62 comments

[ 1.8 ms ] story [ 133 ms ] thread
(comment deleted)
Cloudflare publishes these marketing articles, spinning them as "helpful" for the community. The biggest community help Cloudflare could provide is kicking booters [1] from their network. They won't however, since it needs to protect the booters for Cloudflare's business to prosper.

1. http://whois.domaintools.com/booter.xyz

(Repeat this whois search for the top 10 booters found in Google)

> publishes these marketing articles

What's funny is that it's obvious to anyone who would received an email like this is that it's spam to be ignored. What makes an email like this any more believable than anything you get unsolicited by email making any claims or demand? The fact that it is mentioning DDOS instead Nigerian money? I am surprised that cloudflare feels the need to even write this up and the fact they they take it seriously is only mitigated by the marketing angle (which makes them smart instead of naive I guess).

Well, these mails are almost an exact copy of the ones the real armada collective sent out last year though? It would make sense to be wary of them if you heard about attacks carried out by them.

The question is, what should a small enterprise without protection against ddos do? Of course it's wiser to actually implement said protection, but it's a lot easier for the human mind to jump to the short-term and easy solution.

Well now if you were going to pull a scheme like that for real (and not just spray and pray 10,000 sites hoping a few would pay) wouldn't it makes sense to give the site at least a taste of what you can do for a short period of time? And do you honestly think that it's good business practice when receiving an email like that to just assume it's truthful and you need to swing into some kind of fire drill? I don't.
No, I never said I thought it was good business practice. But I'm saying it's not good business practice to ignore it. If you can afford to ignore it, then there's no issue, but there's plenty of sites that don't have protection against this, and have money on the line if they get taken down.

The cost of paying off (a semi-probable) attack, might be better than going down the next day, and having to firefight it.

I'm playing the devil's advocate here. I would not pay x thousand dollars because of an email from said group, but I can understand it slightly better than sending money for nigerian scams.

$100,000 in bitcoin would belie the "obvious to anyone". People don't understand what a DDoS really is, nor how to fix it, so the email becomes much more ominous than a Nigerian 419 scam.
It is a business decision for them. If they kick the booters off, they will DDoS each other to death and no one will be able to use the booters anymore.

You may not agree, but financially makes sense for them. They need the booters to be alive to sell their service.

-->not saying I agree at all with that mindset

> They need the booters to be alive to sell their service.

Well, I think this blog post clearly demonstrate that people are willing to pay for DDoS protection even without any attacks. This is pretty much a conspiracy theory way of thinking.

But paying customers of Cloudflare think otherwise.
Did you run any study to claim you know why are they buying those services? Security is not a one time purchase when someone is threatening you.
I work for CloudFlare, just an engineer and not a lawyer, etc. This is my opinion but I recognise I work here and am a dumb person from a legal perspective.

One of the things that CloudFlare cares about is due process. That has been blogged about too: https://blog.cloudflare.com/fighting-back-responsibly/

If CloudFlare were to subjectively decide to remove websites or DNS zones, due process goes out of the window as we'd be able to just do whatever we pleased to whomever.

We (collective HN readers, etc) cannot wish to restrict and prevent overreach if we indulge in the very same action by subjectively removing/blocking access. Either a company follows due process, or it does not.

Due process is extremely valuable to a society, relying on a transparent system that has an appeals process should be important to everyone... the legal system gives this, and it's value is so great to society in restricting overreach, that as individuals and as the wider company we have embraced due process, and rejected the things that would weaken it... our own actions.

If you wish to have booters or whomever else removed, please present our legal team with a valid legal request.

Indeed, it is the purpose of a court to follow due process, but not of a private entity. From CloudFlare's business standpoint, your decision makers should seriously weigh the reputation damage that this (perfectly legal) "willful negligence" attitude provides: a marketing director of your competitor pointed out that "CouldFlare is protecting most booters" in a phone call with me.
Indeed, it is the purpose of a court to follow due process, but not of a private entity.

