39 comments

[ 3.2 ms ] story [ 54.7 ms ] thread
This is insanely dumb. Cloudflare is providing free hosting services, not materially supporting the attacker. You can argue that cloudflare needs to be better, or adopt different values towards, taking down sites they host, but this organization could absolutely just serve elsewhere (or just advertise their services over telegram or the like).

Maybe there is a point to be made about monopoly power in hosting and ddos protection. I don't really see how this blog post, or labelling it blackmail, help make that point.

Seems unavoidable if you're running DDoS protection services. Of course the people performing the attack also don't want to get attacked back.

Taking down their info site wouldn't have made the attack go away anyway.

That'd be extortion, not blackmail. CF did neither thing.
It seems disingenuous to assume that CF offering some (unknown) amount of service to a malicious actor amounts to "blackmailing" someone that actor is attacking. CF could, and probably should, be better about not offering services to criminals but making a leap of logic certainly doesn't help anything.
"Renting attack capacity from [cloudflare]" is inaccurate as I understand things. That group hosts their site behind cloudflare but I have not seen anyone claim that cloudflare's infra is used for the attacks.

This whole article seems conflate hosting an informational site run by the attackers and hosting the attack itself.

I have no insight into this particular case/incident, but I do have to deal with a lot of http traffic management, and I've lately been seeing Cloudflare IPs show up a lot more often in my logs for probes and nuisances, and not because the traffic is being proxied (or at least, it doesn't have the CF-Connecting-Ip header).

Used for these attacks, dunno, used for some attacks, yes. (But CF still remains a much less frequent nuisance than pretty much any other infrastructure provider.)

I also found this confusing. And given how thorough and precise the author was with other elements, it seems like a deliberate gloss.
Yes, agreed these are very different things. Also I'm not really sure the argument holds, there are plenty of AWS Command and Control hosted servers and AWS victims, is AWS to blame or blackmailing? The answer is a large no.
AWS does have an abuse department though, and if you're in that space, you can send them abuse reports and they'll do something about that.
Linux users and FUD. Name a more iconic duo
The article puts it very succinctly: Cloudflare fronts attackers for free and bills the victims for relief.

Ddos protection services can be cast as a digital protection racket where they have a perverse incentive to keep attackers attacking. “It's a dangerous internet out there; you'd better pay us to protect your website from the attackers using our free tier.” At the least, even if there is no active collusion or profit sharing or anything like that, there is not a clear side that the DDos protector service is on?

(comment deleted)
Ok, so what's the solution?

I do agree with your comment. But obviously Cloudflare didn't invent DDoS. If Cloudflare just magically disappears tomorrow, the AI crawlers won't stop. So what's the alternative? It's not a world you need to upload a government-issued ID to browse the internet, right? ...right?

I always assumed ubuntu was brought down to prevent ubuntu servers from patching copy.fail, so that hacking group could exploit as many targets during that time as possible
Completly agree, cloudflare protects scammers on a huge scale and no one cares...

All the faceshops I have reporeted to cloudflare, all these phising pages behind cloudflare I reported, never came down.

None of them.

For a company making billions, protecting people, they should take this stuff serious.

Would you prefer a huge organization that arbitrarily censors websites without a mechanism for appeal or legal process? The current state of affairs is way better.
With this kind of logic we can blame keyboard manufacturers for the illegal things their products wrote.
This is a flawed analogy. The "keyboard manufacturer" in this scenario is the "router manufacturer" who Cloudflare buys off of, not Cloudflare.

In your scenario Cloudflare is more like a newspaper aggregator which carries all sort filth along with it's normal commentary.

If this was a normal situation one could just decide not to read some filthy newspapers, while letting those who want to read it make that decision for themselves.

But in the Cloudflare scenario all the major relevant normal newspapers decided to publish all their content through Cloudflare and if something objectionable is published along with it, instead of taking your beef to the original publisher, you have to to take it up with Cloudflare who might just forward your details to some very unsavory people without you having a chance to know beforehand.

Yes.

I find a similar pattern to Meta's scammer ads.

Huge publicly traded companies benefitting from the illegal actions of their clients, turning a blind eye, or conveniently delaying their takedowns.

Big companies need to absorb the liability of small companies, otherwise you get this delegated Sybil Good bank/Bad bank attack

Crimeflare - proudly extorting DDoS victims and protecting criminals while building a global surveillance dragnet since 2009!
I'm not sure how correct this is but when you upgrade your tier on Cloudflare aren't the costs basically up to Cloudflare?

With the horror stories heard over the years I think a real issue is no hard pricing cap with forced shutdown.

Unless that's changed? I booted them a year ago..

I am curious about the existence of https://beamed.su/

    The best IP Stresser service since 2022.
That is one way of putting "DOS" for hire

WTF does it really mean?

Hanlon's Razor applies here. "Never attribute to malice that which is adequately explained by stupidity."

Pretty much anyone can get onto the free tier for Cloudflare. The fact that someone is, doesn't mean that there is a business relationship with Cloudflare. There isn't.

In order to make this business model work, Cloudflare does essentially no due diligence. Getting onto the free tier before you need it, is cheap. And then if you really need them, you have every reason to start paying.

Ideally you'd hope that they would allow third party takedowns. But the ability to do third party takedowns provides a target for the exact attackers that their business is trying to protect against. They wouldn't have a business if they made that a viable target!

