
It would follow that Cloudflare is tacitly admitting they have been / are hosting a large number of domains used for fraud and abuse. That surprises me, given the time and effort they spend mitigating fraud and abuse. Anyone care to explain what I'm missing?


> That surprises me, given the time and effort they spend mitigating fraud and abuse

What time? What mitigations?

Cloudflare will proxy anything and then tell you "we're just a proxy, so we won't do anything lol" when you report anything other than CF Pages. Doesn't matter if it's terror groups, animal torture, piracy, doxing, far right groups, etc.

I have personally submitted abuse reports and seen that absolutely nothing happens.

Oh and also the amount of abuse I see from people using Cloudflare Warp is also very high.


Depends on what you're trying to achieve, I think.

Cloudflare's policy is that if there's ToU-violating content being served through a Cloudflare-proxied domain, you can report it to request de-anonymization of the domain, so that you can then reach out to the actual host.

I've reported Cloudflare-proxied phishing-site clones of my company's website to Cloudflare, and they've usually come back to me with a pointer to the upstream-origin's ASN/ISP to reach out to within a few hours.
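The comment above hinges on a first step it does not spell out: before reporting, work out whether the site is actually proxied through Cloudflare (so the report goes to Cloudflare's abuse process to request origin disclosure) or whether the origin IP is already visible in DNS (so the report goes straight to that IP's ASN/ISP). The following is an added example, not code from the original thread or from Cloudflare. It compares a hostname's A records against a snapshot of Cloudflare's published IPv4 ranges (the list at https://www.cloudflare.com/ips-v4 at the time of writing; treat it as an assumption and refresh it before relying on it). The DNS answers in `SAMPLE_ANSWERS` are constructed so the example runs offline; `resolve()` does a live lookup if you want real data.

```python
"""Decide where an abuse report for a hostname should go, based on whether
its A records fall inside Cloudflare's published IPv4 ranges.

Added example, not Cloudflare's code. CLOUDFLARE_IPV4 is a snapshot of
https://www.cloudflare.com/ips-v4 and must be refreshed before real use;
IPv6 ranges are deliberately not included here.
"""
import ipaddress
import socket

# Assumption: snapshot of the published list (IPv4 only).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed DNS answers (documentation/test-net addresses), so this runs offline.
SAMPLE_ANSWERS = {
    "phish.example":  ["104.18.3.7", "104.18.2.7"],      # both inside 104.16.0.0/13
    "direct.example": ["203.0.113.45"],                  # origin exposed in DNS
    "mixed.example":  ["172.67.1.1", "198.51.100.9"],    # one proxied, one not
}


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address lies inside any of the snapshot ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def resolve(host: str) -> list:
    """Live A-record lookup (not used by the offline sample below)."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def classify(host: str, addrs: list) -> tuple:
    """Return (status, where_to_report).

    status is 'cloudflare-proxied' when every address is Cloudflare's,
    'origin-exposed' when none is, and 'mixed' otherwise (some records
    point at Cloudflare, some straight at an origin).
    """
    if not addrs:
        return ("unresolved", f"{host}: no A records; check NS/registrar instead")
    proxied = [a for a in addrs if is_cloudflare_ip(a)]
    exposed = [a for a in addrs if not is_cloudflare_ip(a)]
    if not exposed:
        return ("cloudflare-proxied",
                f"{host}: report via Cloudflare's abuse form and request origin disclosure")
    if not proxied:
        return ("origin-exposed",
                f"{host}: report to the ASN/ISP owning {', '.join(exposed)}")
    return ("mixed",
            f"{host}: report to the ASN/ISP owning {', '.join(exposed)}; "
            f"Cloudflare records {', '.join(proxied)} also present")


def triage(answers: dict) -> dict:
    """Classify every host in an {host: [ips]} mapping."""
    return {host: classify(host, ips) for host, ips in answers.items()}


if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_ANSWERS).items():
        print(f"{host:16} {status:18} {target}")
```

The 'mixed' case matters in practice: a subdomain (often mail or an FTP host) left DNS-only leaks the origin even when the main site is proxied, and that record is where the report should go.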


> the amount of abuse I see from people using Cloudflare Warp is also very high.

More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?

That's quite surprising, since Cloudflare makes no such promises and markets Warp as a security/performance improvement tool, not an anonymity-providing one. I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.


> More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?

Yes, because it is a free service, an easy and free way to just hide your IP address. You don't even need an account.

> I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.

Correct, this used to be the case, but no longer is as far as I can tell. But even with that, it was an issue for non-Cloudflare websites and services being attacked over something other than HTTP(S) (e.g. SSH).


Ah, I haven't been following it closely. Thank you! Just found a blog post on that architectural change: https://blog.cloudflare.com/geoexit-improving-warp-user-expe...

Are they responsive at all to abuse notifications about their VPN users? Presumably the only thing they could even do is to block an upstream IP address, given that it doesn't require an account.


They've definitely refused to help far right sites and sites like Kiwi Farms.


Yeah, because of the pressure after it all blew up. They even said in their own blog post that it was an "extraordinary" decision and did not believe terminating them was appropriate.

Kiwi Farms used their services for at least 6 years before anything happened.


And all that pressure was for naught because it's still available right on the clearweb :'(


Is it? Currently giving 502 Bad Gateway. Seems like they're having hosting troubles.


Yes, outage right now.


It wasn't.


I was thinking particularly about the DDoS protections they advertise (and explain in lovely technical posts on this site). So you're saying that they protect their network from others, whilst disregarding harms their clients cause to others. That was something I was missing, so I thank you.


Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites. Back when CDNs were all "call for pricing" affairs.

Cloudflare had the insight that the more DDoS-for-hire services there were out there, the greater the demand for their services. Offering free DDoS protection to DDoS-for-hire services helps keep customers coming back for more.


> Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites.

I mean, you don't need websites to advertise. Most DDoS-for-hire services back before 2009 advertised on IRC, NNTP, via ads in .NFO files found in warez releases found on Kazaa and BitTorrent, and so forth. (Some of the very tech-headed ones had Freenet sites.)


Shouldn't be a surprise, there is a tight relationship between Cloudflare and the booter community. I remember every booter site or similar was always behind Cloudflare, I think it was a common practice because it didn't seem like Cloudflare cared about these abusive sites.


Cloudflare's business model is largely reliant on the internet being filled with abuse.


It seems at least plausible to me that either there would be even more fraud and abuse than there already is without the time and effort to mitigate it, or that maybe their mitigation is not as effective as they'd like. This isn't meant to contradict the other theories being posted here; I don't really have any experience specific to this area, so it's possible I'm just being naive.


Yeah, I find this whole thread a bit odd. Cloudflare has been a highly regarded service for years, and suddenly people are blaming them for running a protection racket, without providing a single source or piece of evidence (or a presumably more ethical alternative, for that matter)?

As they say, extraordinary claims require extraordinary evidence…


> admitting they have been / are hosting a large number of domains used for fraud and abuse

Only if the abuse happened through them. Perhaps they were just hosting holding pages, and the traffic was pushed elsewhere when active scams were running?

> surprises me, given the time and effort they spend mitigating fraud and abuse

They mitigate it incoming as one of their features for their customers. That doesn't mean they are going to mitigate it outgoing quite as fiercely. Though I'd assume they'd made some effort at least to maintain a reasonable reputation for their IP ranges.


I've heard people bring up that problem before. On one hand they protect sites from DDoS attacks and bad actors, but on the other hand they help keep the bad actors online.

If there's no abuse, nobody will pay their protection money.


I believe their primary focus is protecting the customers / proxied web servers, not the clients of said site. I suspect that if one day the free accounts on CF went away, then again we would lose a lot of scam sites (assuming they don't accept Monero or similar), and, like .tk, we would also lose some cool sites.


Cloudflare's market play has consistently reminded me of Facebook's relative to Google's, from the perspective of Googlers I know who moved to Facebook in the early 2010s.

Let's do Akamai, but cheaper. Trying to stop everything bad is impossible anyway.


Sell the problem and the solution; good business.


They don't host the domain. Hosting happens somewhere else.

Which is where the crackdown should happen.


If you try to find evidence that Cloudflare mitigates fraud and abuse, you'll mostly find anecdotal evidence (sites that have been attacked and moved to Cloudflare, mostly) plus information and claims provided by Cloudflare, which is unverifiable. The problem is that nobody protects us, the Internet, from Cloudflare.

Cloudflare will happily take money from and host (yes, host - they host, in spite of their rather stupid and completely disingenuous assertions that they don't) spammers and scammers. They do all the time, and they have no intention of changing that any time soon.

If you forward phishing spam to abuse@cloudflare.com, guess what? Nothing happens. You get an automated response, but they do nothing about it. They expect you to visit a web page that has all sorts of intentional problems (intentional because they've been pointed out to Cloudflare and Cloudflare hasn't addressed them for years) that make the process arduous and time consuming. For one, they don't have "spam" as an abuse type. For another, even though they now literally host web content, and even though they're a domain registrar, if you don't paste in a URL pointing to a site hosted by their proxying product, then you can't submit your form. This means there's literally no way to complain to Cloudflare about domains for which Cloudflare is in WHOIS and SOA records, and for whom Cloudflare hosts DNS. The fields are limited to some particular size (2,000 characters? I forget exactly), and have issues where if you paste more than a certain amount of content but less than the hard limit, you can't submit the form. If you try to use the form more than once a minute or two, IT'S RATE LIMITED and you can't submit the form. Imagine that - they need to protect themselves from human-speed abuse reporting.

In other words, it's REALLY hard to use their site to report abuse to them, and they know this, and it's intentional, unless we want to believe that they just suck at understanding how to make a web page that works.

If they get enough complaints about a given phishing domain, they eventually take action, but it'd be after several days, which is more than the lifetime of a typical phishing campaign. In essence Cloudflare is one of the most popular phishing and spam-promoted hosting platforms because of Cloudflare's intentional foot dragging and claims to want to "protect free speech".

They got on my shit list years ago when they told me - not kidding - that they couldn't just take down a Bank of America phishing site when it was pointed out to them because of "free speech". In other words, they don't want to set a precedent where they can apply the tiniest modicum of common sense and take down phishing sites which any reasonable human on the planet can unambiguously recognize as fraud.

Bottom line: Cloudflare tells the world that there's SO much bad stuff out there, and you'll get in trouble if you don't use their products, and that's mostly true if you want to run phishing and spam-promoted web sites, so scammers and spammers use Cloudflare and are protected from those of us who would report those spammers and scammers.

For all the companies and individuals who use Cloudflare, many are fooled into thinking they need Cloudflare when they don't and are just making their sites problematic for much of the non-western world while helping a wanna-be monopoly re-centralize the Internet around a for-profit company that has a history of profiting from scammers and spammers.

If anyone thinks Cloudflare legitimately protects the Internet by mitigating fraud and abuse, I'd be very interested to see evidence that doesn't come from Cloudflare that shows this.


What are some other viable options?


1) not using DoS / DDoS protection, or using any number of hosting services that have this built in, or using a service that doesn't marginalize large parts of the world in the name of "security". DoS / DDoS attacks are not as common as Cloudflare would want you to believe.

2) use literally any other registrar / DNS service / hosting platform. You then won't need to worry about whether people all over the world will be getting CAPTCHAs on every visit because of where they live or what browser they choose to use.


They don’t only offer DDoS protection, but also a WAF (Web Application Firewall), and if you run commodity software, attacks are very common.

I know this because I manage a WordPress site fronted by a different WAF, and I can see in the logs that malicious bots are trying to pwn the site basically 24/7.

(and before you say ‘patches’ – yes, but defense in depth is a thing, and you don’t always have the luxury of vendors with good security practices.)
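The commenter above says the malicious bots show up plainly in the logs. Here is what that looks like as detection logic rather than eyeballing: an added example (not code from the thread or from any WAF vendor) that parses combined-format access log lines and flags the request patterns scanners hit on WordPress sites. The log lines in `SAMPLE_LOG` are constructed; the path patterns, the `login_threshold` of 3, and the "302 after repeated 200s on wp-login.php means a credential worked" heuristic are assumptions made for the example.

```python
"""Flag WordPress attack probes in Apache/nginx combined-format access logs.

Added example, not from any WAF product. SAMPLE_LOG is constructed; the
patterns and thresholds are assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths legitimate visitors almost never request but scanners hit constantly.
PROBE_PATTERNS = {
    "wp-login":         re.compile(r"^/wp-login\.php"),
    "xmlrpc-abuse":     re.compile(r"^/xmlrpc\.php"),
    "user-enumeration": re.compile(r"^/\?author=\d+$|^/wp-json/wp/v2/users"),
    "plugin-scan":      re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$"),
    "backup-hunting":   re.compile(r"(?:wp-config\.php\.(?:bak|old|save)|\.sql|\.zip)$"),
}

# Constructed sample (documentation/test-net addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [01/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [01/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [01/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [01/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [01/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.23 - - [01/Mar/2024:10:00:05 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.23 - - [01/Mar/2024:10:00:06 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 196
198.51.100.23 - - [01/Mar/2024:10:00:06 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196
203.0.113.10 - - [01/Mar/2024:10:00:07 +0000] "GET /about/ HTTP/1.1" 200 4100
"""


def parse(line: str):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path: str) -> list:
    """Names of every probe pattern the request path matches (empty for normal traffic)."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(path)]


def analyze(log_text: str, login_threshold: int = 3) -> dict:
    """Per-IP summary for every client that hit at least one probe pattern."""
    per_ip = defaultdict(lambda: {"probes": Counter(), "login_posts": 0, "login_success": False})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        tags = classify_path(rec["path"])
        if not tags:
            continue
        entry = per_ip[rec["ip"]]
        entry["probes"].update(tags)
        if "wp-login" in tags and rec["method"] == "POST":
            entry["login_posts"] += 1
            # WordPress answers a failed login with 200 (form re-rendered) and a
            # successful one with a 302 to the dashboard; a 302 after a run of
            # failures is therefore the moment a guessed credential worked.
            if rec["status"] == "302" and entry["login_posts"] > login_threshold:
                entry["login_success"] = True
    return dict(per_ip)


def verdicts(report: dict, login_threshold: int = 3) -> dict:
    """Map each flagged IP to an action: compromised-likely, block, or watch."""
    out = {}
    for ip, e in report.items():
        if e["login_success"]:
            out[ip] = "compromised-likely"
        elif e["login_posts"] >= login_threshold or len(e["probes"]) >= 2:
            out[ip] = "block"
        else:
            out[ip] = "watch"   # e.g. a single GET of wp-login.php by a real admin
    return out


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, action in verdicts(report).items():
        print(ip, action, dict(report[ip]["probes"]))
```

A single hit on wp-login.php is not evidence of anything (an administrator logging in looks the same), which is why the verdict needs either a run of POSTs or several distinct probe types before it says "block"; the 302-after-failures check is the one worth paging on, because it means the brute force worked and the WAF question is now an incident-response question.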


Yes, WordPress is attacked incessantly. It's designed to be actively hostile to security, so yes, a firewall that helps ameliorate that is a good thing.

However, if you really care about WordPress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow WordPress' absolutely ridiculous security. While patching depends on vendors, securing WordPress from its own hubris doesn't depend on vendors.

But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.


WP core isn’t bad, the problem is when you’re the ops guy and you get handed an installation with 30 plugins.

Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.

> Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.

Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.



