
DDoS Attacks Will Now Be 'Something You Only Read About In The History Books', Says Cloudflare CEO (vice.com)

Louise Matsakis, writing for Motherboard: Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size. Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. "The standard practice in the industry for some time has been to charge more if you come under attack," Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often "fire you as a customer if you're not sort of paying enough and you get a large attack," he explained. "That's kind of gross."
  • Hubris (Score:5, Insightful)

    by DaMattster ( 977781 ) on Monday September 25, 2017 @03:06PM (#55261759)
    That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.
    • by Anonymous Coward

      TFA did sound like a challenge.

      • Re:Hubris (Score:5, Interesting)

        by phantomfive ( 622387 ) on Monday September 25, 2017 @03:37PM (#55261967) Journal
        The only way this works (financially) is if they can publicize well enough, "DDOS against Cloudflare won't work, they have too much bandwidth," and people stop trying.

        IF they are successful in holding off a few well-publicized DDOS attempts, then their strategy will probably work.
        • Well, not only that, but this really is an insurance pool and they've decided to treat it as such.

          Realistically, if they've got a bigger pipe than any of the botnets out there, it doesn't matter which of their customers is under attack.

        • Re:Hubris (Score:4, Insightful)

          by Obfuscant ( 592200 ) on Monday September 25, 2017 @07:29PM (#55263097)

          The only way this works (financially) is if they can publicize well enough, "DDOS against Cloudflare won't work, they have too much bandwidth," and people stop trying.

          No, that's not enough. They either also have to become the host to every website on the planet, or convince everyone who would attempt a DDoS that they are and thus shouldn't bother trying.

          That's what "something you only read about in the history books" means. It never happens.

          Of course, to be financially beneficial to Cloudflare, all it takes is this, from TFA: "Cloudflare has even protected the websites of DDoS perpetrators, while selling services to mitigate them." Yes, when you sell mitigation services against attacks from people you also sell network services to, it is a win-win for you. Not so much for anyone else.

          What's scary is that this guy keeps talking about "Now every website will be able to fight back against DDoS attacks for free." Fighting back is not the same as mitigating damage from.

      • Came here to say someone will take this as a challenge. You made it by post #2

        Sadly no mod points, but you win the internet for today.

    • Re:Hubris (Score:5, Interesting)

      by Zocalo ( 252965 ) on Monday September 25, 2017 @03:17PM (#55261829) Homepage
      Matthew Prince should have a chat with Bill Gates about how well his 2004 prediction at Davos [bbc.co.uk] that spam will be a solved problem within two years worked out.

      Also from that link:

      [Gates] hailed search technology firm Google as a "great company"; its approach reminded him of Microsoft 20 years ago. But he also predicted that Microsoft search technology would soon outpace that of its rival.

      I suspect Prince's powers of prognostication are no better than Gates'.

      • Re:Hubris (Score:5, Interesting)

        by pushing-robot ( 1037830 ) on Monday September 25, 2017 @03:43PM (#55261995)

        Gmail launched a few months after Gates's prediction, and within a couple years had pretty much solved the unsolicited spam problem by monitoring the flow of mass emails and crowdsourcing spam identification to users. Other email providers and spam filters followed suit. A 'solved problem' doesn't mean the problem doesn't exist anymore, it means that there are now solutions to said problem.

        And re: search, you can't really fault him for supporting his own company.

      • by Anonymous Coward

        Spam is a solved problem, from several angles.

        The solution was to reject everything other than verified senders, and consider problematic senders as spam automatically. This solution was ignored. So we tried with pattern-matching heuristics. These systems became more and more complex, until they evolved enough to reject everything other than verified senders, and to consider problematic senders as spam automatically.

        • by tepples ( 727027 )

          Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.

          • Then the problem becomes how a new sender with valid DKIM and SPF becomes verified.

            They shouldn't be. We see plenty of spam that passes SPF and DKIM validation because it's very little effort for spammers to add that information when they're setting up their DNS records. It's clearly not difficult for them to spread DKIM keys through their botnets. Thankfully there are other "tells" that give away the majority of spam.

