence of most criminals, the Internet is a vast improvement over shell corporations in that regard. Still. It is technically possible to be able to ban the controlling human of an online sockpuppet without violating their anonymity, but we lack the societal infrastructure to do so — and since our own techno-utopian societies have invested no effort in doing so, it seems like the core utopian ideal could be ‘freedom from consequences’, rather than ‘freedom of anonymity’. If that’s a valid interpretation, then the core issue is not ‘preserve relative anonymity’, it is ‘preserve relative non-liability’, which may offer new avenues for much cheaper investment than pseudoanonymity would cost.
johnmaguireabout 1 hour ago
> People can indeed form cooperatives to handle the protection, but this is hard to manage globally as an entity.

This is a fascinating idea. Is this something anyone is working on?

necovekabout 1 hour ago
In a sense, one can argue IPFS can do it, provided the content is syndicated widely enough. It is not, though.

Similarly, BitTorrent does roughly the same once the peer relationships are established.

apiabout 1 hour ago
It's a protection racket born of fundamental weaknesses in the Internet's bedrock protocols.
jwitthuhnabout 1 hour ago
"Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks.

This whole article seems conflate hosting an informational site run by the attackers and hosting the attack itself.

AntonyGarandabout 2 hours ago
Relevant post from last week:

> Why is Cloudflare protecting the DDoS'er (beamed.st) attacking Ubuntu servers?

https://news.ycombinator.com/item?id=48025001

john_strinlai7 minutes ago
people will always be able to pick a handful of sites they think shouldnt be allowed to use cloudflare hosting services.

the problem is that every person will have a different handful of sites. much better for everyone if cloudflare doesnt discriminate their services based on nebulous criteria. they should host everything and anything until a lawful order is received.

the "renting attack capacity [from cloudflare]" should have some evidence behind it, because as far as i am aware, the attackers are not using cloudflare infrastructure for the actual attack.

AntiUSAbahabout 1 hour ago
Completly agree, cloudflare protects scammers on a huge scale and no one cares...

All the faceshops I have reporeted to cloudflare, all these phising pages behind cloudflare I reported, never came down.

None of them.

For a company making billions, protecting people, they should take this stuff serious.

altairprimeabout 1 hour ago
If you’re not using the legal system to seek action from Cloudflare, you’re unlikely to be heard by them. “I was injured for $20 and I seek as redress the customer payment details (issuing bank, account number) provided to Cloudflare so that I can identify and file a claim for financial redress against them” would be a lovely small claims lawsuit, for example. I haven’t heard of anyone trying that yet but I’d love to admire the results if someone does!
PcChipabout 1 hour ago
I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail, so that hacking group could exploit as many targets during that time as possible
bayindirhabout 1 hour ago
copy.fail patches can be applied with minimum downtime, and a VM reboots in 30 seconds, tops, regardless of size. I believe all the apex servers are configured as HA to keep the load distributed, so normal users won't feel anything when copy.fail is patched.

Our users didn't feel a thing when we rolled out the patches.

Lukas_Skywalkerabout 1 hour ago
But the Ubuntu update servers are necessary to serve the update. Taking them down prevents the users from downloading the update. I don't know whether the update servers were affected though.
throw0101cabout 1 hour ago
> I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail

On Ubuntu copy.fail could be mitigated against with some modprobe(8) config tweaks:

    # echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    # rmmod algif_aead
There may be some processes that use this functionality ("lsof | grep AF_ALG"), but it is not that widespread AIUI, and so disabling it should not be an issue for the vast majority of systems.
JeremyJaydanabout 1 hour ago
I'm not sure how correct this is but when you upgrade your tier on Cloudflare aren't the costs basically up to Cloudflare?

With the horror stories heard over the years I think a real issue is no hard pricing cap with forced shutdown.

Unless that's changed? I booted them a year ago..

lumaabout 1 hour ago
That'd be extortion, not blackmail. CF did neither thing.
btillyabout 1 hour ago
Hanlon's Razor applies here. "Never attribute to malice that which is adequately explained by stupidity."

Pretty much anyone can get onto the free tier for Cloudflare. The fact that someone is, doesn't mean that there is a business relationship with Cloudflare. There isn't.

In order to make this business model work, Cloudflare does essentially no due diligence. Getting onto the free tier before you need it, is cheap. And then if you really need them, you have every reason to start paying.

Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. They wouldn't have a business if they made that a viable target!

But the result of these business decisions, made for their main customer acquisition flow, makes them a tempting place to host malicious content, as well as good. Black hats make a sport out of taking each other out. And so have every reason to use Cloudflare.

Still doesn't indicate a relationship between Cloudflare and the bad actors who are taking advantage of the setup.

duskwuffabout 1 hour ago
> Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against.