But the result of these business decisions, made for their main customer acquisition flow, makes them a tempting place to host malicious content, as well as good. Black hats make a sport out of taking each other out. And so have every reason to use Cloudflare.

Still doesn't indicate a relationship between Cloudflare and the bad actors who are taking advantage of the setup.

people will always be able to pick a handful of sites they think shouldnt be allowed to use cloudflare hosting services. the problem is that every person will have a different handful of sites. cloudflare should host everything and anything unless and until a lawful order is received.

if they start sticking their fingers into sites and determining whether the site's content is "appropriate" or whatever, based on some sort of nebulous set of criteria, people will get (justifiably) big mad about it, guaranteed.

the "renting attack capacity [from cloudflare]" should have some evidence behind it, because as far as i am aware, the attackers are not using cloudflare infrastructure for the actual attack.

(its really jarring to see the general sentiment on this submission vs. the general sentiment on google submissions)

>if they start sticking their fingers into sites and determining whether the site's content is "appropriate" or whatever

They already pick and choose. They have not decided to sit outside of it. Any claim about them not getting involved should be read as tacit approval. Because we know they will drop users they sufficiently disapprove of.

One of the few reasonable comments on this thread.

I don’t see how cloudflare could have prevented this at all. Even if they took down the info site of the attackers they could just host it on GitHub pages, or a million other free static site hosters.

Zero evidence that cloudflare actually enabled the attack itself from what I can tell.

Do you think people in that space aren't going to go after the "million other" static site hosts for hosting their content though? Yeah it's a game a whack a mole but there are some motivated whackers out there because they really don't like DDoS for hire services.
"... its really jarring to see the general sentiment on this submission ..."

I am heartened to see a high default level of suspicion, bordering on contempt, for a global observer MITM'ing as much of the Internet as they can.

I'm not sure if Cloudflare is a malicious actor but we should all behave as if they are.

Most people on planet earth will be able to trivially agree on a subset of all their lists which in fact shouldn't be able to use it
Articles like these seem to hold a weird belief that Cloudflare does not react to security reports or legal orders? From my experience, they react appropriately and relatively quickly compared to rest of the industry.

Could Cloudflare be more proactive or add more friction to their signups? Yes, probably, but the reasons they have outlined for not playing internet police make sense to me.

I don't think it should be a requirement to provide your credit card, phone number and a copy of your ID in order to host content on the internet...

I don’t think it should be a requirement to talk to cloudflare at all to host content on the internet. I certainly don’t.
The internet worked for so long because people responsible for each little island did what was for the most part in the best interests of the rest of the islands. If you didn't, other islands would shut off their links to you. Law enforcement was a last resort because 1. the courts don't move at the speed of the internet and 2. nobody wanted the internet getting top down governmental regulation because it was trans-national.

Cloudflare spent a bunch of venture capital to give away expensive things for free and buy market share. If you convince all the grocery stores to move to your island, you can operate a den of criminal activity with no fear of everyone else shunning you.

Talk to anyone who fights botnets, malware, or online scams. Once you hit the Cloudflare dead end you just have to give up. Law enforcement isn't going to take up a case where only 7,000 peoples computers are infected, and Cloudflare isn't going to investigate and take action themselves.

That's not a "weird belief". Cloudflare positions itself as "infrastructure". That means they think they are not responsible for the content that they carry.

In a normal scenario, if you want to protect your systems from other "bad" systems on the internet, you can block them on the IP layer.

But Cloudflare operates at the IP layer proxying data between you and good and bad (and everything in between) systems.

In a normal situation you could block and report a site that is run by the the mob, by either blocking them at the IP level or by contacting the abuse@ of the organization that is hosting the content.

Cloudflare is making it so that you can't do either. And if you send an abuse report to Cloudflare, you cannot be sure that they will not just forward your contact information directly to the entity that you are complaining about. They have changed their stance over the years to appear more responsible, but the fact remains:

If I want to send an abuse@ report to a system that is hidden behind Cloudflare I can not be sure that they won't just forward it without me knowing who they are forwarding it to.

Cloudflare & AWS wouldn't even INVESTIGATE a abuse report I sent because there weren't any "infringing URLs" or "specific resources".

I provided enough evidence for them to at least be able to kickstart a internal investigation or even CONTACT the abusive customer, which they did not do.

If it were a stresser, all they would see is a login panel. It's not like these sites are publicly advertising what they're doing...

I dislike CFs role in the modern Internet as much as the next person, but this is a bunch of speculation trying to connect dots with no basis other than that a Canonical cert renewal happened on the same day as a company transfer.

There might be somewhat of a tangential story, however, in that Njalla seems to have reorganized or changed ownership fairly recently[1], and that Njalla and immateriali.sm seem to be related entities[2]

https://xn--gckvb8fzb.com/njalla-has-silently-changed-a-word... https://www.wipo.int/amc/en/domains/decisions/pdf/2026/dio20...

There's not even any proof Beamed was responsible for the attack in the article--it's all speculation.

"Anonymous person on the internet claiming <thing>" is proof of nothing.

It's just as likely someone claimed they used Beamed to try to get a competing service taken down or direct attention elsewhere.

Don't get my wrong, Beamed looks like a scummy booter service with no legal purpose.

However, claiming companies should deplatform sites based on speculation is, imo, a very dangerous precedent.