AntonyGarand 2 days ago

I recall this post[0] from cloudflare's CEO about when they terminated daily stormer back in 2017, and particularly this quote:

> Like a lot of people, we’ve felt angry at these hateful people for a long time but we have followed the law and remained content neutral as a network.

This is overall a very reasonable take and one I support from a player the size of Cloudflare: They should aim to remain as neutral as possible instead of enforcing arbitrary blocks on sites they disagree with.

Now, this post is from nearly 10 years ago and I'm sure there have been many more cases that happened since then, their methodology likely did evolve, but I don't mind them protecting any site, regardless of their opinion towards its content.

[0] https://blog.cloudflare.com/why-we-terminated-daily-stormer/

[1] https://news.ycombinator.com/item?id=15031922

  • ShowalkKama 2 days ago

    Kiwifarms back in 2022: https://news.ycombinator.com/item?id=32706673

    "Our decision today was that the risk created by the content could not be dealt with in a timely enough matter by the traditional rule of law systems."

    • halJordan 2 days ago

      Bad example, that was clearly them yielding to a lynch mob in the performance of its duties, as the saying goes. They clearly would've been content neutral in that case too, if the mob hadn't turned against them too.

      • poopmonster 4 hours ago

        > yielding to a lynch mob

        Reacting to public outcry by cutting off a legal stressor?

        I just don't think it's that big a deal.

        Being hosted on someone's private server is a privilege, not a right. As far as I know the host is legally responsible for the material they dispense.

        In the abstract, I believe everybody should have access to web hosting. But upholding that mission is not the job of one private company.

        Anyway, I guess "content-neutral" is an easier sell for most people than "We will 99 times out of 100 let you be even if you're pretty out-there, unless people start suing us about you and it's pretty plain to see you might be a degenerate force on the social internet, in which case yeah we'll tell you to beat it".

        Like, it's not a power that should be exercised liberally. But be real. It's Kiwifarms. Businesses have a right to refuse service to recreational gangstalkers

  • handoflixue 2 days ago

    Selling DDOS services is a lot more cut-and-dry than the daily stormer. This isn't a question of free speech, or hateful speech, etc. - this is advertising a blatantly illegal service that directly attacks both Cloudflare and their customers.

    The article itself even says the tipping point for daily stormer was "the claim that we were secretly supporters of their ideology" which is hardly any sort of Due Process.

    • AntonyGarand 1 day ago

      How would you differentiate the good and bad DDoS services?

      There is a use case for buying them for testing purposes to apply on yourself, so it's not as cut-and-dry as you would expect.

      • handoflixue 1 day ago

        Given the resources required, I'd expect a good DDOS service probably has a reputation in the industry, plausibly some sort of certifications, etc. - selling an easily mis-used service requires a lot of protections

        Conversely, this site proudly advertises that it has zero "Know Your Customer" restrictions, bypasses Cloudflare protections, etc.

        Quoting the site directly: "Some popular use cases are taking down competitor websites, creating unfair advantages in games and personal agendas."

        Even their CYA disclaimers are flimsy: "We simply ask to only use our tools on infrastructure that you own or are permitted to attack."

        Not "Require", "ask".

        • AntonyGarand 15 hours ago

          And that's diligence that Cloudflare would need to enforce on every single site they have?

          This one is fairly obviously bad, but some will be more ambiguous, and I wouldn't expect Cloudflare to be the one policing them all.

  • breakingcups 1 day ago

    Cloudflare isn't an impartial, neutral network. People need to stop perpetuating this fig leaf.

    To the outside world, Cloudflare acts as a host. Their servers serve the content of whatever site is in their "network". It doesn't matter that some of those sites are being partially pulled from other backend servers that are outside their network again. Cloudflare is their service provider and they are their customer (free or not).

    This is especially true with all their hosted stuff now like Workers, R2, etc., but don't let that muddy the discussion. Even without that they cache and serve the content.

9753268996433 2 days ago

Because their entire racket is providing MITM and DDoS as a service.

  • bigbadfeline 2 days ago

    One of many perverse incentives that can be fixed only by legislation.

HotGarbage 2 days ago

So Cloudflare can sell DDoS protection to Canonical.

  • gruez 2 days ago

    They can't use the half-dozen other enterprise DDoS protection vendors out there?

zamadatix 2 days ago

The post seems to skip explanation of what Cloudflare's involvement is?

  • naikrovek 2 days ago

    read it.

    cloudflare hosts the attackers.