Laws and courts constitute a minimum or a "floor" standard for civic and commercial behavior. A society that has due process in its laws and on its books, but whose civic and commercial institutions all exhibit draconian knee-jerk behaviors is succeeding at being benevolent and just to the same extent that the Jim Crow south enfranchised black people. The comparison is unpleasant, but it is operationally correct. Laws on the books are only a skeleton. Values and principles have to be enacted by the flesh of civic and commercial society to be meaningful to people.

The values embodied by the laws on the books have also to be alive in civic society, or else they are not truly meaningful. It's not enough for only the government and courts to embody humanist and democratic values. Civic and commercial society has to embody them too. (Ask yourself, are you a part of civic and commercial institutions and intellectual movements that embody humanist and democratic values? Or are they authoritarian and withhold justice and free speech from those the group deems "unworthy?")

The idea that private individuals and businesses ought to conform to a prescribed set of moral values dictated by "society" is the very definition of "totalitarianism," no less because you give them nice-sounding names like "humanist and democratic," nor less because you attempt to create an emotional linkage of the reverse case to racism.

Are people free, independent actors, or are they merely cogs in some vast social machine, constrainted to operate in their private lives and businesses according to the arbitrary dictates of some self-appointed group of sermonizing moralists?

>Are people free, independent actors, or are they merely cogs in some vast social machine, constrainted to operate in their private lives and businesses according to the arbitrary dictates of some self-appointed group of sermonizing moralists?

False dichotomy.

It's not.

Given that there exist moralizers who propose that everyone ought to have to follow a certain set of values, you can either:

A) accept their authority and adopt their moral schema, or B) reject their authority.

There are no other options. All other possibilities are subsumed by one of these two, in one way or another.

>> False Dichotomy

> A) accept their authority and adopt their moral schema, or B) reject their authority. There are no other options. All other possibilities are subsumed by one of these two, in one way or another.

Maybe you need to Google "False Dichotomy?"

Rather than simply insulting me, you could perhaps propose exactly what the other options are, besides those two, that you think I'm missing here.

I will then either accept that you are correct and admit that I was wrong, or else show how the additional options you propose are actually subsumed into one of the two options that I've named above.

You can take the dialectic and synthesize an encompassing model. No authority need be accepted. No particular model need be wholly accepted.

I can agree, for example, that certain forms of expression can make some people uncomfortable and exclude them from participation, yet not agree with the proposed dictate that all professional groups must now shun anyone who has ever defended such forms of expression. However, if the context of tolerance is expanded beyond such a narrow formulation, then my conclusion is that those forms of expression should also be defended and we should refrain from punishing the actors retroactively. (Even as we ask people to refrain from them in certain contexts.)

You can expand such a discussion into emotional, psychological, and historical realms, as well as those of personal experience. It's always possible to expand the context of a discussion, since it's impossible for a person to understand every context at once.

I did this once with my ex-girlfriend's right-wing Christian mom. She was willing to listen to the plight of a previous ex-girlfriend's family and it changed her outlook. I've also seen it happen with a homophobic woman from rural Oklahoma who became best friends with a gay activist man.

It doesn't mean you have to agree on everything, but there is an exercise of self-awareness around the ease with which one human can "dehumanize" another in their own mind. Civil society is generally better served by civic discourse and less well served by shunning and actions usually shown to "the enemy." In fact, the root of social injustice is generally the propensity of people to do this in their minds. ("othering")

I hope that is a good demonstration.

>A)Are people free, independent actors

Your existence is dependent on ancestral inheritance (instincts, emotions, genetics etc) and your identity is dependent upon the relative social interactions with others. We are naturally, subconsciously affected by the way others in our environment act. Our minds are a codependent network, affected by all of the thoughts and actions of those who came before us.

You are currently using a language that you did not independently invent, for example, and so many of your thoughts are constrained to the limitations of that language.

>B) or are they merely cogs in some vast social machine, constrainted to operate in their private lives and businesses according to the arbitrary dictates of some self-appointed group of sermonizing moralists?

There are many subconscious social constraints, much of which evolved to enable the survival of the species, but it is possible to break free of them, especially when those constraints end up being contrary to survival.

