DDoS Attacks Will Now Be 'Something You Only Read About In The History Books', Says Cloudflare CEO

Louise Matsakis, writing for Motherboard: Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size. Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. "The standard practice in the industry for some time has been to charge more if you come under attack," Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often "fire you as a customer if you're not sort of paying enough and you get a large attack," he explained. "That's kind of gross."

Hubris

[DaMattster]

That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

Re:Hubris

TFA did sound like a challenge.

Re:Hubris

Is your list of item stored in your Hubris folder also stored in your Hubris folder?

Re: Hubris

internet na'er-do-wells love a good challenge.

Re:Hubris

I want to get a tattoo of a butt on my butt.

Re:Hubris

[Zocalo]

Matthew Prince should have a chat with Bill Gates about how well his 2004 prediction at Davos that spam will be a solved problem within two years worked out.

Also from that link:

[Gates] hailed search technology firm Google as a "great company"; its approach reminded him of Microsoft 20 years ago. But he also predicted that Microsoft search technology would soon outpace that of its rival.

I suspect Prince's powers of prognostication are no better than Gates'.

Re: Hubris

I hate spam at my incoming mail servers, but truth be told: It is not really an issue in the inbox anymore.

Re:Hubris

[Gussington]

That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.

Re:Hubris

[phantomfive]

The only way this works (financially) is if they can publicize well enough, "DDOS against Cloudflare won't work, they have too much bandwidth," and people stop trying.

IF they are successful in holding off a few well-publicized DDOS attempts, then their strategy will probably work.

Re:Hubris

[pushing-robot]

Gmail launched a few months after Gates's prediction, and within a couple years had pretty much solved the unsolicited spam problem by monitoring the flow of mass emails and crowdsourcing spam identification to users. Other email providers and spam filters followed suit. A 'solved problem' doesn't mean the problem doesn't exist anymore, it means that there are now solutions to said problem.

And re: search, you can't really fault him for supporting his own company.

Re:Hubris

[Daetrin]

That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.

That's just Hubris, and I am going to store both these little nuggets for when Cloudflare does or doesn't get DDoS'd. Then I will laugh. At someone. (This isn't Hubris, this is just good planning.)

Re: Hubris

Exactly true. People won't waste their botnets time when they have other uses. But if even one ddos works, they'll be fighting them for years to come.

Re: Hubris

Spam is a solved problem, from several angles.

The solution was to reject everything other than verified senders, and consider problematic senders as spam automatically. This solution was ignored. So we tried with pattern-matching heuristics. These systems became more and more complex, until they evolved enough to reject everything other than verified senders, and to consider problematic senders as spam automatically.

Re:Hubris

[Wrexs0ul]

Came here to say someone will take this as a challenge. You made it by post #2

Sadly no mod points, but you win the internet for today.

Re:Hubris

[Zaelath]

Well, not only that, but this really is an insurance pool and they've decided to treat it as such.

Realistically, if they've got a bigger pipe than any of the botnets out there, it doesn't matter which of their customers is under attack.

Re:Hubris

[Spamalope]

Doesn't Cloudflare charge for bandwidth like other cloud providers? Wouldn't this really translate to 'I dare you to give me a big payday at my customer's expense' assuming that's the case?

Re:Hubris

What the hell are you talking about? Spam email has been a solved problem for many years. I haven't seen one in a long time and the spam filters never make false positives.

Re:Hubris

yeah, that point whoring ship has sailed

Re:Hubris

[Obfuscant]

The only way this works (financially) is if they can publicize well enough, "DDOS against Cloudflare won't work, they have too much bandwidth," and people stop trying.

No, that's not enough. They either also have to become the host to every website on the planet, or convince everyone who would attempt a DDoS that they are and thus shouldn't bother trying.

That's what ""something you only read about in the history books" means. It never happens.

Of course, to be financially beneficial to Cloudflare, all it takes is this, from TFA: "Cloudflare has even protected the websites of DDoS perpetrators, while selling services to mitigate them." Yes, when you sell mitigation services against attacks from people you also sell network services to, it is a win-win for you. Not so much for anyone else.

