EVERYTHING about Booters (and CloudFlare)

Miles Fidelman mfidelman at meetinghouse.net
Thu Jul 28 17:15:58 UTC 2016


On 7/28/16 11:56 AM, Niels Bakker wrote:

> * mfidelman at meetinghouse.net (Miles Fidelman) [Thu 28 Jul 2016, 17:42 
> CEST]:
> [...]
>> Now if Cloudflare were to actively suggest that folks use vBooter to 
>> test systems, as a way to boost sales for Cloudflare - that would 
>> certainly be an interesting test case for RICO
>
> CloudFlare is doing nothing of the sort, and it's kind of vile for you 
> to suggest otherwise, even ostensibly by way of floating it as a 
> hypothetical.
>

Well, I don't know - if I were in the business of selling security 
services, I'd probably suggest that potential customers do some 
penetration and stress testing of their systems.  And that seems pretty 
legitimate.

For that matter - "here are some tools you can use to test your systems" 
also strikes me as pretty legitimate.

On the other hand - one might argue that publishing something like "How 
to Launch a 65Gbps DDoS, and How to Stop One" 
https://blog.cloudflare.com/65gbps-ddos-no-problem/ - pushes the limits 
a bit - depending on how much detailed "how-to" information one 
provides, and how much one presents oneself as the solution.

Granted, that there's a lot of value in education - I certainly want to 
know the various ways folks might attack our systems, and the various 
ways we might defend ourselves.  But there are limits - not just legal 
ones, but, as others have pointed out, ethical ones and ones of good 
taste.  The CERT draws its lines one place; on the other hand, Symantec 
publishes white papers that give some rather in depth analyses of 
specific viruses - there for the googling. Cloudflare certainly comes 
closer to one line than the other.

Opinions vary as to the ethics, taste, and legality of publishing 
detailed how-to information - there's certainly enough out there from 
sources with ill intent (including rather nasty libraries and tools that 
require little technical expertise to utilize) - so I tend to favor more 
details.

When one directly ties detailed how-to information, with product/service 
sales - now that strikes me as begging to be the target of some 
interesting test cases.  In Cloudflare's case - telling people how to 
attack a site, hosting free & openly available tools that can support 
such an attack, and selling services to mitigate the attack - now that's 
a test case just waiting to happen.  "How to Launch a 65Gbps DDoS, and 
How to Stop One" seems like an open invitation to ambulance chasers and 
aggressive prosecutors.

Miles Fidelman

-- 
In theory, there is no difference between theory and practice.
In practice, there is.  .... Yogi Berra




More information about the NANOG mailing list