"The attacks are also highly concentrated in a small number of locations mostly on the US west coast."
Does that mean the attacks are against a small number of locations on the west coast or originate from those locations? I suppose if they are originating from a small number of locations (is a location a single IP?) then it's easier to defend? It's hard for me to wrap my head around attacks of this scale.
Cloudflare uses BGP Anycast, I think what that indicates is the sources are all / mostly systems on the US West coast and when using anycast you tend to end up at the nearest data center.
"...very large L3/L4 floods aimed at the TCP protocol."
If these attacks aren't simple floods of bogus TCP segments (SYN floods, etc) and they're actually completing the TCP handshake then tracing their source should be trivial (since, by definition, they couldn't use forged source addresses).
I'm assuming that they are just floods of bogus TCP segments w/ forged source addresses, which seems like a simple-enough "upgrade" that could have been deployed to existing botnets.
Right. Assuming it was SYN floods, and spoofed IP addresses, do you imply that Cloudflare should send back 400gbps of SYN+ACK syn cookies packets to the wide internet?
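The SYN-cookie exchange these two comments argue about, as an added worked example (not code from the thread or from Cloudflare): the server encodes the connection tuple, a coarse timestamp and an MSS bucket into the initial sequence number of its SYN+ACK, keeps no half-open state for spoofed SYNs, and only allocates state when a returning ACK carries a cookie that validates. The secret, the 64-second tick and the MSS table are constructed values for the example, not anyone's production parameters.

```python
import hmac
import hashlib
import struct

# Constructed secret; a real stack rotates a kernel-private secret periodically.
SECRET = b"constructed-secret-for-example-only"
# Constructed MSS buckets: the cookie only has room for a 2-bit index, not the raw MSS.
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64        # constructed: the embedded counter advances every 64 s
MAX_AGE_TICKS = 1        # a cookie older than ~1-2 ticks is rejected


def _keyed_hash(src_ip, src_port, dst_ip, dst_port, count):
    """Keyed hash over the 4-tuple and time counter; without SECRET an attacker
    cannot compute a cookie, so a forged ACK will not validate."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def make_cookie(client_isn, src_ip, src_port, dst_ip, dst_port, mss, now):
    """Server ISN for the SYN+ACK: top 8 bits carry the time counter, the low
    24 bits carry hash + MSS index, all offset by the client's ISN.
    Nothing is stored server-side, which is the whole point under a SYN flood."""
    count = (now // TICK_SECONDS) & 0xFFFFFFFF
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
    h = _keyed_hash(src_ip, src_port, dst_ip, dst_port, count)
    return (client_isn + (count << 24) + ((h + mss_idx) & 0xFFFFFF)) & 0xFFFFFFFF


def check_cookie(ack_seq, client_isn, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the ACK of the handshake. Returns the negotiated MSS on success,
    or None if the cookie is stale or was not produced with SECRET for this tuple."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    count = (now // TICK_SECONDS) & 0xFFFFFFFF
    diff = (cookie - client_isn) & 0xFFFFFFFF
    age = (count - (diff >> 24)) & 0xFF          # ticks elapsed since the cookie was issued
    if age > MAX_AGE_TICKS:
        return None
    cookie_count = (count - age) & 0xFFFFFFFF    # recover the full counter used at issue time
    h = _keyed_hash(src_ip, src_port, dst_ip, dst_port, cookie_count)
    mss_idx = (diff - (cookie_count << 24) - h) & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def flood_demo(spoofed_syns, now):
    """Model the server side of a spoofed SYN flood: each SYN yields one SYN+ACK
    addressed to the (forged) source and zero stored state. Returns the number of
    SYN+ACK packets emitted, i.e. the reflected volume the thread is asking about."""
    replies = 0
    for client_isn, src_ip, src_port, dst_ip, dst_port in spoofed_syns:
        make_cookie(client_isn, src_ip, src_port, dst_ip, dst_port, 1460, now)
        replies += 1                             # one SYN+ACK per SYN, no table entry
    return replies


if __name__ == "__main__":
    src, dst = bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7])   # constructed addresses
    c = make_cookie(1000, src, 40000, dst, 443, 1460, now=1_000_000)
    print("valid ACK ->", check_cookie(c + 1, 1000, src, 40000, dst, 443, now=1_000_000))
    print("stale ACK ->", check_cookie(c + 1, 1000, src, 40000, dst, 443, now=1_000_130))
```

The design trade-off the thread touches on is visible in `flood_demo`: the defender keeps no state, but every spoofed SYN still costs one SYN+ACK toward whatever address the attacker forged, so cookies solve exhaustion of the half-open table, not the bandwidth of the reply stream.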
I'm getting quite fed up with CloudFlare using HN as marketing tool.
Their mafia-style feature up-sales (oh, you want the features that matter, start paying 8k a month), lack of responsibility for what flows through their infrastructure, 'we do not host anything so we are not responsible' attitude...
If I use that mentality or reasoning when stolen or other illegal goods flow through my house or shed, the police will not accept that as an excuse... facilitating criminals.
> Their mafia-style feature up-sales (oh, you want the features that matter, start paying 8k a month)
They offer far more in their free plan than any other CDN of their ilk which I've used (good luck getting Akamai for free!!). However, if you know a service like CloudFlare that's as good as CloudFlare is and as cheap as you suggest they should be, then I'm sure many on here would love to hear your recommendations ;)
> lack of responsibility flowing through their infrastructure, 'we do not host anything so we are not responsible' attitude...
That's exactly how the vast majority of the tech industry works though. No service provider wants to be held accountable for the illegal activities of a small minority of their users. It's like blaming the telephone companies because a terrorist happened to lease a line from them. Or blaming Google for automatically crawling a site which hosts warez. What you're asking for is in-house moderation at scale, and that's unsustainable.
>If i use that mentality or reasoning when stolen or other illegal goods flow through my house or shed, the police will not accept that as an excuse.... facilitating criminals.
I appreciate no analogy is perfect, but yours is further off than most. People shouldn't get access to your property without your consent, so it's hard to argue that you weren't aware of the illegal activities happening in your house. However, if you gave your house keys to friends who then went behind your back to distribute said content without your knowledge, knowing that you would disallow it if you were aware, then you wouldn't be facilitating the criminals. CloudFlare offers an automated service at scale. Occasionally that gets abused, but it's not something they condone. Blaming CloudFlare for that is like blaming kitchen knife manufacturers because some thugs used their blades to stab someone.
I don't think you've tried to report abuse to CloudFlare before, have you? Your analogy is actually further off. CloudFlare IS aware of the abuse and illegal activity. They DO condone it through their inaction. They claim since they aren't the actual source of the content, they don't have to do anything about it, effectively letting the criminals and scammers continue their abuse behind their shield. They have all the capability in the world to respond to valid abuse complaints, and actually stop the abuse, but they actively choose to allow it.
If they start accepting takedown requests as a general policy, though, they become an attack vector themselves. Their customers would start getting calls saying "give us $LARGE_SUM in untraceable bills or there'll suddenly be thousands of plausibly-authentic complaints that your $VALID_BUSINESS is actually a malicious site"; no one wants that. They've decided to not make themselves the internet police for a reason.
For the amount of traffic information they leech from your visitors, yes they should consider offering this for free, you are already paying with the privacy of your users.
And I'll give an example: you can create forced browser checks for countries you select. You want to block the country completely? Only available for enterprise.
While imho the first requires the exact same check to determine whether a forced browser check should happen, a block of the country requires an enterprise-grade service? Bullshit.
You go to McDonald's, order a burger without cheese and get charged more than when you order a burger with cheese where you ask for the cheese to be checked before it gets applied to the burger, which is more work. Is this metaphor simple enough?
Interesting choice of an example. I'll tell you the actual reason we don't let most customers block countries entirely: we don't want to help facilitate the balkanization of the Internet.
Cutting an entire country's population off from being able to access some content is, per se, a bad thing. You're correct that the challenges we do allow for all customers are more work for us. However, they resolve the (largely bogus) perceived security risks some people cite for blocking whole countries while only minorly inconveniencing legitimate users from those countries.
This was a decision I made early on in Cloudflare's history, anticipating someday we may operate at a scale where it would matter. And, now that we do operate at that scale, I'm glad I did or I fear we would be a force in carving up the Internet into increasingly regional pockets of information.
Aha, the CEO, what a pity I noticed it so late. I hope you actually do something about their non-stop posting of CF blog content here for advertisement.
That is a careful or convenient use of the word 'most', but it is not an answer to the question that has been asked. And you still offer the feature (if paid for), so saying you do not want to facilitate balkanisation while still having the feature seems a bit contradictory to me. Will you be removing this option/feature from your services totally?
Currently it IS possible, and CF lets everybody do it, as long as they pay for the enterprise membership. At least that is what I understood from the CF admin panel; I assume the information it displays is correct. And your reply lacks any proper reasoning why it costs serious money to block while it technically requires fewer resources, meaning lower costs. That was the actual question.
"Cutting an entire country's population off from being able to access some content is, per se, a bad thing."
Yes, to filter solely based on the origin, race etc. of a person is even (often) unlawful (some people even call it racism, though I think we all belong to the same human race, homo sapiens sapiens). Though we both know we are not talking about human users; that is not the reason why people put their site behind cloudflare? Nobody generally complains about having too many legit visitors on their website...
You want to use this feature when under DDOS (I've been the target of 'quite' a few). And when you see 99.999% bogus crap traffic from a country (or countries; which normally doesn't give you any site visitors), give me one real reason not to block it (be it temporarily), and for allowing CF to keep passing through requests from BAD hosts?
I will just leave it at this before I catch myself writing another rant. Though I honestly and respectfully hope you will think about taking more responsibility for the junk flowing through your network and the amount of HN posts for marketing purposes.
thinkMOAR, Internet Surfer, RBL operator & owner, Systems Engineer, Network Engineer, SysAdmin, Programmer, Webdesigner, Husband, Brother & Son.
Well, just because they have access to some data doesn't mean they use it. Your ISP gets all of this data and more, and if you want you can set up CF to have anything really secure pass through their servers encrypted so they can't see it, and there are a variety of options for less-secure stuff (including a scenario where CF can inspect SSL-encrypted information without needing direct access to the private keys, so you can only allow them to inspect specific things).
But how do you run a service like cloudflare without having access to the data? Short of efficient fully homomorphic encryption it's not possible.
And from your analogy it sounds like you have an issue with what they are putting behind the "paywall", not that they are doing it? If this is the case, I understand where you are coming from, but I still don't really agree.
The web and the physical world aren't analogous; forced "checking" and blocking are two completely different things, and treating them as separate features doesn't set off any alarm bells in my head.
"Well just because they have access to some data doesn't mean they use it." This reads very naive in my opinion.
But no, you didn't understand much of what I intended to bring across and even created a point for me I did write. I did not say they should not have access to your data.
I wrote that, for the amount of traffic information (if you can't or don't understand how to monetise that, please google a bit), they should _consider offering_ the service for free, including features that matter.
And to block something what do you have to do first? 'Check' if the condition to block is true or false. If country == x move request to the nearest recycle-bin seems to be the most efficient action, requiring the least of anything.
So it would make more sense in my opinion if it was vice versa, block countries for the default subscription, filter more 'advanced' as premium feature.
For some reason I doubt you have ever enabled CF in a ddos situation?
I don't like the fact that a significant percentage of page views on the Internet can be intercepted by a single organization either, but I think it's a bit weird to be concerned about privacy while arguing they should pivot to monetizing the traffic they see rather than continue to charge for the service they offer.
> You go to McDonald's, order a burger without cheese and get charged more than when you order a burger with cheese where you ask for the cheese to be checked before it gets applied to the burger, which is more work.
Will McD even allow you to order like that? Even if they did, I wouldn't be surprised if you had to pay extra - McD operates a standardized process for food preparation that ensures you get uniform quality everywhere in the world. They don't hire chefs, they hire people that follow detailed instructions to assemble your food. Making you a custom burger is a cost for them.
I agree with you. CloudFlare is infuriating to attempt to work with if you're trying to stop abuse. It remains a haven for bullet-proof hosting for all sorts of abuse. Need to run a spam campaign? Put your target site behind CloudFlare, they're happy to help you keep it up and running!
If they have detailed contact negotiations with known criminals, I can see how that's problematic. But as long as criminals get the same deal as everyone else, I don't see a problem. Mafia bosses get a regular phone line too, even if they use it to conduct illegal business.
Known abuse happens through their service, and they shield the offending party. You like all of those Viagra spam emails? You like the scams run against vulnerable people? That's not net neutrality. If CloudFlare was an above-board player they would take steps to stop this abuse traversing their services when it is brought to their attention. Instead, they know about the abuse and give the big middle finger to those who report it to them.
>Net neutrality is the principle [...] treat all data on the Internet the same, not discriminating or charging differentially by user, content, website, platform, application, type of attached equipment, or mode of communication.
Criminality can only be discerned by user or content. Both are protected under net neutrality.
I've seen one at my previous place and the other at my current place. I've seen both bills and both features and the worst sides of both. I'd recommend cloudflare anytime to anyone.
Isn't this because the attack is originating from office work computers? People come to the office in the morning, turn on the PC = attack starts. At the end of the day they simply switch off their computer = attack stops.
If this was the result of many thousands of such machines, you'd see a much more gradual ramp up and shut down because they wouldn't be in such good sync with each other, plus the ceiling wouldn't necessarily be so sharp either. This is especially true once you consider timezones, and the fact that botnets are not generally confined to a single timezone. While this may be a lot of machines, the relative sharpness of the bandwidth graphs suggests a single control source turning things on and off, even though the attack itself may be using an arbitrary number of machines.
(Note the fact that it isn't perfectly sharp doesn't mean it isn't a single source... it takes time to command and control thousands of machines over the internet.)
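The argument in the two comments above is a detection heuristic: a sharp edge on the bandwidth graph points at one controller switching traffic on and off, while many independent machines in several time zones would produce a gradual ramp. As an added example (not code from the thread or from Cloudflare), here is that heuristic applied to two constructed bandwidth series: it measures 10%-to-90% rise and fall times and the flatness of the plateau, then labels the series. The sample interval, thresholds and both time series are constructed for the example; the 400 Gbps scale is borrowed from the thread only as an order of magnitude.

```python
import statistics
from typing import List, Optional

SAMPLE_INTERVAL_S = 10      # constructed: one bandwidth sample (Gbps) every 10 s
SHARP_EDGE_MAX_S = 30       # constructed: an edge faster than this looks centrally commanded
FLAT_PLATEAU_MAX_CV = 0.05  # constructed: coefficient of variation for a "flat ceiling"

SYNCHRONIZED = "synchronized burst (single control source likely)"
GRADUAL = "gradual ramp (uncoordinated sources likely)"

# Constructed series: a flood that switches on and off almost instantly.
SHARP = [0.5, 0.6, 0.5, 390, 398, 402, 396, 400, 401, 397, 0.7, 0.5]
# Constructed series: traffic that builds and decays over many samples.
GRADUAL_SERIES = [1, 4, 12, 30, 60, 100, 150, 200, 240, 270, 290, 300, 305,
                  300, 290, 270, 240, 200, 150, 100, 60, 30, 12, 4, 1]


def rise_time(samples: List[float], lo: float = 0.1, hi: float = 0.9) -> int:
    """Seconds from the first sample at >= lo*peak to the first at >= hi*peak."""
    peak = max(samples)
    t_lo = next(i for i, v in enumerate(samples) if v >= lo * peak)
    t_hi = next(i for i, v in enumerate(samples) if v >= hi * peak)
    return (t_hi - t_lo) * SAMPLE_INTERVAL_S


def fall_time(samples: List[float], lo: float = 0.1, hi: float = 0.9) -> Optional[int]:
    """Seconds from dropping below hi*peak to dropping below lo*peak after the peak.
    Returns None when the series never decays to lo*peak (attack still running)."""
    peak = max(samples)
    start = samples.index(peak)
    t_hi = next((i for i in range(start, len(samples)) if samples[i] <= hi * peak), None)
    t_lo = next((i for i in range(start, len(samples)) if samples[i] <= lo * peak), None)
    if t_hi is None or t_lo is None:
        return None
    return (t_lo - t_hi) * SAMPLE_INTERVAL_S


def plateau_cv(samples: List[float], hi: float = 0.9) -> float:
    """Coefficient of variation of the samples at or above hi*peak; a sharp,
    flat ceiling gives a small value, a wobbly organic peak a larger one."""
    peak = max(samples)
    plateau = [v for v in samples if v >= hi * peak]
    if len(plateau) < 2:
        return float("inf")
    return statistics.pstdev(plateau) / statistics.mean(plateau)


def classify(samples: List[float]) -> str:
    """Apply the thread's heuristic: fast edges on both sides plus a flat ceiling
    suggest one controller; anything else is treated as a gradual ramp."""
    fall = fall_time(samples)
    if fall is None:
        return GRADUAL
    if (rise_time(samples) <= SHARP_EDGE_MAX_S and fall <= SHARP_EDGE_MAX_S
            and plateau_cv(samples) <= FLAT_PLATEAU_MAX_CV):
        return SYNCHRONIZED
    return GRADUAL


if __name__ == "__main__":
    for name, series in (("sharp", SHARP), ("gradual", GRADUAL_SERIES)):
        print(f"{name}: rise={rise_time(series)}s fall={fall_time(series)}s "
              f"cv={plateau_cv(series):.3f} -> {classify(series)}")
```

The usual caveat from the second comment is built in: `SHARP_EDGE_MAX_S` is deliberately larger than one sample, because commanding thousands of bots takes time, so an edge does not have to be perfectly vertical to count as one switch.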