What's scary is that this guy keeps talking about "Now every website will be able to fight back against DDoS attacks for free." Fighting back is not the same as mitigating damage from.

Re:Hubris

It's already happening. I'm seeing network issues everywhere.

Re: Hubris

[tepples]

Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.

Re: Hubris

[scdeimos]

Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.

They shouldn't be. We see plenty of spam that passes SPF and DKIM validation because it's very little effort for spammers to add that information when they're setting up their DNS records. It's clearly not difficult for them to spread DKIM keys through their botnets. Thankfully there are other "tells" that give away the majority of spam.

Re: Hubris

[tepples]

What might these "tells" be, so that a responsible server operator can avoid them in, say, legitimate notifications that a customer's order was accepted or shipped or that a product on a customer's wishlist has come back in stock?

Re:Hubris

Roughly 20% of the email in my Google SpamBox is, technically speaking, legitimate email for me.

Re:Hubris

Struggling to see the relevance here.

Is your argument that one person made a prediction that failed (so you claim) therefore all predictions made by people will likewise fail?

That seems like an obvious non-sequitur to me.

You could make a case for 99% of all past predictions failing, therefore we should assume the next will fail also, but that's a very different argument. That would be inductive and probabilistic, but in any case that's not the argument you made. I fail to see any causal link or even correlation between Bill Gates' prediction and this one by Cloudflare.

Re:Hubris

I am guessing this is an XOR funtion.

Re:Hubris

spam is very much a solved problem, or at least one that is somewhat under control. No it will never completely disappear but it is well and truly under control and has been for a long time now.

Re:Hubris

[Zocalo]

And yet the spammers keep spamming. If spam was truly a solved problem, then there would be no money in it for them and they'd give up and move onto something else (actually some have - they've moved onto spam forums like Facebook and Twitter instead, or other aspects of cybercrime). Spam might *effectively* be a "solved" problem for you, and me for that matter, but it's clearly not a solved problem in the more general sense.

Re:Hubris

[Bengie]

I guess you didn't make it to the second sentence in the summary

every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation

Re:Hubris

[nasch]

Email spam seems pretty solved. As you say, the new problem is forum spam.

Nice marketing-lie

[gweihir]

Cloudflare may at this time be able to mitigate simple flooding-based DDoS as long as it does not get too large. If you are willing to make yourself dependent on them, that is. As soon as the DDoS is a bit more sophisticated and masks as legitimate traffic, your visitors will either be tortured by inane captchas or the mitigation vanishes. That is, if captchas hold up longer-term. Which is highly questionable.

In the end, this is a transparent and empty gesture implying strength, intended to sway those weak of mind.

Re:Nice marketing-lie

[Guspaz]

CloudFlare has several times handled DDoS attacks that were then the largest attacks recorded, including a 400Gbps in 2014 and a 600Gbps in 2016. Sometimes these are simple network traffic requests, sometimes these are masquerading as legitimate traffic. In the latter case, you'll see an interstitial page that appears to validate your browser using some sort of javascript. In either case, they certainly have a proven track record of handling very large attacks.

Re: Nice marketing-lie

Both in 2014 and 2016 those sites went down and buckled from the bandwidth. Then they dropped Bruce because the ddos attacks against him were too large and wasn't cost effective.

So they are trying to rally against policies they themselves created...disgusting.

Re:Nice marketing-lie

[stephanruby]

you'll see an interstitial page that appears to validate your browser using some sort of javascript.

How do you move past that interstitial page? I'm not a bot, I swear. I just use an adblocker. And clicking on the link they tell me to click on just brings me back to the same page.

To me, CloudFlare has been synonymous with 404 and their CEO seems to be as delusional as Donald Trump. Instead of admitting that they can't follow through on their own marketing, they just double down on the lie.

Re:Nice marketing-lie

[Guspaz]

I've never had that problem using uBlock Origin.

