DDoS Attacks Will Now Be 'Something You Only Read About In The History Books', Says Cloudflare CEO (vice.com)
Louise Matsakis, writing for Motherboard: Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size. Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. "The standard practice in the industry for some time has been to charge more if you come under attack," Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often "fire you as a customer if you're not sort of paying enough and you get a large attack," he explained. "That's kind of gross."
Hubris (Score:5, Insightful)
Re: (Score:1)
TFA did sound like a challenge.
Re:Hubris (Score:5, Interesting)
IF they are successful in holding off a few well-publicized DDOS attempts, then their strategy will probably work.
Re: (Score:2)
Well, not only that, but this really is an insurance pool and they've decided to treat it as such.
Realistically, if they've got a bigger pipe than any of the botnets out there, it doesn't matter which of their customers is under attack.
Re:Hubris (Score:4, Insightful)
The only way this works (financially) is if they can publicize well enough, "DDOS against Cloudflare won't work, they have too much bandwidth," and people stop trying.
No, that's not enough. They either also have to become the host to every website on the planet, or convince everyone who would attempt a DDoS that they are and thus shouldn't bother trying.
That's what "something you only read about in the history books" means. It never happens.
Of course, to be financially beneficial to Cloudflare, all it takes is this, from TFA: "Cloudflare has even protected the websites of DDoS perpetrators, while selling services to mitigate them." Yes, when you sell mitigation services against attacks from people you also sell network services to, it is a win-win for you. Not so much for anyone else.
What's scary is that this guy keeps talking about "Now every website will be able to fight back against DDoS attacks for free." Fighting back is not the same as mitigating damage from.
Re: (Score:2)
Came here to say someone will take this as a challenge. You made it by post #2
Sadly no mod points, but you win the internet for today.
Re:Hubris (Score:5, Interesting)
Also from that link:
I suspect Prince's powers of prognostication are no better than Gates'.
Re:Hubris (Score:5, Interesting)
Gmail launched a few months after Gates's prediction, and within a couple years had pretty much solved the unsolicited spam problem by monitoring the flow of mass emails and crowdsourcing spam identification to users. Other email providers and spam filters followed suit. A 'solved problem' doesn't mean the problem doesn't exist anymore, it means that there are now solutions to said problem.
And re: search, you can't really fault him for supporting his own company.
Re: Hubris (Score:1)
Spam is a solved problem, from several angles.
The solution was to reject everything other than verified senders, and consider problematic senders as spam automatically. This solution was ignored. So we tried with pattern-matching heuristics. These systems became more and more complex, until they evolved enough to reject everything other than verified senders, and to consider problematic senders as spam automatically.
Re: (Score:2)
Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.
Re: (Score:2)
Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.
They shouldn't be. We see plenty of spam that passes SPF and DKIM validation because it's very little effort for spammers to add that information when they're setting up their DNS records. It's clearly not difficult for them to spread DKIM keys through their botnets. Thankfully there are other "tells" that give away the majority of spam.
Re: (Score:2)
What might these "tells" be, so that a responsible server operator can avoid them in, say, legitimate notifications that a customer's order was accepted or shipped or that a product on a customer's wishlist has come back in stock?
Re: (Score:2)
Email spam seems pretty solved. As you say, the new problem is forum spam.
Re:Hubris (Score:5, Funny)
That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.
That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.
Re: (Score:2)
That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.
That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.
That's just Hubris, and I am going to store both these little nuggets for when Cloudflare does or doesn't get DDoS'd. Then I will laugh. At someone. (This isn't Hubris, this is just good planning.)
Re: (Score:2)
every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation
Nice marketing-lie (Score:2)
Cloudflare may at this time be able to mitigate simple flooding-based DDoS as long as it does not get too large. If you are willing to make yourself dependent on them, that is. As soon as the DDoS is a bit more sophisticated and masks as legitimate traffic, your visitors will either be tortured by inane captchas or the mitigation vanishes. That is, if captchas hold up longer-term. Which is highly questionable.
In the end, this is a transparent and empty gesture implying strength, intended to sway those weak
Re:Nice marketing-lie (Score:5, Informative)
CloudFlare has several times handled DDoS attacks that were then the largest attacks recorded, including a 400Gbps attack in 2014 and a 600Gbps attack in 2016. Sometimes these are simple network traffic requests, sometimes these are masquerading as legitimate traffic. In the latter case, you'll see an interstitial page that appears to validate your browser using some sort of javascript. In either case, they certainly have a proven track record of handling very large attacks.
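The interstitial "validate your browser" page mentioned above is, at its core, a challenge the server can verify cheaply but the client must spend some work on, which is what makes a request flood more expensive for the attacker than for the defender. The following is an added illustration of that pattern, not Cloudflare's code or any description of how their challenge actually works: the server issues an HMAC-bound challenge tied to the client IP and a timestamp, the "browser" finds a counter whose hash has a few leading zero bits, and the server verifies the binding and the work before letting the request through. The secret, difficulty, IP addresses and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret and difficulty for the example; a real deployment
# would load the secret from configuration and tune the difficulty under load.
SECRET = b"example-challenge-secret-do-not-reuse"
DIFFICULTY_BITS = 12          # average of 2**12 hashes for the client, one for the server
MAX_AGE_SECONDS = 300         # challenges expire so they cannot be replayed indefinitely


def _bind(client_ip, ts, nonce, bits):
    """Bytes the server authenticates: everything the client must not change."""
    return f"{client_ip}|{ts}|{nonce}|{bits}".encode()


def issue_challenge(client_ip, secret=SECRET, bits=DIFFICULTY_BITS, now=None):
    """Server side: hand out a stateless challenge bound to IP, time and difficulty."""
    ts = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)
    tag = hmac.new(secret, _bind(client_ip, ts, nonce, bits), hashlib.sha256).hexdigest()
    # No server-side state is kept: the HMAC tag is what lets the server recognise
    # its own challenge later, so a flood of unsolved challenges costs it nothing.
    return {"ip": client_ip, "ts": ts, "nonce": nonce, "bits": bits, "tag": tag}


def _meets_difficulty(tag, counter, bits):
    digest = hashlib.sha256(f"{tag}|{counter}".encode()).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - bits))


def solve_challenge(challenge):
    """Client side: the work the interstitial JavaScript would perform."""
    counter = 0
    while not _meets_difficulty(challenge["tag"], counter, challenge["bits"]):
        counter += 1
    return counter


def verify_solution(client_ip, challenge, counter, secret=SECRET, now=None,
                    max_age=MAX_AGE_SECONDS):
    """Server side: one HMAC and one hash, regardless of how hard the client worked."""
    now = int(time.time()) if now is None else int(now)
    expected = hmac.new(
        secret,
        _bind(challenge["ip"], challenge["ts"], challenge["nonce"], challenge["bits"]),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time compare: a tampered IP, timestamp, nonce or difficulty changes the tag.
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False
    # The solution must come from the address it was issued to and before it expires.
    if client_ip != challenge["ip"] or not (0 <= now - challenge["ts"] <= max_age):
        return False
    return _meets_difficulty(challenge["tag"], counter, challenge["bits"])


if __name__ == "__main__":
    ch = issue_challenge("198.51.100.7", now=1_000)
    answer = solve_challenge(ch)
    print("valid from issuing IP:", verify_solution("198.51.100.7", ch, answer, now=1_010))
    print("valid from other IP:  ", verify_solution("203.0.113.9", ch, answer, now=1_010))
```

The asymmetry is the point: the server spends one HMAC and one SHA-256 per verification, while each client must average 2**12 hashes, and a client that replays someone else's solution, forges a challenge, or waits too long is rejected without any stored state. Raising the difficulty under attack is what turns a large flood into a large electricity bill for the attacker rather than for the origin.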
Re: Nice marketing-lie (Score:1)
Both in 2014 and 2016 those sites went down and buckled from the bandwidth. Then they dropped Bruce because the DDoS attacks against him were too large and weren't cost effective.
So they are trying to rally against policies they themselves created...disgusting.
Re: Nice marketing-lie (Score:1)
Salem AC here, Bruce should say Brian, as in Brian Krebs. Typo.
Re: (Score:3)
you'll see an interstitial page that appears to validate your browser using some sort of javascript.
How do you move past that interstitial page? I'm not a bot, I swear. I just use an adblocker. And clicking on the link they tell me to click on just brings me back to the same page.
To me, CloudFlare has been synonymous with 404 and their CEO seems to be as delusional as Donald Trump. Instead of admitting that they can't follow through on their own marketing, they just double down on the lie.
Re: (Score:2)
I've never had that problem using uBlock Origin.
Re: (Score:2)
These attacks are not particularly large or impressive. The only surprising thing was that somebody was willing to expose themselves (somewhat) by going larger than others before. But measured against what is possible, these were not that big.
"Hold my beer." (Score:5, Funny)
"Hold my beer." -- Internet
History (Score:2, Insightful)
I guess we'll read about the concept of a decentralized world wide web in history books too then.
Re: (Score:2)
Amazon AWS would like a word.
Cloudflare CEO was also noted saying (Score:1)
Here, hold my beer...
The hackers quote was better. (Score:1)
What about Slashdotting protection? (Score:4, Funny)
Re: (Score:2)
I haven't heard of a site of any significance being slashdotted in well over a decade. Part of that is the 'net in general being much more robust than it was back around the turn of the century when slashdotting was common. Part of it is that, well... to be frank, Slashdot is all but irrelevant anymore.
Re: (Score:1)
The FBI site was unavailable at least for several minutes after releasing the Tsarnaev photos related to the Boston Marathon Bombings.
Lifelock (Score:2)
I'm so sure of our ability to protect your identity, I'm posting my social security number for all to see!
A few possible problems: (Score:5, Insightful)
1A. They might know damned well they're doing this -- and want their own systems and methods tested in live-fire scenarios.
2. On the surface (allowing for some assumptions, for the sake of argument) this sounds great; but the 'hey, wait a minute..' moment soon comes, and you realize that they're setting themselves up as the Gatekeepers for the Internet; the digital Heimdall standing guard at the Rainbow Bridge to the Internet. That's a lot of power for one company to have, and with that power comes a lot of responsibility -- and potential for abuse.
3. DDoS attacks are just one form of digital treachery that is committed on the Internet; what about everything else?
Re:A few possible problems: (Score:5, Informative)
CloudFlare was handling roughly 10% of all web traffic a year and a half ago, presumably it's higher now. They're already one of the gatekeepers.
Re:A few possible problems: (Score:5, Informative)
Cloudflare is big, it has hosting in a lot of major ISPs' networks. What Cloudflare does is, when it notices a DDoS attack from a particular segment, it shifts the traffic to the closest originating ISP and then it only impacts that ISP, which at that point is going to be motivated to get the 'bad traffic' off their network, whether that is by pressuring smaller ISPs or simply cutting them off.
Re: (Score:1)
Ultimately, CloudFlare is a content distribution network. They cache your data in various places around the world with big pipes to those places. If you are using their "free" service they are only handling static content. There is far less static content on the Internet these days. You can still get DDoS'd through anything dynamic that you do, which is almost all of your web site.
Re: (Score:2)
anything dynamic that you do, which is almost all of your web site.
Unless the vast majority of the dynamic stuff runs client-side. This can be true if your site is a client-side single-page application, with restricted or no functionality on no-script browsers. Then most data that the site's client-side script handles can have a far-future Expires date.
Anyone read the article (Score:1)
The article goes into more detail about how DDoS attacks are used to silence people because they are forced to pay extortion fees to mitigate the attacks. Basically Cloudflare is saying they won't kick a site when it is being attacked.
Somewhere, in a country not so far away... (Score:2)
"Hold my glass"
Yes, we'll be history (Score:1)
"Chapter 28. Civilization ended when the Mother of All DDoS Attacks took down an overly-confident company called Cloudflare..."
Re: (Score:1)
They handle 10-20% of the internet. If a DDoS attack takes out cloudflare, large parts of the Internet will go with it. Country level backbones would likely get saturated by attack traffic.
Re: (Score:1)
Is that Earth talking about humans?
Re: (Score:2)
Does "better" mean "less objectionable to left-wing social justice warriors" or "less objectionable to right-wing paleoconservatives"?
Prediction of A Hoisting By Their Own Petard (Score:1)
Within a year, Cloudflare will have their own distributed protection systems turned against them to DDoS their own servers.
This is an organisation that... (Score:1)
... caused one of the worst and least easily mitigated leaks of information the internet has seen before Equifax...
... is run by a CEO that then blamed the slowness of the cleanup on Google and outright lied about Google's competitors' progress in cleaning up.
I'm sorry but fuck Cloudflare and Matthew Prince.
Clickbait (Score:1)
fucking morons (Score:2)
Re: (Score:2)
Why do you think they can't mitigate well-crafted large-scale attacks? Some of the things they do only balance the asymmetry of an attack, so that the resources used on the remote machine are comparable to the resources required on the host.
I am honestly curious what happens when average residential connections are gigabit, but I am sure they are planning for that.
In the year 3000 (Score:2)
They'll be saying things like "remember that massive DDOS attack last year? That one's going in the history books too"
DDoS attacks only read about in the history books? (Score:1)
CDN helps hide IP transitions (Score:2)
How does cloudflare help if I know the actual IP address(es) of their customer's server(s)?
A CDN helps your site remain up while your origin server rolls over to a new IP address by caching logged-out viewers' view of popular documents. It also lets you use IPv6 on the origin server, which makes it easier to fast-flux its IP address while still serving to user agents behind legacy IPv4-only networks.
Re: (Score:2)
IPv6 on the origin server
And what happens when you can no longer afford new IP addresses
2^64 addresses ought to be enough for anyone. Make the origin server IPv6-only, and rely on your CDN to proxy the /64, /60, or /56 that your provider offers to the IPv4-net.
Same old shit. (Score:2)
The ship was unsinkable they said.
Hold my Beer (Score:2)
This reads like one big challenge.
Why announce it like this? It's just like announcing you've made an un-crackable DRM; you're awaking the kraken.