The idea that private individuals and businesses ought to conform to a prescribed set of moral values dictated by "society" is the very definition of "totalitarianism,"

A multicultural, inclusive society cannot tolerate intolerance, by definition. The rights of the individual, so long as they coexist peacefully, must be respected.

you attempt to create an emotional linkage of the reverse case to racism.

It's a functional and operational analogy. You had a situation where the letter of the law was respected, but the opposite was enacted in spirit. Have I touched a nerve?

Are people free, independent actors, or are they merely cogs in some vast social machine, constrainted to operate in their private lives and businesses according to the arbitrary dictates of some self-appointed group of sermonizing moralists?

I am advocating people as "free, independent actors." People who are free, independent actors and believe in humanist and democratic values can't afford to abrogate those values simply when it suits them. Even the vilest members of society should be accorded due process, at the very least.

private lives and businesses according to the arbitrary dictates of some self-appointed group of sermonizing moralists?

Democratic and humanist values are the very thing that prevents the establishment of the "self-appointed group of sermonizing moralists." The whole point of due process is to prevent the exercise of arbitrary power by a majority or by the loudest and richest. The whole point of due process is to ensure justice, even for the most hated part of society. The whole point is that society is imperfect and flawed, and must act with benevolent restraint, not from its unfiltered, hasty impulses.

Philosophically, the insistence on the right to stigmatize, and punish others in the civic and commercial spheres based on what they think or said in the past is very close to the insistence that a baker can refuse to bake a cake based on personal religious beliefs and perceived sexual orientations. World history over thousands of years shows that to err on the side of increased interaction and commerce is the pathway to peace and greater harmony and prosperity.

You fight violence through peace. You fight intolerance by tolerating. You can't easily fight violence with violence. You can't fight hate with more hate.

As for kicking out booters due to a TOS violation, though, I'm pretty much for that, so long as there aren't any false positives.

You are rather proposing a vast curtailment of personal freedom, according to your personal interpretation of reified "democratic and humanist values" -- an extremely vague and nebulous concept that, once stripped of the layers of indirection and obfuscation, amounts to nothing more than "what I personally happen to think constitutes good and proper behavior."

Moreover, you propose that not only the government, but also private entitites ought to be so regulated by your own arbitrary philosophical restrictions, a sort of Dead Kennedys "California Über Alles"-esque oppressive police state that not only promotes but mandates a particular narrow interpretation of liberal values.

This is no different in character from any other totalitarian dictatorship, though the exact set of values you advocate differs to a greater or lesser extent. They've all always thought of themselves as "good" and "moral" and "proper," all sought to improve society and remodel others' thinking by force and coercion, and always in the name of "ensuring justice."

You are rather proposing a vast curtailment of personal freedom, according to your personal interpretation of reified "democratic and humanist values" -- an extremely vague and nebulous concept

Not at all nebulous. Members of an intellectual, tolerant, multicultural society tolerate all those they practically can, and seek to talk to convince and listen to learn. Members of intolerant groups seek to silence, shun, and otherwise punish their perceived enemies. It's quite intuitive, commonsense, and plain as day.

private entitites ought to be so regulated by your own arbitrary philosophical restrictions

Really, I'd much rather that society at large understood these distinctions of philosophical and emotional self awareness, and enacted them of their own free will. This is why I make such comments. I'm trying to convince people that the freedom to act like a uber-jerk to people you don't like isn't an obligation to do so. Also, it's generally a bad idea.

This is no different in character from any other totalitarian dictatorship

Very different. There's a lot more listening and talking involved, and far fewer dictates. What's more like a dictatorship? Someone advocating for tolerance, or someone angrily insisting on their right to excommunicate people? In any case, thanks for revealing in what direction you're emotionally invested.

Please refrain from speculating about what my emotional investments may or may not be, and any other personal speculation, as that is not at all relevant to the discussion.

You have been making moral assertions in your original post on how private businesses ought to act, in order to be considered "good".

This is not fundamentally different in character than any other moral sermonizing of the past, though the exact specific values you advocate may differ. If you were ever to attain political power, it would not be different than any other oppressive dictatorship in history, all of whom thought they were simply trying to educate people on how to be "good".