Re:Nice marketing-lie

[gweihir]

These attacks are not particularly large or impressive. The only surprising thing was that somebody was willing to expose themselves (somewhat) by going larger than others before. But measured against what is possible, these werw not that big.

Re: Nice marketing-lie

Salem AC here, Bruce should say Brian, as in Brian Krebs. Typo.

Re:Nice marketing-lie

both of those attacks were successful, Cloudflare took considerable time to partially mitigate them and even then it crashed the sites in question. saying they have proven track record in handling them is like saying a drunk that gets beaten up once a week at the pub has a proven track record of handling themselves in a fight. Yes you have a better chance with them in front due to their scale and experience but they are by no means a silver bullet and most attacks are long over before any realistic mitigation can be put in place by them.

Re: Nice marketing-lie

I think it was Brian Krebs in 2016 who was ddossed. Also, he was on akamai, not cloudflare.

"Hold my beer."

"Hold my beer." -- Internet

History

I guess we'll read about the concept of a decentralized world wide web in history books too then.

Re:History

[Wootery]

Amazon AWS would like a word.

Cloudflare CEO was also noted saying

[phorm]

Here, hold my beer...

This just in!

CEO hawks product! News at 11.

The hackers quote was better.

[fleabay]

"What you have here is a failure to communicate"

Re: The hackers quote was better.

https://en.m.wikipedia.org/wiki/What_we%27ve_got_here_is_failure_to_communicate

What about Slashdotting protection?

[klashn]

Will a site be protected from being slashdotted? It's kind of a DDoS

Re:What about Slashdotting protection?

Those days are long long over. If a server can't handle being slashdotted these days then it's a shitty server with shitty code.

Re: What about Slashdotting protection?

Creimer once declared that his site was slashdotted. I'd post the comment link but he deleted his account like a coward. Go figure. Guy makes a bunch of lies up, deletes account when called out about it...news at 11.

Re: What about Slashdotting protection?

Hah, he actually did! What a coward. One less virtue signalling liar.

Re: What about Slashdotting protection?

Indeed, now he just posts under the names "CDReimer" and "ILoveBigFatCashews" as well as AC from time to time when he wants to spam affiliate links. Basically the community has outed him. He's an outcast that we all just point and laugh at.

Re:What about Slashdotting protection?

[DerekLyons]

I haven't heard of a site of any significance being slashdotted in well over a decade. Part of that is the 'net in general being much more robust than it was back around the turn of the century when slashdotting was common. Part of is that, well... to be frank, Slashdot is all but irrelevant anymore.

Re:What about Slashdotting protection?

The FBI site was unavailable at least for several minutes after releasing the Tsarnaev photos related to the Boston Marathon Bombings.

Lifelock

[pr0t0]

I'm so sure of our ability to protect your identity, I'm posting my social security number for all to see!

Re:Lifelock

Don't need, I already have it since Equifax leak !

A few possible problems:

[Rick+Schumann]

1. They just threw down the 'digital gauntlet' at the feet of every hacker/hacker collective/black hat/white hat/whoever; they've more or less declared Open Season on themselves.
1A. They might know damned well they're doing this -- and want their own systems and methods tested in live-fire scenarios.
2. On the surface (allowing for some assumptions, for the sake of argument) this sounds great; but the 'hey, wait a minute..' moment soon comes, and you realize that they're setting themselves up as the Gatekeepers for the Internet; the digital Heimdall standing guard at the Rainbow Bridge to the Internet. That's a lot of power for one company to have, and with that power comes a lot of responsibility -- and potential for abuse.
3. DDoS attacks are just one form of digital treachery that is committed on the Internet; what about everything else?

Re:A few possible problems:

Censorship of legal websites?

Re:A few possible problems:

[Guspaz]

CloudFlare was handling roughly 10% of all web traffic a year and a half ago, presumably it's higher now. They're already one of the gatekeepers.

Re:A few possible problems:

Whatever techniques Cloudflare is using, there's nothing to stop other providers from adopting the same. So the "gatekeeper" effect isn't really there.

