
CloudFlare helps save Wikileaks' bacon - jgrahamc
http://techcrunch.com/2012/08/13/cloudflare-helps-save-wikileaks-bacon/
======
gary4gar
I think this move will help establish cloudflare as a strong brand. Great
marketing!

~~~
stfu
Cloudflare's stand on free speech is really impressive. I just wish more
companies would have such a strong position on that issue. They deserve all
the marketing/PR they can get, but first signs are already showing that they
are not just making friends with their position:
<http://www.cloudflare-watch.org/>

~~~
interknot
FWIW "www.cloudflare-watch.org" currently resolves to an IP address used with
a DSL connection (adsl- _-_ - _-_.dsl.snantx.swbell.net).

------
mtgx
If the FBI comes knocking down your door and asks you to stop helping
Wikileaks, I think we'll have confirmation of who's been doing this to
Wikileaks.

~~~
jbooth
Even the FBI wouldn't be that obvious about it.

Now that I think of it, this is a great job creation program. Pay people to
attack wikileaks and wikileaks pays people to defend them. Sort of like
breaking windows and then someone has to fix them.

~~~
alttab
Ok, Zorg.

------
ck2
He really thinks the government push back is going to be via legal channels?

Who does he think is doing the ddos in the first place?

The ddos is happening at over 40GB/sec (2TB every minute). You need massive
resources for that.

~~~
jgrahamc
Where does the 40GBps number come from? Wikileaks appears to have tweeted
about 10Gbps. That's nothing unusual for CloudFlare to handle.

~~~
ck2
I didn't realize who you were at first.

You best set up a page that just says, "as long as this page is up, we have
NOT been served a National Security Letter from the FBI".

Because it's going to contain a gag-order that prevents you from even talking
to your lawyer. So you probably want to ask them ahead of time what to do when
you get the letter.

~~~
mtgx
That's a good idea. But seriously, you can't even tell your lawyer to defend
yourself against something like that? How is that even remotely
constitutional? Does the US Congress pass laws that violate the Constitution
on purpose these days?

~~~
dangrossman
ACLU challenged it in two cases and that aspect was ruled unconstitutional in
both. The law was changed in 2005 to explicitly state that the gag order does
not stop you from talking to lawyers about the NSL.

~~~
tedunangst
Internet time passes much slower than real time. It's still 2004 here.

------
fiatmoney
Does CloudFlare have experience identifying the _source_ of attacks like this?
Because that could be quite interesting.

~~~
jgrahamc
I wrote up a little about our DDoS statistics here:
[http://blog.cloudflare.com/the-wednesday-witching-hour-cloud...](http://blog.cloudflare.com/the-wednesday-witching-hour-cloudflare-dos-st)

One important conclusion is that it's very hard to identify the source for
most DDoS attacks because the IP address is either forged, or innocent.
Identifying the true source would mean getting into the CnC of the botnet
being used. Our business isn't about tracking down who, but simply stopping
attacks.

~~~
blibble
I've been behind a large often-targeted service for the last 10 years or so,
and most of the large attacks we get are pretty easily filtered as our service
is TCP (like CloudFlare), and most of the attacks we get are either ping or
UDP floods, which we drop at the boundary.

A little harder is the SYN flood with spoofed addresses; how on earth can you
filter those?

~~~
swalberg
Aren't SYN-cookies [0] the traditional defence against SYN floods? The proxy,
or a device in front of it, could take care of that. Only connections that
complete the 3 way handshake would take up any room in the connection table.

0 - <http://tools.ietf.org/html/rfc4987>
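
The SYN cookie scheme swalberg refers to, as an added example (not code from CloudFlare or anyone in the thread; the secret, MSS table and addresses are constructed): the server answers each SYN with a sequence number that encodes the 4-tuple, a coarse timestamp and the MSS under a keyed hash, stores nothing, and only allocates connection state when an ACK echoes a cookie it can verify. Spoofed SYNs never produce that ACK, so they cost a hash computation and no table space.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for this example; a real stack keeps and rotates its own.
SECRET = b"example-only-syn-cookie-secret"
# Four MSS buckets the 3-bit field can encode (constructed table; real stacks differ).
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac24(src_ip, src_port, dst_ip, dst_port, t, mss_idx):
    """Keyed 24-bit tag over the 4-tuple, counter t and MSS index (truncated HMAC-SHA256)."""
    msg = struct.pack("!4sH4sHIB", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, t, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, t, mss):
    """Initial sequence number for the SYN-ACK: 5 bits of t, 3-bit MSS index, 24-bit tag.
    No per-connection state is kept; everything needed later lives in this number."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tag = _mac24(src_ip, src_port, dst_ip, dst_port, t, mss_idx)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | tag


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, max_age=3):
    """Validate the cookie echoed in the final ACK (ack_number - 1).
    Returns the MSS to use on success, or None for stale or forged cookies."""
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    # Only the low 5 bits of t survive in the cookie; recover the full counter by
    # trying the last max_age+1 values, at most one of which can match t_low.
    for age in range(max_age + 1):
        t = now - age
        if t >= 0 and (t & 0x1F) == t_low:
            if tag == _mac24(src_ip, src_port, dst_ip, dst_port, t, mss_idx):
                return MSS_TABLE[mss_idx]
            return None  # counter matched but tag did not: forged or tampered
    return None  # no recent counter value matches: expired cookie


if __name__ == "__main__":
    # Constructed exchange: client 203.0.113.5:40000 -> server 198.51.100.10:443.
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.10", 443, t=100, mss=1460)
    # A genuine client echoes isn+1 in its ACK; the server validates a few ticks later.
    print(check_cookie(isn, "203.0.113.5", 40000, "198.51.100.10", 443, now=102))
```

Because the tag is only ever recomputed when an ACK arrives, the per-packet cost of a spoofed SYN flood is one hash and one SYN-ACK, which is the bandwidth problem blibble raises rather than a state-exhaustion one.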

~~~
blibble
It's just the sheer amount of packets hitting our network that causes the
issue, not what is inside them!

~~~
Dylan16807
I don't understand. Why is it simple to filter UDP but not simple to filter
based on a cookie? Is the validation cpu-expensive in bulk? Do you not have
the capability to filter that way at the boundary?

------
mp3geek
Will the massive DDoS on wikileaks affect other cloudflare users? Increased
latency/server load?

~~~
jgrahamc
Unlikely. This stuff is our bread and butter. We are under DDoS attack 40% of
the time 24/7 (see: [http://blog.cloudflare.com/the-wednesday-witching-hour-cloud...](http://blog.cloudflare.com/the-wednesday-witching-hour-cloudflare-dos-st)).
A 10Gbps attack is not unusual for us and we've seen much higher. We
have a lot of experience dealing with DDoS attacks.

~~~
jasonlingx
You guys are the best!!! :) Now if only you supported wildcard DNS so I can
protect my Wordpress site as well.

~~~
steelersmobile
What does wildcard DNS have to do with wordpress sites? I have 5 wordpress
sites with subdomains all pointing to one single server but protected behind
cloudflare. All sites have their own domain with their own subdomains, like
mobile.domain.com or whatever, but that has nothing to do with wordpress or
cloudflare support; just create new records.

------
fragmede
> On Friday Wikileaks complained on Twitter that CloudFlare had preemptively
> blocked the organization from signing up.

I wonder what the actual error message is. Wikileaks actually had to complain
on Twitter before finding out they weren't actually blocked, just that there
was a special signup process for high-volume accounts.

If there are high-volume site operators who didn't want to tweet CloudFlare
for whatever reason, I wonder who else they could list as customers by now.

------
sp332
I'm not clear on how this works... Doesn't cloudflare just replace the
domain's DNS record to point to their own servers? So an attack on the
original wikileaks IPs would still be fairly effective. Maybe less effective
because CF delivers cached content to normal users, but it would keep WL from
delivering large files to the CF servers to begin with.

~~~
StavrosK
Well, it's easier to block packets coming from every IP except CloudFlare's
IPs, so I guess that would be one way of doing it.

------
alttab
And the initial product offering is free fellas.

------
cagenut
That network provider legal protection, does it apply if you're caching? Are
you caching wikileaks or just proxy/filtering?

------
1010011010
Headline in a few days: CloudFlare servers impounded on suspicion of "piracy"
or some such, CloudFlare executives arrested.

/sigh