    • gruez 2 days ago

      >cloudflare hosts the attackers.

      No, they provide DDoS protection, but the actual servers are likely hosted on some random VPS somewhere.

      • zamadatix 2 days ago

        When I do a lookup on beamed.st I get an IP in 2606:4700::/32 which is currently advertised from AS13335 "Cloudflare, Inc."

        Edit: I now realize gruez meant the beamed.st site itself is behind Cloudflare DDoS, completing the loop to explain what Cloudflare's involvement was :).

        • two_handfuls 2 days ago

          Yes that looks the same whether they provide DDoS protection or host.

          • zamadatix 2 days ago

            Ahhh, I completely misread who the DDoS protection was being provided to. Must be a slow day for me :). Thanks!

    • zamadatix 2 days ago

      Sorry if I wasn't clear, when reading Taggart's post and subsequent chained comments I didn't see any explanation of what Cloudflare's involvement was.

      Am I missing something on how to see more of the original post perhaps? As a sanity check I did a ctrl+f on "hosts" on the page and didn't get a match but I suppose that wouldn't help if I'm not in the right place to see the rest of the content.

throawayonthe 2 days ago

> A part of the internet considered "Critical infrastructure" is being attacked with impunity, and those who could stop it are doing nothing.

i don't understand how ceasing to proxy their storefront would stop a ddos attack? it's not like CF infrastructure is being used for the DDOS, or is that actually the claim made?

i can get saying something like "they shouldn't be providing this service to them" but this isn't a critical service to their operation?

  • Maxious 2 days ago

    You can't buy more DDoS if the storefront is down right?

Bender 2 days ago

How do they know that behind the scenes Cloudflare has not handed over whatever IP and financial information they have on the attackers to the feds? AFAIK such things would not be disclosed until the attackers are locked up and the case is closed assuming such details are ever disclosed at all.

  • ShowalkKama 2 days ago

    because unless they are remarkably stupid they didn't pay with their own credit card. That doesn't mean that the information is necessarily useless but I'd not expect them to kick a door down any time soon.

    (Moreover since cloudflare has a free tier you could use their service while handing over only a single email)

    • Bender 2 days ago

      All true points though I have met some incredibly dumb, brazen and cavalier criminals. We will not know until the dust settles.

x86hacker1010 2 days ago

This is the dumbest post I’ve read. The attackers have a site seemingly hosted by/orange clouded by Cloudflare. They aren’t providing botnet or DDOS capabilities. Cloudflare tries to act as a third party that follows the law when the law gets involved. They don’t want to actively police the internet in the same way they don’t actively abolish piracy (see Anna’s Archive). There are exceptions to this of course, but on average I don’t find it necessary for Cloudflare to knock down the site of the attackers because they sell illegal services. Isn’t this what HN bitches about anyways, CF being a centralised authority? Now you’re bitching that it’s not using its centralisation powers?

  • byyll 2 days ago

    > They don’t want to actively police the internet

    They do and they've done so in the past. They are just more okay with some illegal stuff than others.

fragmede 2 days ago

and white supremacists, but not sex workers?

byyll 2 days ago

Because cloudflare is and always has been a bad actor. They protect all sorts of illegal stuff.

mike_d 2 days ago

Remember that Cloudflare does a MITM on every connection to every website they front.

CF not only protects them... they have real time intelligence on who is getting attacked, who is paying for it, and all the parameters of the attack (type, volume, duration, etc).

What would your sales team give for leads this hot?

  • gruez 2 days ago

    >they have real time intelligence on [...] who is paying for it,

    This is as credible as "amazon has real time intelligence on all their e-commerce competitors because they operate AWS".

    • stevenally 2 days ago

      It's true though, isn't it.... The question is do they use it?

    • jsiepkes 2 days ago

      It would be way more complex for AWS to look at data in VMs than for cloudflare to look at unencrypted HTTP traffic. Heck they probably already do for various monitoring.

      • gruez 2 days ago

        >It would be way more complex for AWS to look at data in VMs than for cloudflare to look at unencrypted HTTP traffic.

        Most enterprises aren't using AWS as a VPS provider. They're going to be using other products like API gateway, ELB, or WAF, all of which expose traffic for easy analysis. Even if for whatever reason they are, the pareto principle applies. They don't need to care about the long tail of e-commerce vendors out there, only the whales. For that, they can just get an intern (or nowadays, LLM) to dump out the disk and manually dissect whatever's on there.