
Cloudflare isn't just a security hole in the middle of the internet, they're a protection racket.

If you wanted to pay to DDoS a site, search for "booter" and you'll get a list of sites that will take another site off the internet for money with a flood of traffic.

quezstresser.com webstresser.co topbooter.co instabooter.com booter.xyz critical-boot.com top10booters.com betabooter.com databooter.com

etc. etc. - from the first 30 results I could find 2 booter sites that weren't hosted by Cloudflare.

But hey, pay Cloudflare and your site too can be safe from DDoS attacks...



In what way is this a protection racket? That's sort of like complaining that mob-owned businesses enjoy the same police & fire protection that all other businesses have.


Cloudflare sells protection from the internet attacks through its network. The same company and network facilitates the organisation of those same attacks, and helps keep them anonymous.

That's a high-tech protection racket.


I get this argument. I have made it in the past.

But CF doesn't want to play Internet cop. Everyone who manages a service gets a constant barrage of "someone using your site did something offensive, I want you to kick them off your service!"

CF has decided they are just not going to play the game, at all. Because once they start, then all the piranha come to feast.

I'm not saying this means they aren't a racket, which is charging people money to solve a problem you made. But they do have some good reasons for simply refusing to censor what they offer.


It's not a game, it's policing your own network and keeping your business activities legal. My network has run an abuse desk for 15 years and there are no feasting piranhas (what does that even mean?).

Cloudflare definitely already runs an abuse desk, and bans accounts, they just choose not to ban network abuse tools. They are making the internet a more dangerous place for hosting, then asking you to buy a solution. They could search Google for "booter" and "ddos tool" and whatever else, and flag sites for banning, it's a project an intern could do. But they don't, and they suck for that.


They could ban booters. But then someone else will say "but you allow <some other type of site>! They're clearly bad, you should ban them too". And so they do, and now someone else complains about some other site. Once you start banning sites for the content they hold, where do you draw the line? I don't fault CloudFlare for drawing it at the legal barrier (e.g. no CP).


CloudFlare should not align itself with the adversaries its mission is to protect its users from. This isn't a slippery slope distinction, this is a binary exclusion.


> Once you start banning sites for the content they hold, where do you draw the line?

I mean, you could always just draw the line at booters. Not everything has such a slippery slope.


You can say that. But I guarantee you if they do that, other people will think they should ban other sites too.

Really the only way to avoid the problem is to not play the game, and so that's what CloudFlare does. It's pretty much the only defensible stance to take.


They can draw the line wherever they like, they are under zero obligation to provide a service to anyone they don't want to.


Call it a conflict of interest then. The worse the internet at large becomes, the more money cloudflare makes.


DOS attacks being a bad thing is the whole reason the service exists, so to then group it with "things some people consider offensive" is just doublethink. If Cloud Flare didn't want to play internet cop in regards to DOS attacks, it would not exist. Since it does, it might as well say the same things with both sides of the mouth.


DDoS attack protection is just one of the services CloudFlare offers. Saying it's the whole reason the service exists suggests that you haven't actually looked at what they do.


Change "the" reason to "one of the main reasons" (and going from the top left to bottom right, the second of their four main features), and notice how my point remains untouched?


Your point is still incorrect. CloudFlare is NOT playing "internet cop" for DOS. They're providing armor against it, but they're not "policing" it in any sense of the word.


So DOS are "clearly bad" when it comes to providing "armour" against them, but a matter of taste, something a person could not possibly have an opinion on when it's a client of theirs?

> they're not "policing" it in any sense of the word.

I didn't say they do, I said it's double-faced. Which it is.


Most of those booters are on their free tier, so it's a bit hard to argue it's a racket.

If you want to claim it's unethical... maybe. But if you think about it from their position, it could genuinely get into a slippery slope if you start policing what services you're reverse proxying. Especially considering the rate they're growing now.

Think of it this way: should Google be compelled to remove all search results for all booters and other malware-related services? It's asking a lot.



Problem is, these are just frontends advertising the booter services. They're not serving malware themselves.

Cloudflare, like Google, does have a similar program and does remove websites that are directly hosting malware or phishing pages. They just don't remove the gray-area stuff, like hacking forums and black market customer portals.


