EVERYTHING about Booters (and CloudFlare)

Alexander Maassen outsider at scarynet.org
Thu Jul 28 15:44:20 UTC 2016


Sigh, another long thread that goes nowhere in the end and simply dies a
dull death. So let's add my 2ct donation into it.

First of all, CF like any other carrier/provider/hoster/whatever only
cares about the bucks, nothing else, you all do too, so that should be
clear enough. Them actually booting customers just because some other
instance (except through governmental powers) wants them to is not done,
as it would decrease the income. Period. Same goes for ISPs blocking
access to resources. They will simply switch to another provider and/or
try to find workarounds for it (see pirate bay and the like). That's like
mopping the floor while the fire sprinklers are still on.

Second, CF indeed offers DDoS mitigation, but only on their heavy paid
plans, if you also want the netflow logs of the attacks etc, it will cost
you extra. If you are on a free plan, and your assigned gw gets ddossed,
and they figure out you are the target, they drop the 'protection' by
simply changing dns to its real values and letting the attacker know:
don't dos us if you want to hit that site, use the real endpoint IP
instead and you will hit them directly. (Been there with DroneBL, and as
soon as I figured out they do that, dropped them immediately). In the end,
you are better off at hosters like OVH/Foonet and such as they learned
from the IRC age where it was common to nuke clients/bnc's in order to
hijack nicknames/channels when the network didn't have channel/nick
services.

Third, for those who do not know it yet, CF only acts as an intermediate
RELAY that provides a method of attempting to identify bad asses, nothing
more. And the badasses they also relay for? Testpigs and informational
source! (Keep your friends close, your enemies closer?).

Hell, aren't some of the best security advisors former hackers? At least
the ones I know used to be. And I'd rather have some decent hacker in my
team, keeping me updated with the stuff that's going on in the scene, than
some million dollar company trying to sell you crap that is always behind
the facts. Oh, and I am talking about real hackers, not those
scriptkiddies using ready made tools thinking they are god.

Fourth, and I see it in this mail as well and a lot of others: The
Jurisdictional issues. Why aren't there any international Cyber Crime laws
yet? We all do need to enforce crap like DMCA (which the
music/entertainment industry is responsible for), EU Cookie Law (which
should have been handled through the browsers and not force it upon the
websites) and its inbred stupid derivatives, but everyone, despite acting
out international by its presence on a global spanning network, is still
hiding behind his/her organization's local law. Kinda stupid, don't you
agree?

Kind regards,

Alexander Maassen
Maintainer DroneBL

On Thu, July 28, 2016 4:41 pm, Paul WALL wrote:
> I'm sorry, but this entire discussion is predicated on half-truths and
> nonsense spewing out of the CF team. It's a shame too, as they're
> usually great community minded folks who are well respected around here.
>
> No matter how you define the CloudFlare service, that they can claim
> ignorance due to "common carrier" passthrough is preposterous,
> especially given their purported knowledge of what's going on.
> Likewise if the booter sites were connected to any other CDN,
> WAF/proxy, public cloud provider, etc. Call it what you want, but at
> the end of the day, they're providing connectivity and keeping the
> storefront online. Want the problem stopped? Easy, stop it at the
> source by denying them service. Every service provider (or its
> upstream at some point) has an AUP which prevents the service from being
> used for illegal purposes. Telling NANOG members that they don't
> understand the nature of the CF service, and that they should somehow
> get a pass, is dishonest.
>
> That they're keeping these criminals online at the requirement of the
> FBI? Anyone who's actually worked with law enforcement can tell you
> that the first rule of fight club is to NOT talk about it, especially if
> you're under gag order. A more likely story is they're just doing this
> for the attention, and basking in it, kind of like a certain blog post
> suggesting they pioneered the practice of configuring hosts with LACP
> for throughput and HA.
>
> If Justin/Matthew/Martin/etc. are listening, I implore you to do the
> right thing and stop providing service to criminals. Full stop, without
> caving in to your very talented marketing department. And to everyone
> else, I'd ask you to do what you think is right, and treat CloudFlare's
> anycasted IP blocks as you would any other network
> harboring criminal activity and security risk to the detriment of your
> customers. (Is Team CYMRU listening?) Much like the original spam
> problem in the 90s, the collateral damage might be annoying at first,
> but the end will justify the means.
>
> Drive Slow (like a souped up Supra),
> Paul Wall
>
> On Wed, Jul 27, 2016 at 10:48 PM, Randy Bush <randy at psg.com> wrote:
>>> They just lost all respect from here. Would someone from USA please
>>> report these guys to the feds? What they are doing is outright
>>> criminal.
>>
>> hyperbole. it is not criminal. you just don't happen to like it.






