Re: EVERYTHING about Booters (and CloudFlare)

2016-07-29 Thread Rich Kulawiec
On Fri, Jul 29, 2016 at 08:58:23PM +0700, Roland Dobbins wrote:
> The AUP, the TOS, and the RFP are the most powerful security tools any
> network operator has at their disposal - assuming they've invested some time
> and effort in crafting them, and in ensuring they can be enforced.

This.  A hundred times this.

And keep in mind that these tools are not just to protect your operation;
they're to protect the Internet *from* your operation.

---rsk


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-29 Thread Roland Dobbins


On 29 Jul 2016, at 20:34, J. Oquendo wrote:

> Because someone breaking AUPs and TOS is not enough.


The AUP, the TOS, and the RFP are the most powerful security tools any 
network operator has at their disposal - assuming they've invested some 
time and effort in crafting them, and in ensuring they can be enforced.


---
Roland Dobbins 


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-29 Thread J. Oquendo
On Fri, 29 Jul 2016, Naslund, Steve wrote:

> What he said.  If I am given a court order and follow it, I can't get sued 
> when I knock you off the Internet.
> 
> Steven Naslund

Because someone breaking AUPs and TOS is not enough. "Hey
I know you broke every rule in the book. Forget that for
now I am not a judge, feel free to DDoS, steal someone's
life savings with your malware/phishing. You're fine by
me until a judge tells me otherwise." -- Smart answer

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


RE: EVERYTHING about Booters (and CloudFlare)

2016-07-29 Thread Naslund, Steve
What he said.  If I am given a court order and follow it, I can't get sued when 
I knock you off the Internet.

Steven Naslund

>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy Bush
>Sent: Friday, July 29, 2016 8:04 AM
>To: chris
>Cc: North American Network Operators' Group
>Subject: Re: EVERYTHING about Booters (and CloudFlare)

> great quote from the reporter "why do you need a court order to do the 
> right thing?"

>because i am not judge and jury.  we leave that to network technicians.

>randy


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-29 Thread Randy Bush
> great quote from the reporter "why do you need a court order to do the
> right thing?"

because i am not judge and jury.  we leave that to network technicians.

randy


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-29 Thread Saku Ytti
On 28 July 2016 at 19:27, chris  wrote:
> They don't discriminate, anyone can be a customer
> https://www.youtube.com/watch?v=T4GfoSZ_sDc
>
> great quote from the reporter "why do you need a court order to do the
> right thing?"

Only failure here is accepting interview request from FOX. Who obviously
just want to be sensational rather than have an actual discussion.

-- 
  ++ytti


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Randy Bush
>> They don't discriminate, anyone can be a customer
>> https://www.youtube.com/watch?v=T4GfoSZ_sDc
> 
> Holy crap that girl was painful to listen to!

missed the girl.  all i saw was prince and a fox 'news' woman.  it was
pretty much like reading nanog.

randy


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Scott Weeks


--- tknch...@gmail.com wrote:

They don't discriminate, anyone can be a customer
https://www.youtube.com/watch?v=T4GfoSZ_sDc

great quote from the reporter "why do you need a 
court order to do the right thing?"
--


Holy crap that girl was painful to listen to!

scott


RE: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread bzs

The difference between everyone posting here and for example the
intellectual property folks like RIAA is the latter has organization
and money.

As I said earlier one thing that organization and money has done is
defined, with some precision, where the boundaries are. It's a moving
target but that's a lot better than nothing.

And money for lobbyists etc to go to govts and courts to impress them
with their point of view and even get it written into law and
precedents.

It's not perfect, nothing is, but when someone puts up a music sharing
service with a million recordings none authorized in Lower Slobbovia
they usually manage to get it shut down (that happens, ok not Lower
Slobbovia exactly.)

Something else they get is budget assigned to law enforcement agencies
to pursue those commercial violations.

I remember speaking early on to someone in an FBI office about spam
and related, this was probably ca 2000, and he completely sympathized
but said sorry, the FBI has no budget to pursue such things.

Like many very nice people you think LEAs pursue crimes merely because
they are crimes. That the money to do so just appears on demand
because IT'S A CRIME! Book 'em Dan-o!

Hah! I'll repeat that. Hah!

These are commercial crimes not terrorism or kidnapping or murder or
tearing those labels off mattresses.

Much more difficult to get on LEAs' radar.

On the darker side be careful what you wish for.

You won't personally be defining these boundaries. People like
lobbyists and policy wonks and legislators will. People this
hypothetical organization hires and those influenced by those
hires. People who can spend full time wordsmithing all this and
getting attention.

It takes very active involvement to steer good intentions to good
results and not just end up with scattershot gibberish or worse
overbearing laws which do more harm than good.

And that all takes organization and money and involvement not postings
on NANOG except inasmuch as they might lead to organization and money
etc.

