Slashdot Mirror


DDoS Attacks Will Now Be 'Something You Only Read About In The History Books', Says Cloudflare CEO (vice.com)

Louise Matsakis, writing for Motherboard: Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size. Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. "The standard practice in the industry for some time has been to charge more if you come under attack," Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often "fire you as a customer if you're not sort of paying enough and you get a large attack," he explained. "That's kind of gross."


  1. Hubris by DaMattster · · Score: 4, Insightful

    That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

    1. Re:Hubris by Anonymous Coward · · Score: 1

      TFA did sound like a challenge.

    2. Re:Hubris by Zocalo · · Score: 4, Interesting
      Matthew Prince should have a chat with Bill Gates about how well his 2004 prediction at Davos that spam will be a solved problem within two years worked out.

      Also from that link:

      [Gates] hailed search technology firm Google as a "great company"; its approach reminded him of Microsoft 20 years ago. But he also predicted that Microsoft search technology would soon outpace that of its rival.

      I suspect Prince's powers of prognostication are no better than Gates'.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Hubris by Gussington · · Score: 4, Funny

      That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

      That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.

    4. Re:Hubris by phantomfive · · Score: 5, Interesting

      The only way this works (financially) is if they can publicize well enough, "DDOS against Cloudflare won't work, they have too much bandwidth," and people stop trying.

      IF they are successful in holding off a few well-publicized DDOS attempts, then their strategy will probably work.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Hubris by pushing-robot · · Score: 4, Interesting

      Gmail launched a few months after Gates's prediction, and within a couple years had pretty much solved the unsolicited spam problem by monitoring the flow of mass emails and crowdsourcing spam identification to users. Other email providers and spam filters followed suit. A 'solved problem' doesn't mean the problem doesn't exist anymore, it means that there are now solutions to said problem.

      And re: search, you can't really fault him for supporting his own company.

      --
      How can I believe you when you tell me what I don't want to hear?
    6. Re:Hubris by Daetrin · · Score: 1

      That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

      That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.

      That's just Hubris, and I am going to store both these little nuggets for when Cloudflare does or doesn't get DDoS'd. Then I will laugh. At someone. (This isn't Hubris, this is just good planning.)

      --
      This Space Intentionally Left Blank
    7. Re: Hubris by Anonymous Coward · · Score: 1

      Spam is a solved problem, from several angles.

      The solution was to reject everything other than verified senders, and consider problematic senders as spam automatically. This solution was ignored. So we tried with pattern-matching heuristics. These systems became more and more complex, until they evolved enough to reject everything other than verified senders, and to consider problematic senders as spam automatically.

    8. Re:Hubris by Wrexs0ul · · Score: 1

      Came here to say someone will take this as a challenge. You made it by post #2

      Sadly no mod points, but you win the internet for today.

      --
      --- Need web hosting?
    9. Re:Hubris by Zaelath · · Score: 1

      Well, not only that, but this really is an insurance pool and they've decided to treat it as such.

      Realistically, if they've got a bigger pipe than any of the botnets out there, it doesn't matter which of their customers is under attack.

    10. Re:Hubris by Spamalope · · Score: 1

      Doesn't Cloudflare charge for bandwidth like other cloud providers? Wouldn't this really translate to 'I dare you to give me a big payday at my customer's expense' assuming that's the case?

    11. Re:Hubris by Obfuscant · · Score: 3, Insightful

      The only way this works (financially) is if they can publicize well enough, "DDOS against Cloudflare won't work, they have too much bandwidth," and people stop trying.

      No, that's not enough. They either also have to become the host to every website on the planet, or convince everyone who would attempt a DDoS that they are and thus shouldn't bother trying.

      That's what "something you only read about in the history books" means. It never happens.

      Of course, to be financially beneficial to Cloudflare, all it takes is this, from TFA: "Cloudflare has even protected the websites of DDoS perpetrators, while selling services to mitigate them." Yes, when you sell mitigation services against attacks from people you also sell network services to, it is a win-win for you. Not so much for anyone else.