I don't think that argument holds water. There's a world of difference between knocking a site offline with a DDoS and making a legal request which results in a hosting provider shutting it down.

necovekabout 1 hour ago
What you are saying is that Canonical should have first updated the DNS to point at the attacker's web site IP (hosted by Cloudflare) for a few hours to let Cloudflare eat 3.5Tbps for a bit? :)
aggakakeabout 1 hour ago
With this kind of logic we can blame keyboard manufacturers for the illegal things their products wrote.
nicceabout 1 hour ago
Or water companies for selling water for them. Where is the line?
mcmcmcabout 1 hour ago
If a billboard company accepted an ad that included a threat on the president’s life or recruitment info for a known terror organization, are they complicit in the crime? Water is a basic utility so I don’t think that’s a fair comparison

This is more like a firearms dealer selling a gun to someone after they put their intended usage as “robbing banks” in the ATF form

nicce33 minutes ago
> If a billboard company accepted an ad that included a threat on the president’s life or recruitment info for a known terror organization, are they complicit in the crime? Water is a basic utility so I don’t think that’s a fair comparison

Yet Meta and Twitter are doing fine, while this has happened.

Water was kinda intentional extreme end. Is there a line? Where is the line? Giving food for someone before they make a murder can give you much bigger jailtime than not giving it, and then just ignoring the knowledge that they are going to make a murder. It is not what you do but the act itself.

naikrovekabout 1 hour ago
how does anyone not know where the line is?

An example that makes it more clear: "by that logic it's my fault that i was robbed for leaving the door to my house unlocked."

No, it's the robber's fault you were robbed. The robbery is the illegal part. It is not illegal to leave a door unlocked. Back to your train wreck of an example: it is not illegal to sell keyboards, and it is not illegal to provide water to people. Extortion is illegal. Denial of Service attacks are illegal.

That's where the line is. It is the border between legal and illegal.

sophaclesabout 1 hour ago
Obviously we need to go after supermarkets and corner stores since criminals eat, so somewhere past that.
jmuguyabout 1 hour ago
It seems disingenuous to assume that CF offering some (unknown) amount of service to a malicious actor amounts to "blackmailing" someone that actor is attacking. CF could, and probably should, be better about not offering services to criminals but making a leap of logic certainly doesn't help anything.
Advertisement
TZubiriabout 1 hour ago
Yes.

I find a similar pattern to Meta's scammer ads.

Huge publicly traded companies benefitting from the illegal actions of their clients, turning a blind eye, or conveniently delaying their takedowns.

Big companies need to absorb the liability of small companies, otherwise you get this delegated Sybil Good bank/Bad bank attack

mcmcmcabout 1 hour ago
If they accept money to display malicious ads they should be prosecuted as accessories to the crime tbh
jpereiraabout 2 hours ago
This is insanely dumb. Cloudflare is providing free hosting services, not materially supporting the attacker. You can argue that cloudflare needs to be better, or adopt different values towards, taking down sites they host, but this organization could absolutely just serve elsewhere (or just advertise their services over telegram or the like).

Maybe there is a point to be made about monopoly power in hosting and ddos protection. I don't really see how this blog post, or labelling it blackmail, help make that point.

mjdabout 2 hours ago
It's not dumb. There's a conflict of interest.
sophaclesabout 1 hour ago
Yeah, I demand all my hosting providers be 100% vulnerable to DDoS for this reason.
deadbabeabout 2 hours ago
They didn’t.
amatechaabout 2 hours ago
Yeah, probably not - because they don't explicitly have to, as outlined in the post. The very architecture of CF's services essentially enables "blackmail as a service" in the sense that, CF protects the attacker and essentially creates a coercive environment in which the victim "has" to pay CF to protect them from... the very attacker that CF protects.
superkuhabout 2 hours ago
Right. It's more abstract than that. They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable. Then they sell the same "protection" to the victims. It's the classic mafia protection scam.
gruezabout 2 hours ago
>They protect (from legal consequence or even discovery) the attackers and host them on their infrastructure so they're untouchable

Victims can't file a subpoena to get account details?

superkuhabout 2 hours ago
I've never tried a subpoena. I've tried reporting them to ICANN for whois abuse contact violations and never received a response (after I recieved a response from cloudflare saying, "Go away, we don't care, sign up for our services and pay us to care."). Perhaps I should set up a gofundme or something for the thousands of dollars needed to get justice via subpoena.

If I were hosting illegal malicious actors doing this stuff on my home servers and refused to even say who was doing it I would 100% get my door kicked down by the FBI. But some persons, corporate persons, are more equal than others.

worikabout 1 hour ago
I am curious about the existence of https://beamed.su/

    The best IP Stresser service since 2022.
That is one way of putting "DOS" for hire

WTF does it really mean?

IshKebababout 1 hour ago
It is DDoS for hire. What are you asking exactly?
anonym29about 1 hour ago
Crimeflare - proudly extorting DDoS victims and protecting criminals while building a global surveillance dragnet since 2009!