A familiar debate is once again surrounding Cloudflare, the content delivery network that provides a free service that protects websites from being taken down in denial-of-service attacks by masking their hosts: Is Cloudflare a bastion of free speech or an enabler of spam, malware delivery, harassment and the very DDoS attacks it claims to block?
The controversy isn’t new for Cloudflare, a network operator that has often taken a hands-off approach to moderating the enormous amount of traffic flowing through its infrastructure. With Cloudflare helping deliver 16 percent of global Internet traffic, processing 57 million web requests per second, and serving anywhere from 7.6 million to 15.7 million active websites, the decision to serve just about any actor, regardless of their behavior, has been the subject of intense disagreement, with many advocates of free speech and Internet neutrality applauding it and people fighting crime and harassment online regarding it as a pariah.
Content neutral or abuse enabling?
Spamhaus—a nonprofit organization that provides intelligence and blocklists to stem the spread of spam, phishing, malware, and botnets—has become the latest to criticize Cloudflare. On Tuesday, the project said Cloudflare provides services for 10 percent of the domains listed in its domain block list and, to date, serves sites that are the subject of more than 1,200 unresolved complaints regarding abuse.
The Spamhaus post noted how easy and common it is to find Cloudflare-protected websites that openly advertise services such as bulletproof hosting to cybercriminals.
“For years, Spamhaus has observed abusive activity facilitated by Cloudflare’s various services,” Spamhaus members wrote. “Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS).”
Cloudflare has maintained throughout most of its history that it’s not in a position to moderate or police the content or behavior of the people using its “pass-through” services, which merely use Cloudflare’s vast network to streamline delivery and prevent outages caused by DDoSes. Unlike a web host, the company doesn’t host the material, and unlike media sites and search engines, it shouldn’t be responsible for investigating reports of abuse.
“Everyone benefits from a well-functioning Internet infrastructure, just like other physical infrastructure, and we believe that infrastructure services should generally be made available in a content-neutral way,” Cloudflare’s abuse policy webpage states. “That is particularly true for services that protect users and customers from cyber attacks.”
The policy has irked critics, who say it absolves Cloudflare of the responsibility it shoulders by making harmful content and services readily available. A good example is Brian Krebs, the security reporter behind KrebsOnSecurity. In 2016, his site was knocked offline by what was at the time among the biggest DDoS attacks in history. When Cloudflare offered Krebs free protection shortly after the attacks started, the reporter declined.
“That DDoS happened not long after I spent many, many months writing about DDoS-for-hire services and how many of them were concentrated on Cloudflare and then I get hit by the biggest DDoS the Internet has ever seen,” Krebs told Ars. “I was really grateful for that outreach. It was a tough time. On reflection, I decided that their tolerance of DDoS-for-hire services on their own site really gave me pause there. At that point I didn’t even know who hit me or what hit me. It wasn’t clear to me whether they were part of the problem or the solution.”