It's not a racket. Refusing to police their own customers, and having customers that do bad things that CloudFlare incidentally helps protect against, does not make it a racket.

In a protection racket (or more accurately an extortion racket), businesses that don't pay up will get attacked by the racketeers, and so for the most part paying up just means the racketeer won't attack them. That doesn't even remotely describe CloudFlare. Whether or not you pay for CloudFlare doesn't affect whether some other customer of CloudFlare attacks you. And the fact that those other customers are using CloudFlare themselves does not make CloudFlare responsible for their actions.


Another implication: they could be using their access to these sites' traffic to prepare their own infrastructure for attacks before they happen.

There's nothing about their hosting of these sites that doesn't reek.


That is how DDOS protection works, learning from data and scale to better defend future attacks. Every large network and security operator does this. What is your issue with that exactly?


I don't mean they are learning from observing attack traffic, they have access to the command and control traffic.

That means they could know about an attack before it happens.

They could know how long it will last, who the target will be, and what volume of traffic to expect.

They could know who had ordered it, who had paid for it.

They. Also. Sell. Protection.

To call the situation deeply conflicting is an understatement.


Given that the whole class of operators seem somewhat shady, I imagine that sometimes they would need to fend off attacks from competition services. In that case, being on a free DDoS protection plan seems like a reasonable thing to do (from their point of view). As long as they're not initiating the DDoS via Cloudflare, I'm not sure how that would be unreasonable on CF's part, given that I assume it's all automated and nobody ever looks at what sites have signed up.

I don't like CF for their fishy SSL architecture, the increased centralization of internet traffic, and the constant captchas when using tor, but the DDoS protection part (regardless of what sort of people they're providing service for) seems fine.


I don't really understand your point. In 2012 I was working on a startup that was DDoS'd and it was not fun. This was back before Cloudflare offered a DDoS service and we ended up having to hire a random company in Canada to help get us back online. At the time there were surprisingly few people out there offering DDoS mitigation. Cloudflare wanted to help us but they were still in early development for their service, but I remember them being good guys. What's wrong with providing a service to help fight the bad guys?


He is pointing out that cloudflare is also hosting the DDOS sites.

Those are sites that you can go to to pay for a DDOS.

So they are taking money from the people who you are paying them to defend you against.


The problem comes from the conflict of interest when you're also hosting the bad guys


It's the same stance that antivirus developers have always had, more or less. As usual, the difference between blackhat and whitehat is very, very thin - if there is a difference at all.


Be careful posting random domains. HN might flag/throttle your account for spamming. Happened to one of my accounts.


That's rare but possible. If you weren't spamming, I'm sorry. Let us know at hn@ycombinator.com and we'll fix it.


Thanks for the reply. It has been a while and I don't even remember the username of that account. It wasn't that important to me (plus, a relatively new account) so I didn't bother contacting HN.


By the same logic, the search engine you used to find those sites is also a "protection racket".


Really? That search engine sells DDOS protection?


Sure. I just searched for "ddos stresser" on three different search engines. The first 1-3 results were ads for Cloudflare and similar services, followed by organic results for several of the sites mentioned above. One could make the same dubious argument that it's a protection racket (free exposure for the "bad guys" while profiting from mitigation).


You are essentially arguing against freedom of speech. Cloudflare will protect any site that doesn't host child porn. Yes that includes things which you don't like, but it also includes all the things you do.


> Cloudflare will protect any site that doesn't host child porn

Doesn't that make it worse? They aren't saying they don't or won't police the content they protect. They are obviously capable and willing to draw a line on ethical or legal grounds, if they have done so in that case. They have just chosen to draw that line on one side of porn but another side of DDoS services.

Ultimately it is their decision to make, but I don't think it's unfair for people to question possible conflicts of interest in how that decision is made.


Why are you combining legal and ethical? They're capable and willing to draw a line on legal grounds. Seems pretty clear.


Not combining, that's why I said or.

And I said that because I'm not sure why they've made that decision...it could have been either or both. And sale of DDoS service is arguably illegal in at least some places, so they obviously aren't rejecting all illegal content.


I ... didn't say any of that.


DDoS attacks are the ultimate form of censorship.


You don't understand what freedom of speech actually means.