      What's scary is that this guy keeps talking about "Now every website will be able to fight back against DDoS attacks for free." Fighting back is not the same as mitigating damage from.

    12. Re: Hubris by tepples · · Score: 1

      Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.

    13. Re: Hubris by scdeimos · · Score: 1

      Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.

      They shouldn't be. We see plenty of spam that passes SPF and DKIM validation because it's very little effort for spammers to add that information when they're setting up their DNS records. It's clearly not difficult for them to spread DKIM keys through their botnets. Thankfully there are other "tells" that give away the majority of spam.

    14. Re: Hubris by tepples · · Score: 1

      What might these "tells" be, so that a responsible server operator can avoid them in, say, legitimate notifications that a customer's order was accepted or shipped or that a product on a customer's wishlist has come back in stock?

    15. Re:Hubris by Zocalo · · Score: 2

      And yet the spammers keep spamming. If spam was truly a solved problem, then there would be no money in it for them and they'd give up and move onto something else (actually some have - they've moved onto spam forums like Facebook and Twitter instead, or other aspects of cybercrime). Spam might *effectively* be a "solved" problem for you, and me for that matter, but it's clearly not a solved problem in the more general sense.

      --
      UNIX? They're not even circumcised! Savages!
    16. Re:Hubris by Bengie · · Score: 1
      I guess you didn't make it to the second sentence in the summary

      every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation

    17. Re:Hubris by nasch · · Score: 1

      Email spam seems pretty solved. As you say, the new problem is forum spam.

  2. Nice marketing-lie by gweihir · · Score: 1

    Cloudflare may at this time be able to mitigate simple flooding-based DDoS as long as it does not get too large. If you are willing to make yourself dependent on them, that is. As soon as the DDoS is a bit more sophisticated and masks as legitimate traffic, your visitors will either be tortured by inane captchas or the mitigation vanishes. That is, if captchas hold up longer-term. Which is highly questionable.

    In the end, this is a transparent and empty gesture implying strength, intended to sway those weak of mind.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Nice marketing-lie by Guspaz · · Score: 5, Informative

      CloudFlare has several times handled DDoS attacks that were then the largest attacks recorded, including a 400Gbps in 2014 and a 600Gbps in 2016. Sometimes these are simple network traffic requests, sometimes these are masquerading as legitimate traffic. In the latter case, you'll see an interstitial page that appears to validate your browser using some sort of javascript. In either case, they certainly have a proven track record of handling very large attacks.

    2. Re: Nice marketing-lie by Anonymous Coward · · Score: 1

      Both in 2014 and 2016 those sites went down and buckled from the bandwidth. Then they dropped Bruce because the ddos attacks against him were too large and wasn't cost effective.

      So they are trying to rally against policies they themselves created...disgusting.

    3. Re:Nice marketing-lie by stephanruby · · Score: 2

      you'll see an interstitial page that appears to validate your browser using some sort of javascript.

      How do you move past that interstitial page? I'm not a bot, I swear. I just use an adblocker. And clicking on the link they tell me to click on just brings me back to the same page.

      To me, CloudFlare has been synonymous with 404 and their CEO seems to be as delusional as Donald Trump. Instead of admitting that they can't follow through on their own marketing, they just double down on the lie.

    4. Re:Nice marketing-lie by Guspaz · · Score: 1

      I've never had that problem using uBlock Origin.

    5. Re:Nice marketing-lie by gweihir · · Score: 1

      These attacks are not particularly large or impressive. The only surprising thing was that somebody was willing to expose themselves (somewhat) by going larger than others before. But measured against what is possible, these were not that big.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re: Nice marketing-lie by Anonymous Coward · · Score: 1

      Salem AC here, Bruce should say Brian, as in Brian Krebs. Typo.