Your position is, further, intrinsically hypocritical and self-contradictory. "A multicultural, inclusive society cannot tolerate intolerance, by definition" is a logical paradox. You either tolerate others, including those who are different from you, or you don't. That necessarily extends to people you disagree with, people whose values you personally abhor, etc.

Your position amounts to "Everyone should be tolerated, except those whom I don't personally like," burnished by yes, nice-sounding but vague and nebulous handwaving about multiculturalism, tolerance, "philosophical and emotional self awareness", "listening and talking," and so on, the various shibboleths of the California bourgeois soft-left that developed in the 1970s.

You even seek to arrogate intellectualism itself to your cause, implying that those who disagree with you are simply ignorant, unenlightened cretins who have not yet been properly educated.

I'm all for people not being jerks, but there is this profoundly arrogant and fundamentally misconceived notion inherent in what you write, that people are jerks simply because they don't know any better, because none of the enlightened educated kindhearted intellectuals has ever condescended to educate them during a kindergarten "teachable moment" of some sort about how being a jerk is actually wrong and, well, really mean and given them the opportunity to "listen to learn." That whole attitude is pure unbridled pomposity and sheer arrogance.

It's not the case. Society is not perfectable, and attempts to perfect it through coercion have invariably resulted in suffering and oppression. There will always be jerks in the world, no matter how many kindhearted liberals generously condescend to try to convince them otherwise. The exact form of their jerkdom will simply change to suit the new conditions.

Finally, here is the main difference between us: I don't mind at all if you believe all this stuff. Believe anything you like personally. I am happy to talk and explain my position, but I don't think there's any value in convincing you to change your mind, and that is not my goal, even though I disagree with you on many points. I accept that you are a different person with different views.

You, on the other hand, believe you have some holy sacred task to go around teaching people about how their existing ways are wicked and evil, and how they ought to change to conform to your personal views, and to the views of those like you. You're a classical missionary, only updated for the postmodern age, now without Jesus and with multiculturalism and so on instead.

As I said, I am not interested in convincing you otherwise, even though I disagree with this schema (though I'm happy to discuss.) The problem is that your preaching has extended beyond the confines of your personal space, at which point it is no longer your personal matter but now a matter for public society.

You believe you have a mission to spread your views to society at large, to coerce others to adapt to your personal view of "the good." That's the problem. That sort of thing has always, always ended badly in history.

You have been making moral assertions in your original post on how private businesses ought to act, in order to be considered "good".

This is not fundamentally different in character than any other moral sermonizing of the past

I rather see this like the idea that business deals should be mutually beneficial, that dealings should be honest, and that companies should be transparent. You are free to disagree of course, but what I'm advocating is fundamentally about cooperation and mutual benefit. It doesn't have to be moralizing, as it's supported by the mathematics of cooperation and the non-zero sum game as well as by the lessons of the long arc of history.

Your position amounts to "Everyone should be tolerated, except those whom I don't personally like,"

To be precise, my position is that everyone should be tolerated, so long as they behave civilly. This means they should be accorded the same rights as anyone else, and that those should be held sacrosanct, until it's no longer practical to do so. This is how I'd like to be treated, so this is how I advocate how everyone else should treat people.

You even seek to arrogate intellectualism itself to your cause, implying that those who disagree with you are simply ignorant, unenlightened cretins who have not yet been properly educated.

I find that I never have to do that. Pretty much, those who are ignorant quickly reveal themselves to the world. There is objective truth and knowledge of real value. Ignorance is obvious to real experts. I've been on both sides of this equation. If one is prostrate to the truth, then rebuttals to opponents simply write themselves. Largely, they just consist of paraphrases or 1 or 2 logical steps.

Society is not perfectable, and attempts to perfect it through coercion have invariably resulted in suffering and oppression. There will always be jerks in the world, no matter how many kindhearted liberals generously condescend to try to convince them otherwise. The exact form of their jerkdom will simply change to suit the new conditions.

On this we agree. No person is God or an oracle or otherwise infallible. This is why acting quickly is often a bad idea and acting from outrage is especially so. This is why the working assumption should always be that one is never in command of all the relevant facts. Hence: due process.