Re:A few possible problems:

[guruevi]

Cloudflare is big, it has hosting in a lot of major ISP's network. What Cloudflare does is when it notices a DDoS attack from a particular segment, it shifts the traffic to the closest originating ISP and then it only impacts the ISP which at that point is going to be motivated to getting the 'bad traffic' off their network whether that is by pressuring smaller ISP's or simply cutting them off.

Re:A few possible problems:

Ultimately, CloudFlare is a content distribution network. They cache your data in various places around the world with big pipes to those places. If you are using their "free" service they are only handling static content. There is fare less static content on the Internet these days. You can still get DDoS through anything dynamic that you do, which is almost all of your web site.

Re:A few possible problems:

they're setting themselves up as the Gatekeepers for the Internet;

Yes, exactly
You would read about DDoS attacks in the history books that will also detail how CEO of CloudFlare became the president of the Internet and outlawed all other providers.
Apple would maybe preserve a small premium/walled-off internet version that is not under CloudFlare's control.

Re:A few possible problems:

CloudFlare needs to do something to try to stay relevant now that everyone knows they cancel services to people they don't like.

Re:A few possible problems:

[tepples]

anything dynamic that you do, which is almost all of your web site.

Unless the vast majority of the dynamic stuff runs client-side. This can be true if your site is a client-side single-page application, with restricted or no functionality on no-script browsers. Then most data that the site's client-side script handles can have a far-future Expires date.

Re:A few possible problems:

[houghi]

I do not understand point three. It is as if somebody cures AIDS and you say, "but what about the rest of the diseases?" as if it isn't a good idea to do one thing at a time.

Anyone read the article

The article gets in more detail about how DDos attacks are used to silence people because they are forced to pay extortion fees to mitigate the attacks. Basically cloudfare is saying they wonâ(TM)t kick a site when being attacked.

Somewhere, in a country not so far away...

[Opportunist]

"Hold my glass"

Re:Only LUDDITES need DDoS protection.

Nobody expects the Spanish Appity Appquisition.

DDoS for those with the wrong speech

Assuming Cloudflare can still kick the bad speakers off the internet to protect us all from the toxic things that shouldn't be said.

Yes, we'll be history

[Tablizer]

DDoS Attacks Will Now Be Something You Only Read About In The History Books

"Chapter 28. Civilization ended when the Mother of All DDoS Attacks took down an overly-confident company called Cloudflare..."

Re:Yes, we'll be history

They handle 10-20% of the internet. If a DDoS attack takes out cloudflare, large parts of the Internet will go with it. Country level backbones would likely get saturated by attack traffic.

Re: Yes, we'll be history

[Tablizer]

Is that Earth talking about humans?

Re:Yes, we'll be history

They handle 10-20% of the internet. If a DDoS attack takes out cloudflare, large parts of the Internet will go with it. Country level backbones would likely get saturated by attack traffic.

yep, which is why some of the previous attacks protected by cloudflare affected many other people.

What about other forms of DDoS?

Hosting providers being gangbanged by groups of people complaining about a website's content is essentially a DDoS. What can Cloudflare do to protect against this?

Re:What about other forms of DDoS?

Tell the site owner to listen to the complaints and produce better content.

Re:What about other forms of DDoS?

[tepples]

Does "better" mean "less objectionable to left-wing social justice warriors" or "less objectionable to right-wing paleoconservatives"?

Prediction of A Hoisting By Their Own Petard

[forkfail]

Within a year, Cloudflare will have their own system distributed protection systems turned against them to DDOS their own servers.

 

This is an organisation that...

... caused one of the worst and least easily mitigated leaks of information the internet has seen before equifax... ... is run by a CEO that then blamed the slowness of the cleanup on Google and outright lied about Google's competitors' progress in cleaning up.

I'm sorry but fuck Cloudflare and Matthew Prince.

Clickbait

[HiloJoe]

That's what this is..