  3. "Hold my beer." by Anonymous Coward · · Score: 5, Funny

    "Hold my beer." -- Internet

  4. History by Anonymous Coward · · Score: 2, Insightful

    I guess we'll read about the concept of a decentralized world wide web in history books too then.

    1. Re:History by Wootery · · Score: 1

      Amazon AWS would like a word.

  5. Cloudflare CEO was also noted saying by phorm · · Score: 1

    Here, hold my beer...

  6. The hackers quote was better. by fleabay · · Score: 1

    "What you have here is a failure to communicate"

  7. What about Slashdotting protection? by klashn · · Score: 4, Funny

    Will a site be protected from being slashdotted? It's kind of a DDoS

    1. Re:What about Slashdotting protection? by DerekLyons · · Score: 1

      I haven't heard of a site of any significance being slashdotted in well over a decade. Part of that is the 'net in general being much more robust than it was back around the turn of the century when slashdotting was common. Part of it is that, well... to be frank, Slashdot is all but irrelevant anymore.

    2. Re:What about Slashdotting protection? by Anonymous Coward · · Score: 1

      The FBI site was unavailable at least for several minutes after releasing the Tsarnaev photos related to the Boston Marathon Bombings.

  8. Lifelock by pr0t0 · · Score: 1

    I'm so sure of our ability to protect your identity, I'm posting my social security number for all to see!

    --
    I'm sorry, but your opinion seems to be wrong.
  9. A few possible problems: by Rick+Schumann · · Score: 5, Insightful

    1. They just threw down the 'digital gauntlet' at the feet of every hacker/hacker collective/black hat/white hat/whoever; they've more or less declared Open Season on themselves.
    1A. They might know damned well they're doing this -- and want their own systems and methods tested in live-fire scenarios.
    2. On the surface (allowing for some assumptions, for the sake of argument) this sounds great; but the 'hey, wait a minute..' moment soon comes, and you realize that they're setting themselves up as the Gatekeepers for the Internet; the digital Heimdall standing guard at the Rainbow Bridge to the Internet. That's a lot of power for one company to have, and with that power comes a lot of responsibility -- and potential for abuse.
    3. DDoS attacks are just one form of digital treachery that is committed on the Internet; what about everything else?

    1. Re:A few possible problems: by Guspaz · · Score: 4, Informative

      CloudFlare was handling roughly 10% of all web traffic a year and a half ago, presumably it's higher now. They're already one of the gatekeepers.

    2. Re:A few possible problems: by guruevi · · Score: 4, Informative

      Cloudflare is big, it has hosting in a lot of major ISP's network. What Cloudflare does is when it notices a DDoS attack from a particular segment, it shifts the traffic to the closest originating ISP and then it only impacts the ISP which at that point is going to be motivated to getting the 'bad traffic' off their network whether that is by pressuring smaller ISP's or simply cutting them off.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:A few possible problems: by Anonymous Coward · · Score: 1

      Ultimately, CloudFlare is a content distribution network. They cache your data in various places around the world with big pipes to those places. If you are using their "free" service they are only handling static content. There is far less static content on the Internet these days. You can still get DDoS through anything dynamic that you do, which is almost all of your web site.

    4. Re:A few possible problems: by tepples · · Score: 1

      anything dynamic that you do, which is almost all of your web site.

      Unless the vast majority of the dynamic stuff runs client-side. This can be true if your site is a client-side single-page application, with restricted or no functionality on no-script browsers. Then most data that the site's client-side script handles can have a far-future Expires date.

    5. Re:A few possible problems: by houghi · · Score: 1

      I do not understand point three. It is as if somebody cures AIDS and you say, "but what about the rest of the diseases?" as if it isn't a good idea to do one thing at a time.

      --
      Don't fight for your country, if your country does not fight for you.
  10. Anyone read the article by Anonymous Coward · · Score: 1

    The article gets in more detail about how DDoS attacks are used to silence people because they are forced to pay extortion fees to mitigate the attacks. Basically Cloudflare is saying they won't kick a site when being attacked.