            • by tepples ( 727027 )

              What might these "tells" be, so that a responsible server operator can avoid them in, say, legitimate notifications that a customer's order was accepted or shipped or that a product on a customer's wishlist has come back in stock?

    • Re:Hubris (Score:5, Funny)

      by Gussington ( 4512999 ) on Monday September 25, 2017 @03:35PM (#55261947)

      That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

      That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.

      • by Daetrin ( 576516 )

        That's just Hubris and I am going to store this little nugget for when Cloudflare does get DDoS'd. Then I will laugh.

        That's just Hubris and I am going to store this little nugget for when Cloudflare doesn't get DDoS'd. Then I will laugh.

        That's just Hubris, and I am going to store both these little nuggets for when Cloudflare does or doesn't get DDoS'd. Then I will laugh. At someone. (This isn't Hubris, this is just good planning.)

    • Doesn't Cloudflare charge for bandwidth like other cloud providers? Wouldn't this really translate to 'I dare you to give me a big payday at my customer's expense' assuming that's the case?
      • by Bengie ( 1121981 )
        I guess you didn't make it to the second sentence in the summary

        every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation

  • Cloudflare may at this time be able to mitigate simple flooding-based DDoS as long as it does not get too large. If you are willing to make yourself dependent on them, that is. As soon as the DDoS is a bit more sophisticated and masks as legitimate traffic, your visitors will either be tortured by inane captchas or the mitigation vanishes. That is, if captchas hold up longer-term. Which is highly questionable.

    In the end, this is a transparent and empty gesture implying strength, intended to sway those weak

    • by Guspaz ( 556486 ) on Monday September 25, 2017 @03:53PM (#55262031)

      CloudFlare has several times handled DDoS attacks that were then the largest attacks recorded, including a 400Gbps in 2014 and a 600Gbps in 2016. Sometimes these are simple network traffic requests, sometimes these are masquerading as legitimate traffic. In the latter case, you'll see an interstitial page that appears to validate your browser using some sort of javascript. In either case, they certainly have a proven track record of handling very large attacks.

      • by Anonymous Coward

        Both in 2014 and 2016 those sites went down and buckled from the bandwidth. Then they dropped Bruce because the ddos attacks against him were too large and wasn't cost effective.

        So they are trying to rally against policies they themselves created...disgusting.

      • you'll see an interstitial page that appears to validate your browser using some sort of javascript.

        How do you move past that interstitial page? I'm not a bot, I swear. I just use an adblocker. And clicking on the link they tell me to click on just brings me back to the same page.

        To me, CloudFlare has been synonymous with 404 and their CEO seems to be as delusional as Donald Trump. Instead of admitting that they can't follow through on their own marketing, they just double down on the lie.

      • by gweihir ( 88907 )

        These attacks are not particularly large or impressive. The only surprising thing was that somebody was willing to expose themselves (somewhat) by going larger than others before. But measured against what is possible, these were not that big.

  • by Anonymous Coward on Monday September 25, 2017 @03:13PM (#55261791)

    "Hold my beer." -- Internet

  • History (Score:2, Insightful)

    by Anonymous Coward

    I guess we'll read about the concept of a decentralized world wide web in history books too then.

  • Here, hold my beer...

  • "What you have here is a failure to communicate"
  • by klashn ( 1323433 ) on Monday September 25, 2017 @03:20PM (#55261855) Journal
    Will a site be protected from being slashdotted? It's kind of a DDoS
    • I haven't heard of a site of any significance being slashdotted in well over a decade. Part of that is the 'net in general being much more robust than it was back around the turn of the century when slashdotting was common. Part of it is that, well... to be frank, Slashdot is all but irrelevant anymore.

      • by Anonymous Coward

        The FBI site was unavailable at least for several minutes after releasing the Tsarnaev photos related to the Boston Marathon Bombings.

  • I'm so sure of our ability to protect your identity, I'm posting my social security number for all to see!