Re:Clickbait

Avoid Vice and go directly to Cloudflare's own ad:
https://blog.cloudflare.com/unmetered-mitigation/

There also is a more technical post:
https://blog.cloudflare.com/no-scrubs-architecture-unmetered-mitigation/

What does Brian Krebs think?

Didn't they drop him when a DDoS on his web site started affecting their other customers?

Krebs attack

Kinda ironic, this is what they kicked Krebs off for.

fucking morons

[gravewax]

If I was a cloudflare customer I would be looking at apossible transition to its competitors and planning said move right now. I am not sure if their marketing team is retarded or just plain clueless but they have invited wide scale attacks and NO they cannot mitigate well crafted large scale attacks and everyone hosted by cloudflare will be affected.

Re:fucking morons

[aaarrrgggh]

Why do you think they can't mitigate well crafted large scale attacks? Some of the things they do only balance the asymmetry of an attack, so that the resources used on the remote machine is comparable to the resources required on the host.

I am honestly curious what happens when average residential connections are gigabit, but I am sure they are planning for that.

Re:fucking morons

[gravewax]

there is only so much you can mitigate, we are already at a stage where home connections are at the scale when aggregated together that they can drown even the insane bandwidth levels that cloudflare have and if you design your attack that it mimics normal web site traffic it can be extremely difficult to handle.

Re:fucking morons

The trick is not to have a ton of bandwidth (although that's a requirement), but to have a point of presence at every major internet service provider.

If you try to DDOS them, you will only be DDOS'ing your own ISP and maybe their uplink (if you are at a smaller ISP). And if they are at all competent, all that will accomplish is to get your own connection turned off.

"But a DDOS uses thousands of BOT machines all over the world".

Yes, but there is no way that these bots will hit the same Cloudflare server. The bots are at different ISPs, and they will each be hitting their closest Cloudflare servers. That IP address you think you are attaking? It's shared between every Cloudflare point of presence.

For the technically inclined, it's a BGP trick called anycast routing.

In the year 3000

[Progman3K]

They'll be saying things like "remember that massive DDOS attack last year? That one's going in the history books too"

DDoS attacks only read about in the history books?

[najajomo]

Only when they disconnect all those compromised Windows desktops out there on the Internet.

And what if I know the IP address?

How does cloudflare help if I know the actual IP address(es) of their customer's server(s)?

It doesn't.

Marketing wank.

Same old shit.

[Hylandr]

The ship was unsinkable they said.

CDN helps hide IP transitions

[tepples]

How does cloudflare help if I know the actual IP address(es) of their customer's server(s)?

A CDN helps your site remain up while your origin server rolls over to a new IP address by caching logged-out viewers' view of popular documents. It also lets you use IPv6 on the origin server, which makes it easier to fast-flux its IP address while still serving to user agents behind legacy IPv4-only networks.

Re:CDN helps hide IP transitions

And what happens when you can no longer afford new IP addresses from your host or they cut you off? (4 or 6, they still cost...)

Re:CDN helps hide IP transitions

[tepples]

IPv6 on the origin server

And what happens when you can no longer afford new IP addresses

2^64 addresses ought to be enough for anyone. Make the origin server IPv6-only, and rely on your CDN to proxy the /64, /60, or /56 that your provider offers to the IPv4-net.

LOL! They already ousted Brian Krebs...

over the largest DDoS in recent history, and as I remember it told him he needed to pay for a much larger plan in order to continue recieving their services (which had previously been pro-bono... free in the terms used by Cloudflare in TFA...)

Basically this sounds like them just trying to market how great they are after a slump in sales due to their previous actions calling into question their anti-DDOS capabilities.

Re:LOL! They already ousted Brian Krebs...

It was Akamai who kicked Krebs off, not Cloudflare.

Hold my Beer

[Tukz]

This reads like one big challenge.

Why announce it like this? It's just like announcing you've made an un-crackable DRM; you're awaking the kraken.

Small print

Does not apply if the CEO doesn't approve of your politics.