EVERYTHING about Booters (and CloudFlare)

Sigh, another long thread that goes nowhere in the end and simply dies a
dull death. So let's add my 2ct donation into it.

First of all, CF like any other carrier/provider/hoster/whatever only
cares about the bucks, nothing else, you all do too, so that should be
clear enough. Them actually booting customers just because some other
instance (except through governmental powers) wants them to is not done,
as it would decrease the income. Period. Same goes for ISPs blocking
access to resources. They will simply switch to another provider and/or
try to find workarounds for it (see Pirate Bay and the like). That's like
mopping the floor while the fire sprinklers are still on.

Second, CF indeed offers DDoS mitigation, but only on their heavily paid
plans; if you also want the netflow logs of the attacks etc., it will cost
you extra. If you are on a free plan, and your assigned gw gets DDoSed,
and they figure out you are the target, they drop the 'protection' by
simply changing DNS to its real values and letting the attacker know:
don't DoS us if you want to hit that site, use the real endpoint IP
instead and you will hit them directly. (Been there with DroneBL, and as
soon as I figured out they do that, dropped them immediately.) In the end,
you are better off at hosters like OVH/Foonet and such, as they learned
from the IRC age where it was common to nuke clients/BNCs in order to
hijack nicknames/channels when the network didn't have channel/nick
services.

Third, for those who do not know it yet, CF only acts as an intermediate
RELAY that provides a method of attempting to identify bad asses, nothing
more. And the bad asses they also relay for? Test pigs and informational
source! (Keep your friends close, your enemies closer?)

Hell, aren't some of the best security advisors former hackers? At least
the ones I know used to be. And I'd rather have some decent hacker in my
team, keeping me updated with the stuff that's going on in the scene, than
some million dollar company trying to sell you crap that is always behind
the facts. Oh, and I am talking about real hackers, not those
scriptkiddies using ready-made tools thinking they are god.

Fourth, and I see it in this mail as well and a lot of others: the
jurisdictional issues. Why aren't there any international cyber crime laws
yet? We all do need to enforce crap like DMCA (which the
music/entertainment industry is responsible for), EU Cookie Law (which
should have been handled through the browsers and not forced upon the
websites) and its inbred stupid derivatives, but everyone, despite acting
out internationally by its presence on a globe-spanning network, is still
hiding behind his/her organization's local law. Kinda stupid, don't you
agree?

Kind regards,

Alexander Maassen
Maintainer DroneBL

I'm sorry, but this entire discussion is predicated on half-truths and
nonsense spewing out of the CF team. It's a shame too, as they're
usually great community minded folks who are well respected around here.

No matter how you define the CloudFlare service, that they can claim
ignorance due to "common carrier" passthrough is preposterous,
especially given their purported knowledge of what's going on.
Likewise if the booter sites were connected to any other CDN,
WAF/proxy, public cloud provider, etc. Call it what you want, but at
the end of the day, they're providing connectivity and keeping the
storefront online. Want the problem stopped? Easy, stop it at the
source by denying them service. Every service provider (or its
upstream at some point) has an AUP which prevents the service from being
used for illegal purposes. Telling NANOG members that they don't
understand the nature of the CF service, and that they should somehow
get a pass, is dishonest.

That they're keeping these criminals online at the requirement of the
FBI? Anyone who's actually worked with law enforcement can tell you
that the first rule of fight club is to NOT talk about it, especially if
you're under gag order. A more likely story is they're just doing this
for the attention, and basking in it, kind of like a certain blog post
suggesting they pioneered the practice of configuring hosts with LACP
for throughput and HA.

If Justin/Matthew/Martin/etc. are listening, I implore you to do the
right thing and stop providing service to criminals. Full stop, without
caving in to your very talented marketing department. And to everyone
else, I'd ask you to do what you think is right, and treat CloudFlare's
anycasted IP blocks as you would any other network
harboring criminal activity and security risk to the detriment of your
customers. (Is Team CYMRU listening?) Much like the original spam
problem in the 90s, the collateral damage might be annoying at first,
but the end will justify the means.

Drive Slow (like a souped up Supra),
Paul Wall

They just lost all respect from here. Would someone from USA please
report these guys to the feds? What they are doing is outright
criminal.

There are no international cyber crime laws because there is no international law enforcement agency with the reach to enforce them and because most countries like things like sovereignty. There is also an inherent conflict between private citizen hacking and state sponsored hacking, and the line is sometimes blurry. If a state sponsor is using a private DDoS network, what are the chances they are going to allow an investigation/arrest in that case? There are already enough laws on the books in most cases to handle this stuff; there just isn't the law enforcement resources/interest to pursue this.

Companies like CloudFlare generally end up in one of two states given my experience since the first public Internet became available.

1. Various service providers get screwed with enough and eventually retaliate by messing with CloudFlare's connectivity/peering/availability to the point that CloudFlare becomes an unviable platform for the nefarious services. This happened in the original spam wars with regularity. As soon as CloudFlare becomes inconvenient or too visible to law enforcement, they move on to the next provider, and enough legit business is scared away that CloudFlare dies on the vine.

2. Eventually one of the nefarious services messes around with something large enough to create big law enforcement interest (a successful hit on a critical national resource), at which point they cut all the intergovernmental red tape and take out everyone including the hacker, the server farm, the hosting company, and anyone else involved. Remember that they don't necessarily have to prove a criminal case to shut your business down. All they really have to do is get a judge to order a seizure of enough of your gear to shut you down for a period of time that sends all your other business out the door. Note that I don't support/not support that tactic, but it's a fact that it works. Sure, you can try to defend yourself, but how deep are your legal pockets? The US Justice Department has shown time and again that they can wipe out large swaths of nefarious operators when they care enough to do so. They have also shown the ability to cross international borders to do so. They put some serious dents in Pirate Bay and Anonymous. They don't kill them permanently, but it doesn't matter to the guys sitting in prison for years.

Steven Naslund
Chicago IL