EVERYTHING about Booters (and CloudFlare)

Rich Kulawiec rsk at gsp.org
Thu Jul 28 15:27:22 UTC 2016


On Wed, Jul 27, 2016 at 03:09:51PM +0000, Steve Mikulasik wrote:
> I am sure a lawyer would see it very differently, [...]

For what it's worth I agree, but I'm not an attorney (and neither
are most of us), so I'll write from the perspective of an operator.

The healthy functioning of the Internet community relies on mutual
cooperation.  It always has.  Part of that cooperation is ensuring
that one's own operation, whether it's a single server or a worldwide
collection of data centers, is not an operational hazard to the rest
of the Internet.  That is our first, our primary, our over-arching
responsibility at all times.  Understanding it, embracing it, and
practicing it is something required of all of us.

This isn't a question of what's legal and what's not -- after all,
that varies by jurisdiction and it's a moving target and the machinery
of jurisprudence moves a few orders of magnitude more slowly than
does Internet technology.  It's a question of what's right.  We should
all know that hosting spammers or phishers, DoS-attackers or carders,
or anyone/anything like that is wrong.  (Yes, there are gray areas where
reasonable people can differ about what's right/wrong.  But these
are not among them.)  We should all be doing everything we
can to avoid giving them services, and if we fail in that, if they
get by our screening, we should be cutting them off the moment we're
aware of their presence, and banning them permanently, AND informing
other operators in order to forestall their relocation.

This doesn't require legal involvement: it requires ToS that stipulate
it, and if, in 2016, any service *doesn't* have ToS that stipulate these
things: you need to get new attorneys and fix that today.

It also requires having a functioning abuse@ address (per RFC 2142
and decades of best practices) that connects to a functioning abuse
department that is empowered to investigate and act on everything
that shows up there.  In a better world, this wouldn't be necessary:
abuse sources/sinks/facilitators would already know of their own
involvement and nobody would need to tell them.  But we don't live
in that world and in some cases, it's arguably difficult to tell
even for very diligent operators.  So if third parties are doing you
the incredibly gracious favor of reporting abuse to you, thus making
*your* job easier despite the fact that *your* operation is making
their job harder...you should listen.  You should investigate.  You
should say thank you.  You should report the outcome.

This isn't hard.  It's really not.  (And to those who say "we get too
many abuse complaints", there is a very simple fix for that: stop
facilitating so much abuse.  The complaints will drop proportionately.)

The alternative to this is an Internet of escalating attacks and abuse --
which is where we find ourselves after a few decades of incompetence
and negligence (those who can't be bothered) and deliberate support
(those who choose to take dirty money and cash in on abuse).  It's already
pretty bad, which is why there are now entire sectors built on mitigating
it.  We can either continue to light stacks of money on fire (and that's
one of the smaller costs of this) trying to stave this off or we can
do what we should have been doing all along: be *personally* responsible
for what our technology is doing.  No excuses.  No stonewalling.  No blowoffs
with a nod to the legal department.  Just step up and do the right thing
for the good of the community -- because without that community, even
the biggest, richest operation is of no importance and value whatsoever.

---rsk