You believe you have a mission to spread your views to society at large, to coerce others to adapt to your personal view of "the good." That's the problem. That sort of thing has always, always ended badly in history.

I'm against coercion. That's my whole point. Don't coerce -- Convince! Humanist values have always ended badly in history? The USA has problems, but there are many wonderful things it has achieved. I'm still betting on that horse.

Could you start from something you think constitutes a horrible set of moral values and social standards and work your way to whatever you think is not vague and nebulous like "democratic and humanistic"? Like start with Hitler or Stalin and explain hiw what they did was bad and what would you do better?
Do I want to see booters online? Of course not.

But if CloudFlare were to shut them down without due process, that would damage their credibility - to the point where I would feel uncomfortable doing business with them.

I'm sure there's a group of people where CloudFlare's stance is damaging to their reputation.

But there's also a group of people where any other stance would damage CloudFlare's reputation.

Think also from the customer standpoint: people who need DDoS protection are people who are having their site shutdown without due process (by criminals who launch DoS attacks). When the company you hire to fix the problem becomes part of the problem, it's not good - and they would be part of the problem if they offered a 'send us an email and we shut down our users' denial of service attack vector.

Either way, CloudFlare is a part of the problem. They're either protecting booter services (thus necessitating your use of DDoS protection in the first place) or terminating the booter sites without "due process".

It's relevant to mention that CloudFlare already does terminate a class of sites without "due process": malware hosts. What makes malware hosts that much worse than booters? Answer: CloudFlare's IPs can get blacklisted for it.

Is it of comparable difficulty to reliably empirically establish 1) malware hosting and 2) operating a booter site?
I'd say yes: if you visit a purported malware URL and you are served malware, then it is a malware site. If you visit a purported booter site URL and it advertises booter services, then it is a booter. If the booter sites start trying to hide their identity, fine, I can see not removing that without proof. That will also severely injure the booter's signup rate, though.
Even when reporting malware hosts to them, the response to my abuse reports is "we are a reverse proxy, we do not provide hosting" - and then no further action is taken.
"Due process" means, quite literally, "process that is owed to you." It is the process that the government must, by law, provide when it is depriving you of liberty or property, to which (absent due process to deprive you of it) you otherwise have an inherent right.

Customers of a private business have no right or expectation of due process whatsoever, since nobody enjoys any inherent right to be a customer of a business. With a very few narrowly defined exceptions, private businesses are generally permitted to refuse service to anyone they wish, without explanation.

CloudFlare (and all other businesses) have always refused service to numerous classes of customer whose activities they deem abusive, in their own sole judgement, without any due process.

Read their terms of service, read AWS's terms of service, or Google's, or any other company's. They all already shut numerous people down without any due process, every single day. OP is simply suggesting they add one more category to the already long list of prohibited activities on their platform.

> Do I want to see booters online? Of course not. > But if CloudFlare were to shut them down without due process, that would damage their credibility - to the point where I would feel uncomfortable doing business with them.

The problem with this stance is it appears to be a conflict of interest. The easier it is to access a booter site, the more people who need Cloudflare's services.

I'm not saying that is the reason they do it. I'm just saying that is a conflict of interest that can really only be resolved by removing clearly labeled booter sites.

> Think also from the customer standpoint: people who need DDoS protection are people who are having their site shutdown without due process (by criminals who launch DoS attacks). When the company you hire to fix the problem becomes part of the problem, it's not good - and they would be part of the problem if they offered a 'send us an email and we shut down our users' denial of service attack vector.

Hosting booters makes them part of the problem is the flaw in that logic.

> please present our legal team with a valid legal request

What does this mean? What is a "valid" legal request? One that comes from an attorney? Or from a court? The way you phrase this it seems to say that "joe site owner" will be ignored by cloudflare.

A court order would do the trick... but even then, only if it were reasonable. Overreach could also be a court order that is unreasonable, i.e. Apple's fight against the backdoor to all iPhones.
I hereby request the CloudFlare only present Tor-users with a captcha when presented with a court order to do it.

