A friend forwarded me your topic about Booters and CloudFlare. Then I decided to join the NANOG list. The *answer* for the first question about CloudFlare and Booters is at: https://www.youtube.com/watch?v=wW5vJyI_HcU (minute 45:55) given by the _CloudFlare CEO_ at Black Hat 2013.
I have investigated Booters since 2013 and I know many (if not all) of the possible aspects of this DDoS-as-a-Service phenomenon. A summary of my entire research (or a large part of it) can be watched at https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top of that, I developed an algorithm to find Booters and publicly share such a list (http://booterblacklist.com/). My main goal with this initiative is to convince people to blacklist and keep track of the users that access Booters (that potentially perform attacks).
If you have any questions about any aspect of the entire phenomenon, don't hesitate to contact me. By the way, I want to help deploy the booters blacklist worldwide and help prosecutors to shut down these bastards. I have a lot of evidence!
I covered the booter topic in a previous reply on a different (though
basically the same) thread. By "non-existent" you mean we are
processing thousands of reports per week. If you have something to
report you can certainly do so at cloudflare.com/abuse. We'd be more
than happy to process your report also.
From just a preliminary test, more than half of these domains are
hiding behind Cloudflare, and OVH has a sizable fraction too.
you mean are using cloudflare and ovh services.
I suppose it's inevitable, given that both are known for having
non-existent abuse departments.
as the OP made pretty clear, it's not a matter of an abuse contact.
it is the service not acting as a law enforcement agency and asking
for a court order. most large service providers operate in that way.
I have submitted abuse reports in the past, maybe from 2014 - 2015, but I
gave up after I consistently did not even get replies and saw no action
being taken. It is the same behavior with other providers who host malware
knowingly. I appreciate you coming out onto the list though, it's nice to
see that CF does maintain a presence here.
I am sure a lawyer would see it very differently, I could see someone looking at this like racketeering. They get paid to provide a service to defend against DDoS, while knowingly hosting people who conduct DDoS attacks. Cloudflare profits from both the victims and the criminals. If Cloudflare isn't acting in good faith to shut down these sites when they receive evidence they are bad actors, they could find themselves in a bit of trouble.
At this point Cloudflare would know that these bad actors are hosted on their service since we know many Cloudflare employees subscribe to the NANOG list, and the list of bad actors would now show up in their email server, ready for legal discovery.
Disclaimer: I have a ton of respect for Cloudflare and what they do on the internet.
As was mentioned in the BlackHat video the DDOS providers don't like
competition and they try to take each other out which is why they need to
be on Cloudflare. If they were all kicked off of Cloudflare then they would
all take each other out leaving no need for Cloudflare's DDOS services. So
by hosting these companies they are ensuring that they will have business.
(I have no evidence to this. Just a theory..............)
They can monitor (passively or actively) all access to the sites they host, even
the ones that use SSL, and they often use their close working relationship with
law enforcement to explain why they don't terminate bad actors on their network.
You can probably assume that "the feds" are intimately aware of what they're doing.
Law enforcement (US or international) knows how to contact us if they
have an inquiry to make. We also publish a Transparency
Report that covers those legal inquiries: https://www.cloudflare.com/transparency/
Here's the list sorted by DNS provider. (Of course the DNS provider isn't
necessarily the hoster.) This list omits domains which don't seem to have
NS records at the moment.
abuse@ reports generate an auto reply indicating where our reporting
form is located.
Reports at our reporting form generate an auto reply confirming we
received the report. All reports filed via the form are reviewed by a
human and at a minimum passed on to
the responsible hosting provider so they are aware and they can follow their
policies to address with their customer.
This is why policy, as painful as it is to produce, is useful.
There isn't even general agreement on whether (or what!) Cloudflare is
doing is a problem.
Which is why interested parties need to get together and agree on some
sort of policy regarding this and similar things.
Or not and just let it go.
That policy could, at least in theory, be attached to peering
agreements, BGP agreements, address allocations, etc as contracts as a
means of enforcement. And if necessary presented to law enforcement or
courts as clearly defined violations of GAAP.
It may not be a law per se but it's the sort of thing a court case
might use, say in a civil damages suit or even law enforcement action,
to establish that defendant's behavior exhibited reckless disregard
and so on.
As an analogy you can't accuse someone of mayhem if no one can be
bothered to write down what mayhem might be and why the defendant
should have known their actions were mayhemic.
I am not seeing Justin's replies hitting my mailbox, only snippets of quotes
and replies... but my experience to date with CloudFlare has been exactly the
same, no response or action of any kind to abuse reports.
...Searching... here is an example. Banco do Brasil "you must update your
details" phishing fraud using compromised hosts. Example email and for details
necessary to confirm sent to abuse@cloudflare.com on 7/17. Ten days later and
the compromised CloudFlare-fronted site is still up and still running. Would
there be any confusion if the following abuse report (plus attached original
email) arrived in your mailbox?