It's possible and maybe even desirable but what I see here ain't it.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Randy Bush
>> Actually, as someone pointed out, it might well be conspiracy - which
>> is criminal.
> looking forward to the court case, if it's really important it'll
> happen shortly, right?

we don't need no flippin' court.  we can lynch 'em right here.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Miles Fidelman

On 7/28/16 11:56 AM, Niels Bakker wrote:

> * mfidel...@meetinghouse.net (Miles Fidelman) [Thu 28 Jul 2016, 17:42 CEST]:
> [...]
>> Now if Cloudflare were to actively suggest that folks use vBooter to
>> test systems, as a way to boost sales for Cloudflare - that would
>> certainly be an interesting test case for RICO
>
> CloudFlare is doing nothing of the sort, and it's kind of vile for you
> to suggest otherwise, even ostensibly by way of floating it as a
> hypothetical.

Well, I don't know - if I were in the business of selling security 
services, I'd probably suggest that potential customers do some 
penetration and stress testing of their systems.  And that seems pretty 
legitimate.


For that matter - "here are some tools you can use to test your systems" 
also strikes me as pretty legitimate.


On the other hand - one might argue that publishing something like "How 
to Launch a 65Gbps DDoS, and How to Stop One" 
https://blog.cloudflare.com/65gbps-ddos-no-problem/ - pushes the limits 
a bit - depending on how much detailed "how-to" information one 
provides, and how much one presents oneself as the solution.


Granted, that there's a lot of value in education - I certainly want to 
know the various ways folks might attack our systems, and the various 
ways we might defend ourselves.  But there are limits - not just legal 
ones, but, as others have pointed out, ethical ones and ones of good 
taste.  The CERT draws its lines one place; on the other hand, Symantec 
publishes white papers that give some rather in depth analyses of 
specific viruses - there for the googling. Cloudflare certainly comes 
closer to one line than the other.


Opinions vary as to the ethics, taste, and legality of publishing 
detailed how-to information - there's certainly enough out there from 
sources with ill intent (including rather nasty libraries and tools that 
require little technical expertise to utilize) - so I tend to favor more 
details.


When one directly ties detailed how-to information, with product/service 
sales - now that strikes me as begging to be the target of some 
interesting test cases.  In Cloudflare's case - telling people how to 
attack a site, hosting free & openly available tools that can support 
such an attack, and selling services to mitigate the attack - now that's 
a test case just waiting to happen.  "How to Launch a 65Gbps DDoS, and 
How to Stop One" seems like an open invitation to ambulance chasers and 
aggressive prosecutors.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra



RE: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Naslund, Steve

The best analogy to real world would be to look at CloudFlare as an arms dealer.
They don't start the war but they sure enable it.  The governments probably
don't care who you sell arms to until their goat gets gored and then they are
coming for you.  Believe me they have more than enough laws on the books to
find one that applies to just about any circumstance they want.  In that world,
legal and illegal don’t matter as much as who likes you and who doesn't.

Steven Naslund
Chicago IL


RE: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Naslund, Steve
No, as I said earlier, I am of the opinion that these networks get swept up 
once they go too big and hit something that law enforcement really cares about 
(read: embarrassed by).  At that point they get everyone.  You and I and our 
customers can't do much of anything until that point unless the service 
provider community gets aggravated enough to go to war with them.   Thing is no
one knows who is Senator X's friend or has someone with enough pull to get a
response.  Eventually they all trip over one of those mines.

Steven Naslund
Chicago IL

>-Original Message-
>From: Phil Rosenthal [mailto:p...@isprime.com] 
>Sent: Thursday, July 28, 2016 11:57 AM
>To: Naslund, Steve
>Cc: nanog@nanog.org
>Subject: Re: EVERYTHING about Booters (and CloudFlare)
>
>Are you of the opinion that the victim of a DDoS attack who is not a 
>multi-billion-dollar corporation would actually receive help from the FBI as a 
>result of a DDoS attack?
>In the past, I have been told that the dollar-threshold for the FBI to even 
>consider looking at a case was at least $2M in damages. This was 10 years ago, 
>and I can't imagine the threshold has gone down.
>
>-Phil


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Phil Rosenthal
Are you of the opinion that the victim of a DDoS attack who is not a 
multi-billion-dollar corporation would actually receive help from the FBI as a 
result of a DDoS attack?
In the past, I have been told that the dollar-threshold for the FBI to even 
consider looking at a case was at least $2M in damages. This was 10 years ago, 
and I can't imagine the threshold has gone down.

