If it's illegal and you're harmed, I'm sure you can sue the people who did it and CloudFlare will have to hand over IP addresses. But is it CloudFlare's duty to police the Internet? Like ISPs, I think they should be content-neutral unless illegal content like child porn is being hosted. Merely talking about services is not illegal as far as I know; only performing the DDoS attacks is.
1. Websites hosting services that have no other purpose but to DDoS other computers are absolutely illegal. Many such sites have been taken down by the FBI before, and both users and owners of the sites have been arrested. The problem is that there are many hundreds of such sites and tens of thousands of users, and law enforcement simply can't take down each and every one. Cloudflare is relying on the fact that most people won't be able to get a subpoena or file a lawsuit.
2. You could apply that same argument to any hosting provider. They're just letting people see content that you yourself have uploaded; why should they act as Internet police? And yet every hosting provider has a legal responsibility to take action if someone is using their services to spread malware, launch DDoS attacks, or hack other websites.
Cloudflare is able to weasel itself out of it because it is not actually a hosting provider. However, they won't even let you discover the real hosting provider after showing proof of extremely blatant criminal activity. This is why many criminals flock to them: they know they will be harbored and their botnet command & control / DDoS service / malware distribution network can stay up for longer than it would normally.
I work in the information security field and we're definitely seeing more and more malicious network operators moving to Cloudflare and staying there for a long time.
The legal system simply cannot process every single civil or criminal complaint everyone in the US may have. If a security researcher had to go through a court, and/or law enforcement, every single time they wanted a malicious domain taken down then their work would be nigh impossible.
Legal due process should be required when there are legal penalties or punishments. In this case, the bot herders and malware distributors are not subject to any criminal or civil penalties in response to abuse complaints: they do not go to jail and are not fined. Some of them will be fined or imprisoned, many years later, but everyone's better off if their botnets are shut down immediately instead of in 2-5 years.
It's a deal between private entities: private entity X agrees to stop providing server or domain hosting for the bot herder after seeing a good-faith report. A provider has every right to stop offering you service.
Without this sort of cooperation between entities, the Internet would be even more of a mess right now.
I agree they should not be policing. Instead they should allow you to contact the people who are hosting the actual content, which is where DMCA notices have to go, for example. Since they do not host the content, they claim the DMCA should not be sent to them, but they won't tell you who to contact instead.
So what? It's not their job to help copyright holders; their job is to protect their clients' privacy. Even the cops have to get a court order to obtain someone's private data from a business, but since it's copyright, every man and his dog claiming to be the copyright holder should be handed private information willy-nilly?
So, would you consider a site where you can click a button and have a DDoS attack launched for you to be illegal? Because that's exactly what's being referred to here, "DDoS-as-a-service".
Have fun filing lawsuits and sending out subpoenas when you're just trying to host a game server as a hobby and not making money off it. Cross-jurisdictional issues will also make this very difficult, even if you know who the attacker is.