Everything else means that process due to each tor user is violated.

Your own terms of use permit you to remove these sites:

"If the investigation reveals any information, act, or omission, which in CloudFlare’s sole opinion, constitutes a violation of any local, state, federal, or foreign law or regulation, this Agreement, or is otherwise deemed harm the Service, CloudFlare may immediately shut down your access to the Service."

I don't understand, what other evidence do you need that these websites are being used for ddos attacks?

Cloudflare is not an official government entity. As a business you have the right to refuse service to anyone. Refusing these websites service is not the same as being thrown in jail.

The link in question.

https://booter.xyz/

> We are a "DDoS for Hire" company

> Our best layer 4 UDP attack methods is dns amplification, ntp amplification, ssdp amplification

You think they are going to amplify on servers they own?

Dozens of ddos for sale websites being advertised on hackforums being protected by Cloudflare.

http://hackforums.net/forumdisplay.php?fid=232

http://whois.domaintools.com/serverboot.com

http://whois.domaintools.com/synstress.net

http://whois.domaintools.com/kronosbooter.com

http://whois.domaintools.com/instress.club

http://whois.domaintools.com/clickboot.co

And countless more.

I don't see why you need a "valid legal request" to remove clearly criminal operations from your network.

The conversation with almost every other network operator that I have goes something like this:

Me: "hey guys, the host at [operators ip address] is spamming/serving malware/phishing"

Them: "Hey thx, we'll check it out / notify customer"

If I check out a few days later, usually the criminals aren't on these people's network anymore.

With you it's like

Me: "hey guys, the host at [ip address] is spamming/serving malware/phishing"

CloudFlare: "We R a Reverse proxy"

And you don't do anything.

The problem with you is that you think you're some sort of savior of the internet, when all you are is a company providing a service, and you are free to terminate customers who are abusing the service you provide, without trying to pretend you are some sort of government like entity.

If you own a restaurant and one of your patrons keeps spitting in other people's food, you don't tell them that "Oh, but we have due process come back with a court order and maybe I'll ask him to stop." - you just kick them out.

It's your network - start taking responsibility for it.

I strongly support Cloudflare's stance. If the act of providing hosting to a party is legal, then cloudflare should never intervene. If the act is illegal, then law enforcement and courts should do their job.

I have much more confidence in companies that follow the law than those that arbitrarily pull the rug from underneath me for what they perceive is morally "right". I will not trust cloudflare if it turns into another Github.

I think the general problem with CloudFlare is the mismatch of what standards they hold other people to, and what standards they set for themselves.

They market themselves as a sort of savior of the internet, enforcing very tight control of what comes into their systems to protect their customers (c.f. the recent discussion about tor users), while at the same time they have an extremely permissive attitude for anything happening on their own networks.

The more specific problem with them is, that they aren't actually the hosters for the content that they serve, but just provide DNS service and Rproxy service for their customers.

This means, they also become a reverse-proxy for abuse complaints made to the backend hosters, which is where the real trouble lies.

The problem isn't really that CloudFlare decides or doesn't decide what should stay online, it's that they are preventing communication with the hosters in the first place.

So tired of this bullshit. You and your boss Matthew Prince make money off booter websites, actively host known ISIS sites, yet blog about how bad they are.

You know the illegal websites on your network, you knew the ISIS websites. And the booter sites as mentioned are obvious.

But as long as your marketing team can blog something cute up, you don't look like the shysters you are. Take responsibility for your network and stop using the 'reverse proxy' file a legal request course. There's due process and just hiding behind the DMCA to host terrorists and booters alike.

You shits know that someone who is being attacked, or knows of an ISIS / extremist website they won't go through the full legal written request. That's when it's your term to police your own network in some way.

Hiding behind asking for a legal written notice makes you and your Abuse Team sound useless, like you are.

Every reputable company in the world tries to make it as easy as possible to report abusive customers. That's the oil that greases the global internetworking machinery. Friendly sysadmins is the only reason we have the Internet today.