  11. Somewhere, in a country not so far away... by Opportunist · · Score: 1

    "Hold my glass"

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Yes, we'll be history by Tablizer · · Score: 1

    DDoS Attacks Will Now Be Something You Only Read About In The History Books

    "Chapter 28. Civilization ended when the Mother of All DDoS Attacks took down an overly-confident company called Cloudflare..."

    1. Re:Yes, we'll be history by Anonymous Coward · · Score: 1

      They handle 10-20% of the internet. If a DDoS attack takes out cloudflare, large parts of the Internet will go with it. Country level backbones would likely get saturated by attack traffic.

    2. Re: Yes, we'll be history by Tablizer · · Score: 1

      Is that Earth talking about humans?

  13. This is an organisation that... by Anonymous Coward · · Score: 1

    ... caused one of the worst and least easily mitigated leaks of information the internet has seen before equifax... ... is run by a CEO that then blamed the slowness of the cleanup on Google and outright lied about Google's competitors' progress in cleaning up.

    I'm sorry but fuck Cloudflare and Matthew Prince.

  14. Clickbait by HiloJoe · · Score: 1

    That's what this is..

  15. fucking morons by gravewax · · Score: 1

    If I was a cloudflare customer I would be looking at a possible transition to its competitors and planning said move right now. I am not sure if their marketing team is retarded or just plain clueless but they have invited wide scale attacks and NO they cannot mitigate well crafted large scale attacks and everyone hosted by cloudflare will be affected.

    1. Re:fucking morons by aaarrrgggh · · Score: 1

      Why do you think they can't mitigate well crafted large scale attacks? Some of the things they do only balance the asymmetry of an attack, so that the resources used on the remote machine is comparable to the resources required on the host.

      I am honestly curious what happens when average residential connections are gigabit, but I am sure they are planning for that.

    2. Re:fucking morons by gravewax · · Score: 1

      there is only so much you can mitigate, we are already at a stage where home connections are at the scale when aggregated together that they can drown even the insane bandwidth levels that cloudflare have and if you design your attack that it mimics normal web site traffic it can be extremely difficult to handle.

  16. In the year 3000 by Progman3K · · Score: 1

    They'll be saying things like "remember that massive DDOS attack last year? That one's going in the history books too"

    --
    I don't know the meaning of the word 'don't' - J
  17. DDoS attacks only read about in the history books? by najajomo · · Score: 1

    Only when they disconnect all those compromised Windows desktops out there on the Internet.

  18. Same old shit. by Hylandr · · Score: 1

    The ship was unsinkable they said.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  19. Re:What about other forms of DDoS? by tepples · · Score: 1

    Does "better" mean "less objectionable to left-wing social justice warriors" or "less objectionable to right-wing paleoconservatives"?

  20. CDN helps hide IP transitions by tepples · · Score: 1

    How does cloudflare help if I know the actual IP address(es) of their customer's server(s)?

    A CDN helps your site remain up while your origin server rolls over to a new IP address by caching logged-out viewers' view of popular documents. It also lets you use IPv6 on the origin server, which makes it easier to fast-flux its IP address while still serving to user agents behind legacy IPv4-only networks.

    1. Re:CDN helps hide IP transitions by tepples · · Score: 1

      IPv6 on the origin server

      And what happens when you can no longer afford new IP addresses

      2^64 addresses ought to be enough for anyone. Make the origin server IPv6-only, and rely on your CDN to proxy the /64, /60, or /56 that your provider offers to the IPv4-net.

  21. Hold my Beer by Tukz · · Score: 1

    This reads like one big challenge.

    Why announce it like this? It's just like announcing you've made an un-crackable DRM; you're awaking the kraken.

    --
    - Don't do what I do, it's probably not healthy nor safe. -