I don't know how old the kid is, but sounds like someone between junior high and high school. I don't even know how to launch such a massive DDoS attack yet. How many do I need to send such? This is interesting...
Side note: Krebs is an interesting person. I have come across his blog many times but I never bothered to find out his actual job. He's a journalist. No technical background. Self-taught. http://krebsonsecurity.com/about/
This is the best example of a civilian out there interested in protecting his data. He would go out of his way to eliminate worms and hackers from touching his laptop... we need more civilians like this (not to blog or to go on a strike, but to be aware of the seriousness of the unsafe nature of the Internet).
Also, his article is really well-written. No doubt; he's a reporter after all.
What would be next? Service providers taking down a white hat site because it discloses vulnerabilities?
I'm quite frankly shocked that Krebs would make the argument to put security before freedom of speech and due process.
Also, CloudFlare is not an essential service nor are they a monopoly. So if CloudFlare goes too far with something, it's not a problem for their customers to leave them.
Put that way, I see them as responsible for the attacks. Maybe you'd feel differently if you were the target of some of these attacks.
I don't see the cost of CloudFlare's service as a problem. In fact, free DDoS mitigation is great. The problem is that they're willing to provide service to booters/DDoS-for-hire services.
Reputable providers prohibit this kind of activity in their AUPs, and there aren't that many companies with their own large networks capable of DDoS mitigation (many are just resellers). If CloudFlare stopped supporting such services, it would immediately put a large dent in the entire booter market because the kids would take care of shutting each other down, and individual booters would find it difficult to find a provider who can mitigate attacks and is willing to provide service to them. (In other words, let them fend for themselves. Screw them.)
> Maybe you'd feel differently if you were the target of some of these attacks.
I agree, and I think this is why a few of us (you and me, in particular) have different views compared to others.
(I have talked to you on WHT recently. Not under this name, but you might have an idea.)
Possibly the implication against CloudFlare is that a service which makes money off DDoS attack prevention (and many other things) shouldn't drum up business by encouraging such attacks. Though in CloudFlare's defense, the attacks wouldn't stop if the sites did. And I'm not sure what else CloudFlare could do to get people to fix NTP servers.
The reason why the DDoS market exploded is because you can now sell your services behind CloudFlare for very little cost instead of competitors DDoSing each other. You can see all the services being sold at hackforums.net.
Without a publicly accessible store front, you will not get funding.
Without funding you will not be able to rent servers to power reflection attacks and to process requests from hosts that turn a blind eye like ecatel.
Ecatel is the big one here. I don't know what it will take for their upstreams to shut them down, but it needs to happen. Do that and many of these reflected attacks will stop.
However hosts like Ecatel are known to specifically allow their customers to send spoofed packets at full speed 24/7.
I think most hosts will notice heavy bandwidth usage, investigate, and then terminate your account. This is why people buy servers at Ecatel even if it is more expensive.
Reputable hosts use uRPF or at least an ACL at their edge to drop any outbound traffic with a source address that isn't in their network.
People buy servers from Ecatel because they're one of the few that (intentionally) do not have such measures in place.
I have tested 5+ major hosts spoofing packets to a remote destination and they all allowed spoofing except OVH.
I know retarded isn't the right word, but nothing else I can think of represents kicking your future self in the balls so hard they're permanently destroyed and you're crippled for life.
This is how they justify hosting *booter.com. Personally, I don't see a big distinction. If you weren't hosting the frontend site, there would be no malicious packets going out from other people's networks. These booter sites attack each other all the time, so without DDoS protection they'd take care of shutting each other down for us :)
Having sent multiple abuse complaints to CloudFlare regarding booters, I have found them difficult to work with. As we've established, they will not censor anything; instead, if they determine your complaint to have some level of validity, they will send you to the actual host.
In one instance, the booter site had no information on registration or what was offered, so I gave them the hackforums thread where the service is being sold. I realize this is basically hearsay and not sufficient evidence to actually shut a site down, but remember that they won't shut a site down in any case. They did not consider this acceptable enough to release information about the host. They wanted me to register an account there and provide it to them for verification. Luckily, I could register without actually paying anything, providing me a nice UI with a big "launch attack" button, and this was sufficient for them.
More recently, they will not even release the site's IP address. All they will do is tell you to email the abuse department of [host] and ask the abuse department to contact them for details. This is ridiculous.
CloudFlare purports to be against DDoS attacks, yet has no problem providing service to admitted DDoS attack services. In other words, CloudFlare is a racketeering operation. They create the problem, indirectly, and offer services to solve it. (I realize they offer a free tier, but their advanced mitigation features are only available on paid tiers.)
This is called racketeering. Create the problem indirectly and offer protection. Sound familiar?
Some people like me may suspect some viruses and trojans are created by AV companies out there. In fact, malicious, money-greedy ones (which no one would use until they got a nice pop-up that reads "your computer is infected, now use our solution") do this. I don't know about the big players out there, but who knows?
If CloudFlare can handle such bandwidth and can defend such attacks for enterprise users, wow, that's a big win for them. Whether they should offer stronger mitigation for any level of users is a different story.
I don't have a problem with CloudFlare offering multiple service levels. That's just smart business. They are one of the relatively few companies with their own network that can mitigate attacks. And that's where the problem lies - they are using that capability to prop up booters (DDoS attack services, if you weren't familiar with the term). As others have said, booters would be largely uneconomical to operate without the cheap assistance of CloudFlare, because the booter "market" is similar to drug gangs - it's a "war" with the booter owners all trying to take out their competition. (So this makes DDoS attacks less easily available, a good thing for the rest of the Internet.)
The problem is that CloudFlare is choosing to allow them to operate, while offering protection services at the same time. This is the very definition of a racket. It is no different from "wouldn't it be a shame if your shop burned down, you should pay us money."
Now, I'm not saying that _all_ DDoS would instantly go away if CloudFlare stopped this. It wouldn't. It would make a significant difference though, IMO. Services like this make it easy for anyone with little skill to launch attacks, and with amplification techniques (NTP, DNS, SNMP, chargen, etc.) the booter needs very little hardware and bandwidth to launch massive attacks.
Put it this way: if I am a security researcher and I want to publish a paper on DDoS, I can make use of CloudFlare to accomplish my objective. How do you distinguish the good from the bad?
What do you propose they should do?
Publishing research papers about DDoS attacks is one thing. Selling a service that performs them (i.e. DDoS-for-hire) is completely different, IMO.
Also, DDoS isn't a big deal for most games. (MMOs, yes, but not most games.) If a gameserver is DDoSed, then a few dozen or a few hundred people are going to be unhappy. Whereas if a website is DDoSed, then tens of thousands of people will be unhappy at a minimum. Since most games aren't really affected by DDoS, it doesn't make much business sense for CloudFlare to try to offer gameserver protection. The market probably isn't big enough to warrant diverting CloudFlare time and resources.
I run (as a hobby) some game servers and have handled several DDoS incidents. Out of all of them, I think there's only been one that I couldn't find real-life details for. When this occurs and the perpetrator is a minor, and I can find details for them, I give the parents a friendly call and let them know. Usually this can be easily resolved in a peaceful manner and without any mention, threats or use of legal action.
several private messages sent by different users on the Spamdot[dot]biz forum who recommended to other members...
So, an archive of illegally obtained private communication? (Or, is it just questionably obtained by having several false identities across boards? The term hacked forums seems to suggest otherwise)...
I guess that by doing illegal surveillance, one can find out things that aren't obvious. How surprising.
Why does it take so long until most rogue ISPs are detected and cut off from the rest of the global Internet?
Not a rogue ISP, just one that hasn't implemented BCP38 (which is most of them, unfortunately).
Is it really so easy? How does the ISP know that the packet came from within its network?
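The two checks mentioned earlier in the thread (an edge ACL that drops outbound traffic whose source address is not in the host's own prefixes, and uRPF, i.e. the BCP38 source-address validation the later comments ask about) can be shown as a small simulation. The following is an added example written for this thread, not code from any commenter, CloudFlare or any host named above; the prefixes, interface names and packets are constructed sample data. An ISP knows a packet "came from within its network" simply because it knows which address blocks it owns and which interface each block is routed behind: anything else that shows up on a customer port is spoofed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the prefixes this hosting network legitimately originates.
OWN_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Constructed sample: reverse-path table for strict uRPF, mapping each
# customer-facing interface to the prefixes routed through it.
URPF_TABLE = {
    "cust-eth1": [ipaddress.ip_network("198.51.100.0/26")],
    "cust-eth2": [ipaddress.ip_network("198.51.100.64/26")],
    "cust-eth3": [ipaddress.ip_network("2001:db8:10::/48")],
}


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the IP header (may be spoofed)
    dst: str    # destination address
    iface: str  # customer-facing interface the packet arrived on


def bcp38_egress_allows(pkt: Packet, own_prefixes=OWN_PREFIXES) -> bool:
    """Edge ACL in the BCP38 spirit: forward an outbound packet only if its
    source address lies inside a prefix this network actually owns."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # unparsable source: nothing legitimate looks like that
    return any(src in net for net in own_prefixes)


def urpf_strict_allows(pkt: Packet, table=URPF_TABLE) -> bool:
    """Strict uRPF: look up the source address in the reverse-path table and
    accept only when the best (longest) match is routed via the interface the
    packet actually came in on."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    best: Optional[Tuple[int, str]] = None  # (prefix length, interface)
    for iface, nets in table.items():
        for net in nets:
            if src.version == net.version and src in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, iface)
    return best is not None and best[1] == pkt.iface


def filter_outbound(packets: List[Packet]) -> Dict[str, List[Tuple[Packet, str]]]:
    """Run both checks on each packet; return the forwarded packets and the
    dropped packets together with the reason each one was dropped."""
    result: Dict[str, List[Tuple[Packet, str]]] = {"forwarded": [], "dropped": []}
    for pkt in packets:
        if not bcp38_egress_allows(pkt):
            result["dropped"].append((pkt, "source not in own prefixes (BCP38 ACL)"))
        elif not urpf_strict_allows(pkt):
            result["dropped"].append((pkt, "reverse path mismatch (strict uRPF)"))
        else:
            result["forwarded"].append((pkt, "ok"))
    return result


# Constructed sample traffic, as seen at the network edge.
SAMPLE_PACKETS = [
    Packet("198.51.100.10", "192.0.2.1", "cust-eth1"),          # genuine customer traffic
    Packet("203.0.113.5", "192.0.2.1", "cust-eth1"),            # spoofed: source belongs to another network
    Packet("198.51.100.70", "192.0.2.1", "cust-eth1"),          # spoofed neighbour: our prefix, wrong interface
    Packet("2001:db8:10::42", "2001:db8:ffff::1", "cust-eth3"),  # genuine IPv6 traffic
    Packet("10.0.0.1", "192.0.2.1", "cust-eth2"),               # spoofed private source
]

if __name__ == "__main__":
    outcome = filter_outbound(SAMPLE_PACKETS)
    for pkt, why in outcome["forwarded"] + outcome["dropped"]:
        print(f"{pkt.iface:9s} {pkt.src:>18s} -> {pkt.dst:<18s} {why}")
```

The plain ACL already stops the reflection case the thread is about (a customer box emitting packets with someone else's address as the source). Strict uRPF goes one step further and also catches a customer spoofing a neighbour inside the same /24; on a single-homed customer edge that is the right mode, whereas multihomed edges with asymmetric routing usually have to fall back to loose mode (only "is there any route to this source at all") to avoid dropping legitimate traffic.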