Just look at the links above. They even boast about what lengths they'll go to to destroy the network for everybody, what resources they'll spare to destroy your competitor's operation, even what they'll charge for it. To defer these cases to the justice system is a travesty. Just imagine if Google did that with all the spammers in GMail, "yeah, whatever, write to the legal team". Email would be completely unusable.

Sure, globally we can carry one or two parasites on the system. And if you don't host these booters some Russian bulletproof hosting will. But being "just an engineer" doesn't absolve you of anything.

>Cloudflare publishes these marketing articles, spinning them as "helpful" for the community. The biggest community help Cloudflare could provide is kicking booters [1] from their network. They won't however, since it needs to protect the booters for Cloudflare's business to prosper.

Why do you get to decide who should and shouldn't get kicked off a given company's platform?

I mean, I positively detest Uber and am convinced they're making the world a worse place. Can I now hound everyone involved with their online presence? And then claim the only reason that they're not complying is because, one way or another, they're making money from Uber's existence?

As has been pointed out below, due process exists for a reason, and a good part of that is stopping the likes of you and me from dictating what other people should do.

> Why do you get to decide

Because I am a customer with a $35,000 yearly DDoS mitigation contract budget. Customers like me (a.k.a. the market) will decide, based on the provider's reputation, among other things.

Lots of customers in the world. You're going to need to spend a lot more than that to have the sort of leverage you're asking for.

Disclaimer: Not affiliated with Cloudflare in any way.

Cloudflare is not only selling DDoS protection; they are in the business of harboring DDoS booters.

Their business work like a mafia, collecting a protection fee while hosting booters themselves. It's disgusting.

Customers merely decide where to spend money. That doesn't let them control the product anymore than buying a stamp lets them decide who can use the postal service.
Why do you get to decide who should and shouldn't get kicked off a given company's platform?

Didn't the booter decide it when they offered DDOS services for pay?

OP didn't say THEY ought to decide; they said CloudFlare ought to decide.

CloudFlare is a business. Due process does not apply to businesses, since nobody has the inherent right to be a customer of a business under any circumstances. Except for a few very narrowly defined limits (such as not rejecting customers based on race or ethnicity), a business is quite free to refuse service to anyone it pleases, and to ban any activities it pleases.

Indeed, numerous classes of customer are already banned from CloudFlare[1]. OP is simply saying they ought to expand that to include one more, one that uses the platform abusively.

[1] https://www.cloudflare.com/terms/ , e.g. the sections on "Limitation on Non-HTML Caching", "Investigation", "DMCA & Abuse Reports", "No Third Party Beneficiaries," etc.

Due process is not required, but neither are many smart decisions. The point of due process is to increase the chances that you didn't do an innocent person harm.

I think it's very reasonable to say, "We won't suspend your account arbitrarily, and if someone asks us to suspend your account, we'll follow these procedures in making the decision."

What is a booter? That just looks like the name of their domain.
I had to google it, seems like it's a term for DDOS-for-hire services.
A booter is a DDoS-for-hire service. You pay them $X and they will DDoS someone for you.
If CloudFlare is friendly towards DDoS services, that's awesome. Maybe I'll do the reverse of this article: create a DDoS-for-hire site, have CloudFlare protect my site, I'll charge for the service in Bitcoin, then not launch any attack. Maybe I, too, can rake in $100K for doing nothing. /s
It's always shocking to me, that people who can rise to a position where they can make the call to pay a ransom, can be this incredibly gullible/stupid/naive!
This is more complex. $4k is not really that much for a company to spend. If you were wrong, well you lost someone's conference trip, if you were right you saved company much more.

Anyway, I hate this CloudFlare articles, it's clever marketing. Essentially they say that if you would use their service you could call bluff, and save that $4k, while they also contribute to the problem by protecting all DDoS for pay services.

If you're wrong, you're potentially spending $4K to mark yourself as an especially likely target for someone who doesn't even have the resources to attack you. It's not JUST risk mitigation, it's also about furthering this ridiculous economy that's been springing up since the first XDCC bots were born.
My company received one of these threats last week. We took it seriously, despite our suspicion it was an empty copycat threat.
Why redact bitcoin address that was used for threats?

Let crowd do analysis on address that belongs to criminal.