  • by Rick Schumann ( 4662797 ) on Monday September 25, 2017 @03:24PM (#55261877) Journal
    1. They just threw down the 'digital gauntlet' at the feet of every hacker/hacker collective/black hat/white hat/whoever; they've more or less declared Open Season on themselves.
    1A. They might know damned well they're doing this -- and want their own systems and methods tested in live-fire scenarios.
    2. On the surface (allowing for some assumptions, for the sake of argument) this sounds great; but the 'hey, wait a minute..' moment soon comes, and you realize that they're setting themselves up as the Gatekeepers for the Internet; the digital Heimdall standing guard at the Rainbow Bridge to the Internet. That's a lot of power for one company to have, and with that power comes a lot of responsibility -- and potential for abuse.
    3. DDoS attacks are just one form of digital treachery that is committed on the Internet; what about everything else?
    • by Guspaz ( 556486 ) on Monday September 25, 2017 @03:56PM (#55262047)

      CloudFlare was handling roughly 10% of all web traffic a year and a half ago, presumably it's higher now. They're already one of the gatekeepers.

    • by Anonymous Coward

      Ultimately, CloudFlare is a content distribution network. They cache your data in various places around the world with big pipes to those places. If you are using their "free" service they are only handling static content. There is far less static content on the Internet these days. You can still get DDoS through anything dynamic that you do, which is almost all of your web site.

      • by tepples ( 727027 )

        anything dynamic that you do, which is almost all of your web site.

        Unless the vast majority of the dynamic stuff runs client-side. This can be true if your site is a client-side single-page application, with restricted or no functionality on no-script browsers. Then most data that the site's client-side script handles can have a far-future Expires date.

    • by houghi ( 78078 )

      I do not understand point three. It is as if somebody cures AIDS and you say, "but what about the rest of the diseases?" as if it isn't a good idea to do one thing at a time.

  • by Anonymous Coward

    The article gets in more detail about how DDoS attacks are used to silence people because they are forced to pay extortion fees to mitigate the attacks. Basically Cloudflare is saying they won't kick a site when being attacked.

  • DDoS Attacks Will Now Be Something You Only Read About In The History Books

    "Chapter 28. Civilization ended when the Mother of All DDoS Attacks took down an overly-confident company called Cloudflare..."

    • by Anonymous Coward

      They handle 10-20% of the internet. If a DDoS attack takes out cloudflare, large parts of the Internet will go with it. Country level backbones would likely get saturated by attack traffic.

  • Within a year, Cloudflare will have their own system distributed protection systems turned against them to DDOS their own servers.

     

  • by Anonymous Coward

    ... caused one of the worst and least easily mitigated leaks of information the internet has seen before equifax... ... is run by a CEO that then blamed the slowness of the cleanup on Google and outright lied about Google's competitors' progress in cleaning up.

    I'm sorry but fuck Cloudflare and Matthew Prince.

  • That's what this is..
  • If I was a cloudflare customer I would be looking at a possible transition to its competitors and planning said move right now. I am not sure if their marketing team is retarded or just plain clueless but they have invited wide scale attacks and NO they cannot mitigate well crafted large scale attacks and everyone hosted by cloudflare will be affected.
    • Why do you think they can't mitigate well crafted large scale attacks? Some of the things they do only balance the asymmetry of an attack, so that the resources used on the remote machine is comparable to the resources required on the host.

      I am honestly curious what happens when average residential connections are gigabit, but I am sure they are planning for that.

      • There is only so much you can mitigate, we are already at a stage where home connections are at the scale when aggregated together that they can drown even the insane bandwidth levels that cloudflare have and if you design your attack that it mimics normal web site traffic it can be extremely difficult to handle.
  • They'll be saying things like "remember that massive DDOS attack last year? That one's going in the history books too"

  • Only when they disconnect all those compromised Windows desktops out there on the Internet.
  • The ship was unsinkable they said.

  • This reads like one big challenge.

    Why announce it like this? It's just like announcing you've made an un-crackable DRM; you're awaking the kraken.
