I ran the world's largest DDoS-for-Hire empire and CloudFlare helped

09/03/2022


Today CloudFlare is in the spotlight for their decision to revoke access to a website behind their network. The timing comes just 3 days after they published a blog post discussing their abuse policies and making the following statement:

"Some argue that we should terminate these services to content we find reprehensible so that others can launch attacks to knock it offline. That is the equivalent argument in the physical world that the fire department shouldn't respond to fires in the homes of people who do not possess sufficient moral character"

I agree with CloudFlare's analogy: the fire department should respond to a fire at any home regardless of who lives in it. However, this real-world example is not an accurate representation of the situation CloudFlare is presenting. As the operator of the largest DDoS-for-Hire empire in the history of the internet, I have a unique perspective on the situation CloudFlare finds themselves in.

"Avoiding" an abuse of power

As the infrastructure provider for over 20% of all www traffic traversing the internet today, CloudFlare is in a position to enforce its beliefs on a global scale. Most of the time this isn't a problem; lots of nefarious websites try to take advantage of the services CloudFlare offers and are rightfully kicked off. The problems arise in a small category of websites that blur the line. Is it okay to revoke access to a website promoting hate speech and violence? Who interprets what qualifies as hate speech? Should a single forum post in a sea of thousands disqualify an entire website? Who makes the decision on how these criteria are defined?

CloudFlare's answer to these questions has historically been: nothing. They have repeated again and again that because they are an internet utility they remain neutral on these topics and leave it up to the hosting providers to answer these questions. However, CloudFlare is not a neutral utility: they are a publicly traded company and have shareholders to report to. Can any fire department in the world say the same?

As a young cyber miscreant I operated dozens of booter ("DDoS-for-Hire") services throughout my teenage years, and every single one of them used CloudFlare to protect my websites from rival DDoS attacks. Without CloudFlare's "neutral" security service offerings I couldn't have facilitated millions of DDoS attacks. It's hard to stress just how instrumental CloudFlare is in the success of a booter service's operation; booters that didn't have protection from CloudFlare would not remain online very long.

It looks like not much has changed throughout the years. Just like I took advantage of CloudFlare's services many years ago, the first result on Google for the search term "booter" is doing the same thing today. As long as CloudFlare doesn't intervene in the operation of these websites, they are "avoiding" an abuse of power. Isn't that convenient?

Downstream Responsibility

As someone who has previously justified their actions by saying "I am not directly causing harm, the responsibility flows downstream to my end users," I can tell you it is a shaky defense at best. The situation would be different if CloudFlare was unaware of the booter websites they are offering protection to, but that is not the case. CloudFlare knows who they are protecting and chooses to continue doing so, being fully cognizant of the end result their actions will have. Let's talk about that end result, because the hypocrisy of it all stings like a slap in the face as I type this.

CloudFlare is responsible for keeping booter websites online and operating, the very same websites whose sole purpose is to fuel CloudFlare's very own business model: selling DDoS protection. Dear reader, please take a moment to reflect upon the last sentence.

CloudFlare is a fire department that prides itself on putting out fires at any house regardless of the individual that lives there. What they forget to mention is that they are actively lighting these fires and making money by putting them out!

I'm reminded of a similar story published by my favorite journalist many years ago: Spreading the Disease and Selling the Cure

CloudFlare's own responsibility chart tells us they feel they have no obligation to take action against booter services flourishing under their network, even though the end result of their inaction means they will get more customers purchasing their security services and the internet as a whole will be infested with more DDoS traffic than it otherwise would be. If your business is putting out fires, ensuring a steady stream continues to be lit might just be in your best interests.

In either my case or CloudFlare's, we are both a few rungs detached on the ladder that ultimately ends with a DDoS attack, and we are both financially motivated to not break this ladder. It's one thing to be on this ladder as a teenager with misguided aspirations and another to be a company with a 20-billion-dollar market cap hiding behind a ruse of not wanting to censor free speech.

Regardless of the law's interpretation on where the responsibility falls for the facilitation of these attacks, there is no argument against the fact that should CloudFlare intervene and boot booter services off their platform (hah), the need for their paid protection services would diminish.

Closing Thoughts

Despite my critiques of CloudFlare in this blog, they offer an amazing public service to the world. I have been a CloudFlare user since I was 14 and continue to endorse their services. I've used CloudFlare in many ways throughout the years, and today's article was written completely objectively. As a company whose mission is to help build a better Internet, they are not aligned with that goal while these websites are allowed to flourish on their network.

The CEO of CloudFlare, Matthew Prince, has shown he is willing to intervene when he deems it necessary. If Matthew were to read this, I would ask him: don't you think you would set a positive precedent by reversing course on your booter policy? There are no free speech or human rights considerations here; there is only the right choice and the wrong one.

Disclaimer: I am not proud of my past actions and understand I don't have the best record of building a better internet. I am working on fixing that with each passing day and hope you don't judge an entire person's character solely on the actions of their youth.

Written by Rasbora

rasbora.dev
rasbora@rasbora.dev
09/03/2022