November 14, 2024

SPAMHAUS VS. CLOUDFLARE — Cloudflare once again comes under pressure for enabling abusive sites Cloudflare masks the origin of roughly 10% of abusive domains, watchdog says.

Dan Goodin – Jul 31, 2024 11:22 pm UTC EnlargeGetty Images reader comments 43

A familiar debate is once again surrounding Cloudflare, the content delivery network that provides a free service that protects websites from being taken down in denial-of-service attacks by masking their hosts: Is Cloudflare a bastion of free speech or an enabler of spam, malware delivery, harassment and the very DDoS attacks it claims to block?

The controversy isn’t new for Cloudflare, a network operator that has often taken a hands-off approach to moderating the enormous amount of traffic flowing through its infrastructure. With Cloudflare helping deliver 16 percent of global Internet traffic, processing 57 million web requests per second, and serving anywhere from 7.6 million to 15.7 million active websites, the decision to serve just about any actor, regardless of their behavior, has been the subject of intense disagreement, with many advocates of free speech and Internet neutrality applauding it and people fighting crime and harassment online regarding it as a pariah. Content neutral or abuse enabling?

Spamhausa nonprofit organization that provides intelligence and blocklists to stem the spread of spam, phishing, malware, and botnetshas become the latest to criticize Cloudflare. On Tuesday, the project said Cloudflare provides services for 10 percent of the domains listed in its domain block list and, to date, serves sites that are the subject of more than 1,200 unresolved complaints regarding abuse.

The Spamhaus post noted how easy and common it is to find Cloudflare-protected websites that openly advertise services such as bulletproof hosting to cybercriminals.

“For years, Spamhaus has observed abusive activity facilitated by Cloudflares various services,” Spamhaus members wrote. “Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS).”

Cloudflare has maintained throughout most of its history that its not in a position to moderate or police the content or behavior of the people using its “pass-though” services, which merely use Cloudflare’s vast network to streamline delivery and prevent outages caused by DDoSes. Unlike a web host, the company doesnt host the material, and unlike media sites and search engines, it shouldnt be responsible for investigating reports of abuse.

“Everyone benefits from a well-functioning Internet infrastructure, just like other physical infrastructure, and we believe that infrastructure services should generally be made available in a content-neutral way,” Cloudflares abuse policy webpage states. “That is particularly true for services that protect users and customers from cyber attacks.”

Further ReadingWhy the silencing of KrebsOnSecurity opens a troubling chapter for the NetThe policy has irked critics, who say it absolves Cloudflare of the responsibility it shoulders from making harmful content and services readily available. A good example is Brian Krebs, the security reporter behind KrebsOnSecurity. In 2016, his site collapsed, and it was at the time among the biggest DDoS attacks in history. When Cloudflare offered Krebs free protection shortly after the attacks started, the reporter declined.

“That DDoS happened not long after I spent many, many months writing about DDoS-for-hire services and how many of them were concentrated on Cloudflare and then I get hit by the biggest DDoS the Internet has ever seen,” Krebs told Ars. “I was really grateful for that outreach. It was a tough time. On reflection, I decided that their tolerance of DDoS-for-hire services on their own site really gave me pause there. At that point I didn’t even know who hit me or what hit me. It wasnt clear to me whether they were part of the problem or the solution.” Page: 1 2 Next → reader comments 43 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars