Feedly gets hit by DDoS attack, refuses to give in to blackmail (grahamcluley.com)
219 points by chmars on June 11, 2014 | 134 comments

Do people really get punished for it? I mean the actual ones behind those bots, not the innocent ones that had their computer hacked without knowing.

If yes, how long does it normally take to get them? If at all? Weeks? Months? Years?

These days DDoS seems far too easy, far too common.

Heavily depends on the company's presence in the media and how much pressure the owner puts into it. The reports I submitted with evidence of DDOS and traces to the blackmailer through the IC3 form[1] were none of them replied to.

On another side, as bliker mentioned, those are usually kids. Replying to them that you have submitted an official IC3 report usually stops them, and some were even asking to cancel the report.

[1] - https://www.ic3.gov/complaint/default.aspx

I quite liked this article about the issue. http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...

> The shocking thing about these DDoS-for-hire services is that — as I’ve reported in several previous stories — a majority of them are run by young kids who apparently can think of no better way to prove how cool and “leet” they are than by wantonly knocking Web sites offline and by launching hugely disruptive assaults. Case in point: My site appears to have been attacked this week by a 15-year-old boy from Illinois who calls himself “Mr. Booter Master” online.

From Wiki: "For the time being there are no good technical means to counteract misuse of NTP servers"


not entirely true.

enabling source filtering in all networks will essentially kill off these UDP amplification attacks, because the attacker wouldn't be able to spoof your address as the source address.

Is there a good reason for someone to want a high volume of NTP requests? How do the owners of these servers not share more of the blame for sending so much data at a web server?

It should be straightforward to implement a protocol in which each NTP server won't send data to the same IP more than once every 10 seconds regardless of the number of requests.

It's already been fixed. Newer versions of NTP don't reply with more data than they get sent, so you can't use the server for amplification. It's servers that have not been updated that are the issue.
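The two points raised above (source filtering on the attacker's network, and an NTP server never returning more bytes than it received) translate directly into defender-side checks. The following is an added example written for this thread, not code from Hacker News or any NTP project; the flow-record field order, the TEST-NET addresses and the byte counts are all constructed assumptions.

```python
"""Two defender-side checks for the NTP reflection problem discussed above.
Constructed example for this thread, not code from Hacker News or any NTP
project. Flow records are whitespace-separated lines whose field order
(src_ip src_port dst_ip dst_port proto bytes packets) is an assumption."""
import ipaddress
from collections import defaultdict, namedtuple

NTP_PORT = 123
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto bytes packets")


def parse_flows(lines):
    """Parse flow lines, skipping blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(),
                          int(f[5]), int(f[6])))
    return flows


def ntp_amplification_report(flows, min_ratio=10.0, min_reflectors=5):
    """Per IP: UDP/123 bytes received vs bytes sent to UDP/123. A well-behaved
    NTP server never returns more than it was sent, so a high ratio from many
    distinct servers means reflected, spoofed-source traffic."""
    acc = defaultdict(lambda: {"in": 0, "out": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == NTP_PORT:      # reply (solicited or not) arriving at dst_ip
            acc[f.dst_ip]["in"] += f.bytes
            acc[f.dst_ip]["reflectors"].add(f.src_ip)
        if f.dst_port == NTP_PORT:      # request leaving src_ip
            acc[f.src_ip]["out"] += f.bytes
    report = {}
    for ip, a in acc.items():
        if a["out"] == 0:
            # Replies without a single request: infinite amplification.
            ratio = float("inf") if a["in"] else 0.0
        else:
            ratio = a["in"] / a["out"]
        report[ip] = {
            "in_bytes": a["in"], "out_bytes": a["out"],
            "reflectors": len(a["reflectors"]), "ratio": ratio,
            "suspicious": ratio >= min_ratio and len(a["reflectors"]) >= min_reflectors,
        }
    return report


def spoofed_egress(flows, local_prefixes):
    """Source filtering at a stub network's edge: outbound flows whose source
    address is not in the network's own prefixes are spoofed; drop them."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    def is_local(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    return [f for f in flows if not is_local(f.dst_ip) and not is_local(f.src_ip)]


# Constructed flows at a victim-side collector (TEST-NET addresses).
VICTIM_SIDE = """
# ordinary client: 48-byte request, 48-byte reply, ratio 1.0
10.0.0.5      49152 192.0.2.10   123   udp 48     1
192.0.2.10    123   10.0.0.5     49152 udp 48     1
# 203.0.113.9 never sent a request, yet six NTP servers flood it
198.51.100.1  123   203.0.113.9  80    udp 440000 1000
198.51.100.2  123   203.0.113.9  80    udp 440000 1000
198.51.100.3  123   203.0.113.9  80    udp 440000 1000
198.51.100.4  123   203.0.113.9  80    udp 440000 1000
198.51.100.5  123   203.0.113.9  80    udp 440000 1000
198.51.100.6  123   203.0.113.9  80    udp 440000 1000
"""

# Constructed flows at the edge of 10.0.0.0/24, where the spoofed requests
# originate: they carry the victim's address as source, not a local one.
EGRESS_SIDE = """
10.0.0.5      49152 192.0.2.10   123 udp 48 1
203.0.113.9   80    198.51.100.1 123 udp 48 1
203.0.113.9   80    198.51.100.2 123 udp 48 1
"""

if __name__ == "__main__":
    for ip, r in ntp_amplification_report(parse_flows(VICTIM_SIDE.splitlines())).items():
        if r["suspicious"]:
            print(f"reflected NTP traffic towards {ip}: {r['reflectors']} reflectors")
    for f in spoofed_egress(parse_flows(EGRESS_SIDE.splitlines()), ["10.0.0.0/24"]):
        print("spoofed source, would be dropped by source filtering:", f.src_ip)
```

The victim-side report can only tell you that you are being reflected at; the egress check is what the "enabling source filtering in all networks" comment asks every network to run, because it is the only vantage point where the spoofed source is visible.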

Dropping all port 123 packets that are heading to the DDOS'd server from anything but the authorized NTP server is a pretty good start.

Where do you drop the packets? If your filter is inside your own network, and your bottleneck is your network connection to the outside world, then you're out of luck.

If you can arrange with your upstream internet access provider for them to filter out junk before it hits the bottleneck, then great - but that involves cooperating with people, which may take some time.

DDOS is always handled by the upstream by definition.

Yes, people get jailed for DDoS attacks, at least in the UK. For example, two attackers were jailed for 5 years in 2013 for an extortion attempt and DDoS attack against an online casino: http://www.cnmeonline.com/news/ddos-playground-bully-blackma...

Jailtime for extorting a casino sounds like a good deal.

There will always be people who want to get some easy money and have the brains for that. Instead of playing the cat and mouse game we better take care that our networks are protected from, at least, small to mid-range DDoS attacks. The alternative is potential oppression from the governments - "you fear the bad guys, OK, then we will take some more freedoms from you and improve our surveillance to catch them".

There's no reason you can't punish criminals like this and still have a free, democratic, and open society.

Criminals work hard to re-invest their money in the upper world. Once they successfully do that punishing them can become very hard. Free, democratic and open societies are far more vulnerable to this than dictatorships, there you are either part of the 'in-group' or you're going to be hunted.

An open society makes the assumption that people play by the rules and that those that do not will be caught and can be punished. But in reality that assumption does not hold true. Witness the extent to which the Mafia has been able to ruin your country. They've managed to infiltrate the highest echelons of politics, live like kings and in general are so far above the law that it's farcical.

Punishment is for small time criminals. So yes, hackers, burglars, extortionists and so on stand some chance of being caught. But the big fish (in this case, the bosses of the hackers) will likely get away with it while some patsy does time.

Italy is the country where I live, but I'm not sure I'd call it "mine". If it were mine, I'd run it differently :-) I am not a citizen in any event.

I think you're wrong in any event: the more open and well run a society is, the harder it is for mafias to really take root. That's why they are stronger in places like Italy than in, say, Sweden: http://en.wikipedia.org/wiki/The_Moral_Basis_of_a_Backward_S...

And truth be told, there has been progress in the fight against the Mafia, just that it's a long slog, not something that's going to be fixed from one day to the next.

It's frustrating because Italy is one of the most beautiful countries in Europe and has many nice people living there.

Funny you should mention Sweden, they actually have quite a bit of gang activity and organized crime there. It's not as visible as the Mafia and definitely not as organized but being an 'open society' is definitely perceived as being ripe for the plucking by the not-so-nice elements in our world.

I find it favorable to compare with the other opposite: dictatorships. There you usually have very little small time crime, all the crummy criminals are caught and punished (usually very harshly). But the government is the elephant in the room in those countries, they are the real criminals.

I think that crime is somehow systemic, that it is almost impossible to have an open society without having crime in the populace and as that model shifts towards a more closed society the crime shifts with it until the majority of it is found amongst those that rule.

There simply is an element of society that will try to game any model in such a way that they maximize their pay-off while minimizing their potential exposure to hard work. Parasitic behavior. And being a parasite works, it's a good niche to be in and plenty of people that find the regular roads to riches closed to them for whatever reason figure that they're going to get theirs no matter what.

I guess if by open you mean the government has surveillance everywhere and all your secrets are out in the open, that's true.

Bullshit. It's perfectly possible to get warrants to track down the bad guys in a case like this. No surveillance state needed.

Regular warrants given after the attack (to get records or add logging and records) and no pre-existing logging on the network (enforced on providers, or done by a central entity with or without legal permission) makes it really hard to track down attacks which are short-lived, highly mobile, etc.

I'm not sure where the current, ideal, and historical tradeoffs have been for this.

Pairing blackmail + DDoS is a guaranteed way to get the big guns to investigate.

Yes, but for the blackmail part, not the DDoS and then only if the perpetrators are in a country that cares to work with the laws of the victims country.

If all the ddos goes through a botnet, and the blackmail is done using Bitcoin, it could be really harsh for the authorities to find who is behind the attack.

Why do you think someone is innocent if they let some third party use their computer without permission? For essentially all malware that makes your computer part of a larger botnet, you have to be extremely careless to let it get on your device, not dissimilar to leaving your car unlocked when it is subsequently stolen and used in a crime (or just misused by playing kids). The latter is illegal[0], why should the former be ok?

[0] http://www.gesetze-im-internet.de/stvo_2013/__14.html

From our perspective - yes, that's pretty silly. But we are different, we are extremely far from the majority.

For many, many people, a computer is just a box for writing stuff in MS Word and watching porn.

Tell them not to open .exe files in email. "What are .exe files?"

Don't use IE. "What is IE?" Next time they click on it to get to the Internet.

Can you please stop using XP? "Why should I pay for an upgrade when everything I do is working perfectly fine?"

Honestly, there are people who don't know Shxt. And they don't want to know about it either. To them even basic computer usage is extremely complex. That is why tablets are getting traction with Grandma and others who don't want anything but an Internet- and application-capable appliance.

How much do you know about your car's internal combustion engine and components?

Your home electrical?

Your home plumbing? Natural Gas? Lawn care?

The pumps that fuel your car tank?

Not everyone can be an expert in everything. Someone who makes their living perfecting one of those aspects might look at things you do and say "don't do that, you're damaging it" but to you it's "who cares? I just need it to work and it's been fine up until now!"

Computers/software might be your thing but they're not Grandma's so don't push your agenda on someone just because they might have some ignorance you don't.

Yeah, exactly. We almost live in computers, most of our friends and colleagues do, but there are so many people for whom a computer is just a black box. And there is nothing to be angry about. You don't want a car mechanic or plumber to think that you are an idiot; casual users don't want that either, they just have more important things to care about :)

Indeed. I used to catch tons of shit about not understanding cars from a mechanic friend until his laptop died and I helped him recover photos of his kids.

Now we're both content to be wizards of our own domains without talking down to each other about it.

I would have expected a lot of HN users and a majority of those working professionally in technology to have at least basic high school knowledge of electrical and mechanical principles.

If I were interviewing someone for a developer role and they had not at least heard of Ohm's law or similar basic principles I would probably pass on them.

"not dissimilar to leaving your car unlocked when it is subsequently stolen and used in a crime"

In the US at least, this is not a crime. If someone leaves their car unlocked by accident, why should they get punished if someone steals it and uses it for a crime?

Victim blaming is not the answer, it's just silly.

> In the US at least, this is not a crime. If someone leaves their car unlocked by accident, why should they get punished if someone steals it and uses it for a crime?

Negligence. If you own a powerful tool, you are at least in part responsible for it not to be misused. Similarly to how you are usually required to keep your guns locked away and are held responsible (at least ideally…) if someone steals them from your kitchen table and misuses them, you are held responsible if someone just sits in your car and drives off to kill someone.

> Victim blaming is not the answer, it's just silly.

Except that the victim in a DDoS is the person being ddos’d, not the random user who installed malware. If someone gave you a key and said “Enter this flat over there, take the computer, bring it to me and I’ll give you 10€“, you couldn’t later claim to be a “victim” because they stole your time. If someone sends you a file and goes “double-click this and you’ll get fantastic porn”, I don’t see how you could later claim to be a victim if they stole part of your data cap.

If someone tells you "Enter this flat over there, take the computer, bring it to me and I’ll give you 10€", it's on you to realize that that is illegal (and morally wrong) and refuse to comply.

"Double-click this for fantastic porn", on the other hand, will sound perfectly legitimate to many unsuspecting computer users. And there is nothing inherently illegal about the act.

A gun is one of the few things you could reasonably make the negligence argument with. Anyone can get a car, or a knife, or a big plank, and leaving one in the street with no lock does not meaningfully contribute to crime.

I was just wondering why I couldn't hop on Feedly.

I feel sort of bad that this is what makes me finally self host my RSS reader, since it's totally out of their control, but I've been planning on jumping ship for a while, it's just been low priority for me. Goread has been tempting me though, so I guess I'll check it out.

I'm in the same boat. Was thinking of leaving for a while, feel kind of bad this is what pushed me off the edge.

For me, I stopped and thought about how I access my RSS feeds. I used to be a pure desktop RSS reader, and then I started using both my phone and my desktop, and since Google Reader shut down I've mostly just been using Feedly on my phone. Since I only check my feeds on one device now, I don't need to worry about syncing across platforms, which is the primary purpose of Feedly in my opinion.

If that sounds like you, and you're on Android, check out gReader. While it can integrate with Feedly and a few other services, it can also just act like a "dumb" RSS reader and just download the feed content to your phone instead of relying on a sync service. So far I'm enjoying the experience.

try newsblur!

Any suggestions on the best RSS reader to self-host?

I like TT-RSS, mostly because it's easy to install, doesn't require a beefy machine, and supports themes and plugins.

For example, I use it with the feedly theme (https://github.com/levito/tt-rss-feedly-theme) and af_feedmod to get a full text feed for various sites (https://github.com/m42e/ttrss_plugin-af_feedmod).

Second the recommendation for TT-RSS. For a few bucks it has a good Android app that can hook into your self-hosted server as well. For me it beats a plain old "dumb" mobile app with no sync service since I check so infrequently that I'll sometimes miss stories on feeds that don't maintain a full backlog of posts--it gives me peace of mind knowing that I have a cron job saving everything for me even when I'm not actively doing anything.

Since Google Reader went away I've tried to self-host from the Raspberry Pi. Low resource usage was a priority, then, and TT-RSS was a touch too heavy for my liking.

Miniflux was faster, which I now use for audio/visual content (also appreciated its encouragement to pare down my feed list) but the overall winner in terms of pure day-to-day simple usage is Newsbeuter.

It's a mutt-like RSS reader and it's just an extremely efficient way to keep on top of feed information. And of course it's nice to be able to read feeds over SSH directly.

[1] - http://miniflux.net/

[2] - http://newsbeuter.org/

Third here! I have it running on a $5 DigitalOcean VPS (along with Exim, Dovecot and a static website on Nginx) and it just flies. The SSD helps, though - it can be heavy on I/O.

Since it hasn't been mentioned yet, I'd like to suggest NewsBlur[1].

I didn't dare to install it on my machines since there are a lot of requirements.... I went the paid route instead.

I'm happy with Fever° (http://www.feedafever.com), that I host on an atom server on OVH with no performance problems.

If you don't mind paying for rss, https://www.feedsapi.org is a decentralized option, you can use it to turn evernote or instapaper into an rss reader on the fly.

If you were a former Google Reader user, you might like Feedbin. I've been with them for the last year or however long and have been fairly happy.

How does this solve the problem of another DDoS against some other RSS reader? Are you going to suggest that if Feedbin gets attacked next, to hop to the next product?

Yeah, it doesn't really seem like "switch to the feed provider who isn't getting DDoS'ed" is a solution.

Or he saw the other guy is open to trying different RSS readers and simply made a recommendation.

I'm moving TO Feedly since they've already had their attack. Next round would be some other provider.

Sadly, that doesn't seem to be the case, they're being DDoS'd again today (new attack).

I've been using Digg Reader for a while and I'm actually kind of shocked that most people haven't moved to that. It has its bugs (sometimes showing incorrect numbers, the mobile app locks up sometimes), but it's honestly the best alternative that I've found so far.

Maybe it has to do with its free-ness, as people worry about them shutting doors like Google Reader, but if you're looking for a free solution then I'd definitely recommend it.

The development has been glacial bordering on non-existent since launch on Digg Reader. The betaworks team that created it was able to do so in a matter of weeks – after re-writing and launching the new Digg on a similar timeframe – which makes me think the current lack of progress is because they've moved on to other things (Instapaper, for one).

It's too bad, digg reader had a lot of promise.

I was a very happy Digg Reader user for a while, but the bugs just kept getting worse and worse, and I jumped ship.

Now I'm on BazQux, which works very, very well and very, very quickly, but has no mobile version and a design straight out of 1996.

And it's written in Haskell. Which makes me want to take a look at Haskell again :)

I thought they used Ur/Web.

Ur/Web is used mostly for generating JavaScript and part of the web server. Most of the backend is written in Haskell.

You can look at it in more detail here: https://github.com/bazqux/bazqux-urweb

I've been super happy with Digg Reader. The few bugs I've seen are not that big of a deal. I've never seen anything that an actual page reload didn't solve. I've not tried the mobile app though.

If more users use Feedbin, then it will also be DDoSed and blackmailed. I think self hosting is the only solution here.

I'll second support for Feedbin. The interface is clean and uncomplicated, it's so cheap that it really isn't worth my time to self-host, and it works with my RSS apps of choice.

I've been using Fever since Google Reader shutdown: http://feedafever.com/

I have put together install instructions here: http://thornelabs.net/2014/05/10/install-fever-rss-reader-on...

I wonder why they're not using Cloudflare.

I was just thinking the same thing. I have a website that I run and I was DDoSed one week and got over 1 million page requests but Cloudflare deflected most of the traffic. My New Relic logs were crazy because it showed that traffic was WAY up; I immediately knew what happened though.

Seems that they are in the process of starting to use it.

I don't know anything about Cloudflare, but isn't using a CDN with dynamic web-apps difficult? Sure you can host static content like javascript, CSS, images, etc. but caching stuff like what feeds, articles, etc. you've read can't be easy or efficient for a CDN.

They provide more than just a CDN. They manage your DNS so there are many more things they can do to deflect attacks.

If you read the comments on the Feedly blog, they are using Cloudflare.

Not sure what plan they're on or what kind of revenue they generate, but even the $200/month business plan is a life saver considering some of the features:

- Advanced DDoS protection (layers 3,4 and 7)

- 100% uptime guaranteed

- BGP Origins protection

- Web Application Firewall

It's now showing CloudFlare Error 522 (Connection timed out)

Not sure if they integrated CloudFlare now or it was present before.

Cloud flare is a protection racket. Some people don't use them on principle. They are the vendor selling chastity belts to stop rape. It is in their best economic interest that these attacks continue.

It's sad that to run a service now the expectation is to shovel money to another service to absorb UDP packets.

That's like saying bodyguards are a protection racket because muggers and assassins exist. Yes, it sucks to have to pay for defense, but that doesn't mean the problem is your defense vendor's fault, or that said vendor has done anything wrong at all.

I don't think anyone has a problem with offering defense services. The problem lies in that CloudFlare is helping to create the problem. It would be analogous to your bodyguard constantly hiring hitmen to make attempts at your life.

Are you actually claiming that CloudFlare is paying for DDoS attacks, or is that a really poor metaphor?

Perhaps a poor metaphor in your opinion. I don't believe, nor did I claim, CloudFlare themselves is carrying out DDoS attacks. What they _are_ doing is making it way easier for others to do it.

So, perhaps more to your liking would be selling armed guard services to guard against a gang robbery, while simultaneously funding and supporting (but not actually participating in, i.e. not actually providing people for) said gang.

If you're looking for an actual metaphor, it would be selling armed guard services to you and also to gangs. It's not even clear, in this metaphor, that said armed guard vendor can even tell the difference between law-abiding citizens and gangs - and they can't just shut down services to anyone accused of being a gang, because then the gangs get you by telling ARMED GUARDS, INC that you're a gang and then robbing you while you're not protected.

This metaphor got long and stupid, but at least it's accurate. Stop fear-mongering just because you don't like CloudFlare.

You aren't getting it. The issue isn't that CloudFlare doesn't proactively seek out such sites. The issue is that when they are advised a site using their service is a DDoS service, and provided proof of that, _they don't care_ and continue providing service to it. The proper action would be to investigate the abuse complaint, try to conclusively determine if it is true and if so, terminate service to the site.

They don't do that, but continue to sell their DDoS protection service (beyond the free tier), so they are indeed a racketeering operation.

I confess I'm not very familiar with CloudFlare -- in what way are they making it easier to carry out a DDoS?

This comment by michaelt provides some background: https://news.ycombinator.com/item?id=7878053.

In more detail:

- These DDoS-for-hire services being referred to are called "booters," "stressers," or similarly retarded names. For a low fee (I think the average is probably around $10, but you can check yourself), one can buy access to one, where they're able to launch an attack for a period of time (the exact period depends on the booter, and some even charge more for longer attacks; 5-10 minutes at a time is probably around average now) by logging into a website, entering the IP/host, and clicking the "attack" button. That is, no skill. Check places like hackforums yourself and you'll find tons of these. Usually the booters are using Ecatel boxes (generally paid for by the booter owner) because they allow spoofing (which is another topic entirely), some use rooted boxes as well.

- These are very common in gaming, because any 12-year-old with access to mommy's credit card can get their hands on one. That's where the "booter" name comes from; the original meaning was to "boot" someone off Xbox Live (residential connections are obviously really easy to knock out).

- The vast majority of these booters are behind CloudFlare to mask their true host. This serves two purposes: it discourages abuse complaints against the host and also provides the sites with DDoS protection.

- Now, this is like drugs - booter owners don't tend to be friendly with each other. As with rival drug dealers, they'll attack each other and generally try to knock out their competition.

- The only reason these booters are able to operate is because of CloudFlare eliminating the DDoS aspect. If CloudFlare stopped providing service to these illegal sites, they'd be forced to fend for themselves, and it would basically be a "gang war" - everyone attacking each other. Which is fine with me, as if the booter kids are attacking each other, their booters aren't able to mess with anyone else. (Let dumb kids be dumb kids.) Eventually perhaps there will be a small number of booters that come out "on the top," able to withstand attacks, but this then has the effect of eliminating most of the competition, which means the prices will rise. This is also a desired effect, because it's harder to get mommy to agree to pay $100 for something (I'm sure they lie about it) than $10.

- So why not just put your own stuff behind CloudFlare and get rid of the problem? Well, besides the whole issue of not wanting to support this racketeering scam (yes, there is a free level of CloudFlare, but certainly they want to sell you the paid ones and the higher levels can withstand different attacks), this option is only open for websites.

FYI, my position in all this is as a game server owner who has dealt with this BS enough, and I'll admit I'm certainly biased towards that side.

CloudFlare stopping support here would go a long ways towards eliminating the booter problem. It won't eliminate DDoS attacks entirely, of course, but it will eliminate a whole class of them and probably the largest class (because actual botnet owners are rarer). I agree entirely with the assessment that CloudFlare is engaging in racketeering.

It is a protection racket ONLY if they are aiding or doing the attacks. I don't see how protecting a company from DDoS attacks is a protection racket by itself, care to elaborate?

From what I have read, Cloudflare takes considerable flack because they willingly provide services to the websites that let you buy and sell ddos-for-hire services.

Also, I believe their defense is "we are a proxy, not the host, go elsewhere to complain". So, yes- They appear to allow these booters to exist and thrive in a world where they were unable to (at this level) before.

* http://www.webhostingtalk.com/showthread.php?t=1235995

* http://www.organicweb.com.au/17240/internet/cloudflare-secur...

* http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...

If Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing, that's a big bunch of bullshit right there.

Just because a company temporarily relocates behind Cloudflare doesn't mean CF is guilty, though. They can't vet every website before it goes up and each time it updates.

If they aren't kicking these guys off their network for performing the same activities they defend against, though . . . well, "racket" is kind of the term for it.

If Cloudflare kicked accused DDOS-for-hires, the first step in any DDOS campaign would become "accuse target of being DDOS-for-hire". That wouldn't actually be a step forward for DDOS victims who use Cloudflare, because then they would have to provide human input to some sort of appeal process ASAP, rather than Cloudflare just working automatically to thwart an attack.

An accusation should not be sufficient, obviously. Why can't CloudFlare take abuse complaints, verify and take action based on that?

In fact, this is precisely what they've done in the past, though they'd only provide the host details rather than stopping service to a site. (I don't think they'll even go this far anymore, rather they'll give you the abuse email for the host and tell you to have the host contact them, which is ridiculous.) I've filed a few such complaints myself. In one instance, the booter site didn't provide any info about its services without registration, so I linked to the hackforums thread where it was being offered. CloudFlare declined this as sufficient proof. Luckily, I could register an account without payment, and that gave me the options to pay to launch attacks, so I sent the login details to CloudFlare and they accepted that.

Your experience seems to contradict the insinuation that "Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing", to which I responded. So I guess there's no problem after all?

I don't think it contradicts that. CloudFlare is indeed knowingly providing cover to them. The fact that they'll give you an abuse email to the actual host doesn't change them continuing to provide service to such sites, even when they acknowledge a site is a booter.

I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting". Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

I wonder, however, if even the latter policy would solve the booter problem. Accessible websites are convenient for commerce, but they aren't required.

Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services

> I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting".

I agree with this.

> Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.

Somewhat. As of my last experience with them (which was like a year ago), they will accept abuse complaints for booters. If you can prove to them the site is a booter, by providing documentation on the site itself (not hackforums or anywhere else where it's being advertised, which is understandable as it's basically hearsay, though a bit difficult) indicating the site offers a DDoS service, they will provide the abuse@ email of the hosting company. They will tell you to have the abuse@ people contact them directly for further details. This is the only action they will take.

But my opinion is they should, upon confirming the site is a booter, terminate their service to the site. It would also be nice if they would continue to provide the host details, in addition, so the reporter can contact the actual host and have the site taken down from there as well.

> Also, any argument you make about CloudFlare could also be made about Google: I see http://quantumbooter.net as the second link and http://top10booters.com/ as the fifth link at https://www.google.com/search?q=booter+services

Very good point, thank you for mentioning.

The difference I see is that CloudFlare actively provides a service to them, while Google is merely maintaining a keyword-based search listing for them. That being said, I can see both sides of this one.

My views on the legitimacy (rather, lack thereof) of booters: they are a service that serves absolutely no legitimate purpose. The sole purpose is to perform an illegal act against another person. I know a bunch of them are sold on hackforums as "stressers," i.e. "stress test your own server," but that also isn't a legitimate purpose - I can see no case where one would want to stress test their own services with some UDP or SYN flood over the Internet. Such a thing would only be done over a private network using your own packet generator.

I may not have been clear where I made that comment, so let me explicitly say that I do not know the history or state of CF's abuse policies. CF may, in fact, be doing everything right. I was merely stating a condition that, if CF is doing what you quoted, then it would be a "big bunch of bullshit."

Allow them to exist, yes.

Help them thrive, how? I don't understand. Because they prevent DDOS-for-hire services from attacking each other? Surely "other DDOS-for-hire operators" are not the people charged with stopping DDOS-for-hire services.

DDOS-for-hire websites are naturally unstable - if not for the protection CloudFlare provides, they would all knock one another offline and there would be no DDOS-for-hire websites (or only a single, expensive winner).

Depending on your point of view, cloudflare providing the protection that makes DDOS-for-hire possible is either (a) them being fair and website-content-neutral, anything else would be censorship or (b) the glazier giving baseballs to the child who carelessly breaks windows with them, to generate demand for his services that would not otherwise exist.

The DDOS-for-hire company doesn't need a significant or even continuous web presence, does it? Seems ineffective to DDOS them.

EDIT Surely many of these DDOS-for-hire companies cross into illegal territory. CF can maintain a content-neutral stance by kicking illegal activity off.

The DDoS-for-hire being discussed here are called booters. Access to them can be bought for a few dollars (~$10), and then one is able to log into the site and click a button to attack someone for a few minutes (the exact time depending on the booter itself and sometimes how much you pay).

Illegal where?

Their position is a reasonable one: they are not the host, they are not responsible for content, don't ask them to censor.

Illegal in the country that CloudFlare does business in, the USA.

Isn't that an extortion racket when they force you to either buy their service or get attacked?

Unless you are intending to accuse Cloudflare of aiding illegal activity in order to sell services, you may want to change your statement, as this could be considered libel.

Libel is nearly impossible to act upon in the USA. Thank you, first amendment.

Has to actually cause financial or significant personal harm. Something an HN comment will likely never achieve.

CloudFlare offers a free tier as well that provides protection.

I have upvoted the comment to protest HN people downvoting comments that they disagree with. The comment is by no means spam, off-topic, etc.; the only problem is that it lacks one or two links to some backing information.

Wow. FYI, a racket is defined as offering to solve a problem that does not exist, or that would not exist if the offerer didn't force it upon you.

Unless you're claiming the blackmail group is made up of Cloudflare employees, you should choose your words more wisely.

In the security industry I've seen people watch exploits and DDoS attacks and all sorts of chaos with unfettered glee. It's good for business, it's good for my consulting, and (IMHO the key thing) it's good for increasing the social status of security people. "This is why you listen to me!" Plus we or our friends get to be interviewed by NPR. Hi, Mom!

Still, saying they are a racket is a step too far. There were lots of accusations of the antivirus vendors purposefully releasing viruses in the 80s and 90s[1], which would certainly be a racket if it were true.

[1] Not counting the products themselves as viruses.

> [1] Not counting the products themselves as viruses.

Pretty bold assumption IMO

IMO, CloudFlare meets this definition. For many DDoS victims, the problem would not exist without CloudFlare's help. Many cases like this are not some big bad guy with their own sizable botnet, they're just some kid using a booter bought with mommy's credit card. Without those booters being easily available, there would be no problem.

DDoS wouldn't go away without booters, but many small cases like this would be significantly reduced.

I wonder why nearly every self-hosted alternative RSS-reader here is a web-app; isn't using a desktop-application desirable? Like Firefox, Thunderbird, Liferea[1], Akregator[2], and probably lots of OS X applications?

[1] http://lzone.de/liferea/

[2] http://www.kde.org/applications/internet/akregator/

So much of what you're reading in an RSS reader is web content, so naturally you'd want to click through things in your existing browsing experience. At least that's how I view it. I'd like to use a desktop app but find myself never opening it and instead jumping to feedly/google-reader etc.

I'd really like to have a desktop app w/o a web service that synced to my phone, which I also like to read RSS on.

My solution was (and still is) using Pocket[1] to read. I absolutely hate reading on a laptop/desktop. I instead check the feeds every so often using a desktop reader (elfeed nowadays, but I'm seeking something else as I'm no longer using Emacs), and save those I want to read to Pocket. This way I do not need an app that syncs my feeds on each device I have, but rather only Pocket on each of them.

[1] http://getpocket.com/

Multiple devices is the main reason I rely on a web service.

That's why I read RSS via IMAP. All of my devices have an IMAP client on them. I have a script which downloads RSS feeds and sends an email to me for each item, which is then filtered into a News folder via a Sieve filter. I spend half my time in my email clients anyway so I may as well get my RSS fix in the same place.
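One way to build the RSS-to-mail step the comment describes, as an added example rather than the commenter's own script: each feed item becomes one RFC 5322 message with a deterministic Message-ID (so a re-run does not duplicate items) and an X-RSS-Feed header that a Sieve rule can file into the News folder. The feed XML, addresses and the `rss.local` domain are constructed for the example.

```python
"""Added example (not the commenter's script): turn RSS 2.0 items into one
e-mail message each, ready to be appended to an IMAP folder or handed to a
sendmail-style MTA and sorted by a Sieve rule on the X-RSS-Feed header."""
import email.utils
import hashlib
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed sample feed, embedded so the example runs offline.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example Blog</title>
<link>http://blog.example.invalid/</link>
<item><title>First post</title><link>http://blog.example.invalid/1</link>
<guid>http://blog.example.invalid/1</guid>
<description>Hello &lt;b&gt;world&lt;/b&gt;</description></item>
<item><title>Second post</title><link>http://blog.example.invalid/2</link>
<description>No guid on this one</description></item>
</channel></rss>"""


def message_id_for(feed_url, item_key):
    # Deterministic Message-ID from the item key (guid, else link) so that a
    # re-run yields the same ID and the mail store can recognise a duplicate.
    digest = hashlib.sha256(f"{feed_url}\n{item_key}".encode()).hexdigest()[:32]
    return f"<{digest}@rss.local>"   # rss.local is a constructed placeholder domain


def feed_to_messages(feed_xml, feed_url, recipient):
    """Parse an RSS 2.0 document and return one EmailMessage per <item>."""
    channel = ET.fromstring(feed_xml).find("channel")
    feed_title = channel.findtext("title", default=feed_url)
    messages = []
    for item in channel.findall("item"):
        link = item.findtext("link", default="")
        key = item.findtext("guid") or link or item.findtext("title", default="")
        msg = EmailMessage()
        msg["From"] = email.utils.formataddr((feed_title, "rss@rss.local"))
        msg["To"] = recipient
        msg["Subject"] = item.findtext("title", default="(untitled)")
        msg["Date"] = email.utils.formatdate(localtime=True)
        msg["Message-ID"] = message_id_for(feed_url, key)
        # Sieve side: if header :is "X-RSS-Feed" "<url>" { fileinto "News"; }
        msg["X-RSS-Feed"] = feed_url
        body = item.findtext("description", default="")
        msg.set_content(f"{link}\n\n{body}\n")
        messages.append(msg)
    return messages


if __name__ == "__main__":
    for m in feed_to_messages(SAMPLE_FEED, "http://blog.example.invalid/rss",
                              "me@example.invalid"):
        print(m["Subject"], m["Message-ID"])
```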

Interesting flow!

Personally I'm beginning to hate email... sorta wish the actually-important stuff in my email were sent to my RSS reader...

It can provide "your existing browsing experience" without being a web app: by running as a browser extension locally.

Because people want to sync their feeds and their current reading state across multiple devices (desktop, laptop, tablet, phone...). I also read my feeds somewhat sporadically: Since RSS usually only contains the last ~10 entries I would need to open my feed reader at least once a week to avoid missing an article.

I don't think I'm an RSS power user since I mostly use it for comics (~30), some techblogs and a couple of tumblr feeds.

I'm currently using bazqux[1] since it is fast and has a no-frills interface.

[1] https://bazqux.com

One of the problems is that the Android app is draining the battery whilst it can't connect to the Feedly servers.

The original posting on their blog: http://blog.feedly.com/2014/06/11/denial-of-service-attack/

> We are working in parallel with other victims of the same group and with law enforcement.

Last.fm[0] has also been experiencing "network difficulties" for a few days now; I'm curious if they are also victims of the same group.

[0] http://status.last.fm/

When they said in their post that they were working to neutralize the attack, I started wondering how they are doing that. If anyone else is curious, this article - http://www.infosecisland.com/blogview/22518-How-to-Protect-a... - briefly describes how DDoS attacks are neutralized.

I posted it on HN a month ago, but it wasn't popular then: http://selfoss.aditu.de/ (yes, it's opensource)

What kind of low life do you have to be to do this kind of crap? Is this what "hackers" do these days?

Best thing they can do is offer a bounty :-D that seems to be extraordinarily effective

It looks like they got hit by a second one today.

How's this blackmail? What secret are they threatening to reveal?

Yep, from their blog.

"2:04am PST – Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can."


A quick google shows 'blackmail' definition can either be restrictive to secrets as you say or can encompass 'extortion' depending on the definition you use.

It's not blackmail, just plain old extortion.

They are probably saying "Give me money or I am going to continue DDoSing your site."


I guess the demise of XP is still a long ways off. If there were no XP users remaining, could there still be enough hackable computers to create a large enough botnet?

Considering a lot of intrusions happen via the web browser / plugins installed in the web browser (flash/java come to mind right off the bat), I don't think XP being retired has anything to do with future botnet sizes.

Even if everything was up to date, you still can't make sure that you don't get infected. The common hobby for kids these days: finding and writing exploits.

It's a cocktail; you can't only blame Flash or Java. The browser and the OS running this stuff share some responsibility.

Exactly how is the OS supposed to stop an exploited browser from doing anything malicious? Even if you have strict access controls like SELinux, that won't stop a browser from participating in a DDOS attack and changing settings like cache or homepage to get reinfected next session. And if you don't have strict access controls, like 99% of desktops, the exploited browser can freely install all the user-mode malware it wants. So XP vs. not-XP is completely meaningless at this stage.

A lot of these types of attack use amplification attacks (https://www.us-cert.gov/ncas/alerts/TA13-088A), often a carelessly-configured time server or name server, where only a small number of hosts are needed to wreak havoc.
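From the operator side of such a "carelessly-configured time server or name server", the tell-tale sign of being used as a reflector is a client address that sends a stream of tiny queries and receives replies many times larger. The detector below is an added example (not from the thread or the linked alert) that runs this check over constructed netflow-style records; the server address, client addresses and thresholds are all assumed.

```python
"""Added example (not from the thread): flag client addresses on a time or
name server whose reply volume is both large and far out of proportion to
what they sent, the signature of a spoofed reflection victim.
All flow records below are constructed."""
from collections import defaultdict

SERVER = "198.51.100.7"   # the NTP/DNS server being watched (documentation range)

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("203.0.113.9", 40001, SERVER, 123, 48),                      # normal NTP request
    (SERVER, 123, "203.0.113.9", 40001, 48),                      # normal 48-byte reply
    *[("203.0.113.20", 51000, SERVER, 53, 50) for _ in range(20)],   # ordinary DNS client
    *[(SERVER, 53, "203.0.113.20", 51000, 200) for _ in range(20)],
    *[("192.0.2.55", 123, SERVER, 123, 8) for _ in range(200)],      # tiny queries, spoofed src
    *[(SERVER, 123, "192.0.2.55", 123, 440) for _ in range(200)],    # large replies to victim
    *[("192.0.2.80", 53, SERVER, 53, 60) for _ in range(100)],       # same pattern on DNS
    *[(SERVER, 53, "192.0.2.80", 53, 3000) for _ in range(100)],
]


def reflection_report(flows, server_ip, service_ports=(53, 123),
                      min_factor=10.0, min_reply_bytes=50_000):
    """Sum request bytes in and reply bytes out per (client, service port) and
    return the clients that exceed both the volume and amplification thresholds."""
    stats = defaultdict(lambda: {"req_bytes": 0, "req_pkts": 0, "rep_bytes": 0})
    for src, sport, dst, dport, nbytes in flows:
        if dst == server_ip and dport in service_ports:        # query towards the server
            s = stats[(src, dport)]
            s["req_bytes"] += nbytes
            s["req_pkts"] += 1
        elif src == server_ip and sport in service_ports:      # reply from the server
            stats[(dst, sport)]["rep_bytes"] += nbytes
    report = []
    for (client, port), s in stats.items():
        # Replies with no matching request at all are the most suspicious case.
        factor = s["rep_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
        if s["rep_bytes"] >= min_reply_bytes and factor >= min_factor:
            report.append({"client": client, "port": port, "factor": round(factor, 1),
                           "reply_bytes": s["rep_bytes"], "request_pkts": s["req_pkts"]})
    return sorted(report, key=lambda r: r["reply_bytes"], reverse=True)


if __name__ == "__main__":
    for row in reflection_report(FLOWS, SERVER):
        print(row)
```

A hit means the server is answering for an address that almost certainly never asked; rate-limiting or disabling the oversized response type on that service removes the amplification regardless of who is spoofing.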

Is that really a correlation? Have we seen a decrease in zombie counts as XP machines attrition out?