-Phil

> On Jul 28, 2016, at 12:51 PM, Naslund, Steve  wrote:
> 
> It is not beyond the realm of law enforcement to run down the entire chain of 
> events all the way back to the “whodunit” and “howdunit”.  It is pretty 
> amazing what they can figure out when they put their minds to it and don’t 
> underestimate what they can learn by getting someone in the hot seat under 
> the bare light bulb.  They also have lots of informants.
> 
> Victim complaints don’t matter a bit to these guys, it will take the guys in 
> the windbreakers kicking in the doors one of these days.
> 
> Steven Naslund
> Chicago IL
> 
>> On Thu, Jul 28, 2016 at 12:20 PM, Phil Rosenthal <p...@isprime.com> wrote:
>> Keep in mind also, the victims of these DDoS attacks do not know which
>> "booter" service was paid to attack them. The packets do not have "Stress
>> test provided by vBooter" in them. The attack packets do not come from the
>> booter's or Cloudflare's IP addresses, they come from secondary victims --
>> compromised servers, PC's infected with malware, and abused DNS/NTP [and a
>> few other protocols] reflectors.
>> 
>> It is impossible for a victim to submit a complaint to Cloudflare stating "I 
>> was attacked by someone paying vBooter", because they do not know which of 
>> the numerous "booter" services was responsible.
>> 
>> -Phil



RE: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Naslund, Steve
It is not beyond the realm of law enforcement to run down the entire chain of 
events all the way back to the “whodunit” and “howdunit”.  It is pretty amazing 
what they can figure out when they put their minds to it and don’t 
underestimate what they can learn by getting someone in the hot seat under the 
bare light bulb.  They also have lots of informants.

Victim complaints don’t matter a bit to these guys, it will take the guys in 
the windbreakers kicking in the doors one of these days.

Steven Naslund
Chicago IL

>On Thu, Jul 28, 2016 at 12:20 PM, Phil Rosenthal <p...@isprime.com> wrote:
>Keep in mind also, the victims of these DDoS attacks do not know which
>"booter" service was paid to attack them. The packets do not have "Stress test
>provided by vBooter" in them. The attack packets do not come from the
>booter's or Cloudflare's IP addresses, they come from secondary victims --
>compromised servers, PC's infected with malware, and abused DNS/NTP [and a few
>other protocols] reflectors.
>
>It is impossible for a victim to submit a complaint to Cloudflare stating "I 
>was attacked by someone paying vBooter", because they do not know which of the 
>numerous "booter" services was responsible.
>
>-Phil


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread chris
They don't discriminate, anyone can be a customer
https://www.youtube.com/watch?v=T4GfoSZ_sDc

great quote from the reporter "why do you need a court order to do the
right thing?"

On Thu, Jul 28, 2016 at 12:20 PM, Phil Rosenthal  wrote:

> Keep in mind also, the victims of these DDoS attacks do not know which
> "booter" service was paid to attack them. The packets do not have "Stress
> test provided by vBooter" in them. The attack packets do not come from the
> booter's or Cloudflare's IP addresses, they come from secondary victims --
> compromised servers, PC's infected with malware, and abused DNS/NTP [and a
> few other protocols] reflectors.
>
> It is impossible for a victim to submit a complaint to Cloudflare stating
> "I was attacked by someone paying vBooter", because they do not know which
> of the numerous "booter" services was responsible.
>
> -Phil
> > On Jul 28, 2016, at 12:12 PM, Naslund, Steve wrote:
> >
> > Miles is right.  Their thinly veiled "stress tester" thing is not going
> > to be much of a defense.  They must not have very good legal counsel.  Here
> > is the issue.  Stress testing is perfectly legal as long as I am:
> >
> >   a) Stress testing my own stuff
> >   b) Stress testing your stuff WITH YOUR CONSENT
> >
> > Selling a product or service that is unsafe can lead to serious civil
> > consequences.  For example, I sell you roach killer and don't warn you that
> > it will also kill every other living thing in your home, I am going to get
> > sued and lose badly.
> >
> > Let's say I am running a demolition company that offers to knock down
> > any house for a price.  Don't you think I have a responsibility to verify
> > that you own the house you just asked me to knock down?   (by the way, this
> > has happened in the real world -wrong address on paperwork- and the
> > demolition company was held liable) Obviously I have that responsibility
> > and obviously the same rules would apply to any service that can
> > potentially damage someone's property.
> >
> > Steven Naslund
> > Chicago IL
> >
> >> Let's see:
> >>
> >> Vbooter (on their home page) claims:
> >> "#1 FREE WEBBASED SERVER STRESSER"
> >> "Using vBooter you can take down home internet connections, websites
> >> and game servers such us Minecraft, XBOX Live, PSN and many more."
> >> "You don't have to pay anything in order to use this stresser! In
> >> addition there are NO limits if you are a free user."
> >>
> >> So they're advertising a free service that explicitly offers DDoS
> >> capabilities.
> >>
> >> Now - with the caveat that I'm not a lawyer, and I'm talking from a US
> >> perspective only - as a sometimes hosting provider who pays attention to
> >> our legal liabilities, and who's had one of our boxes compromised and used
> >> to vector a DDoS against a gaming site
> >>
> >> 1.  DDoS is clearly illegal under multiple statutes - most notably the
> >> Computer Fraud and Abuse Act - see
> >> https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
> >> - for a Justice Dept. memo on "Prosecuting Computer Crimes."  When
> >> coupled with threats, requests for payoffs, etc. - it expands into lots of
> >> other crimes (e.g., extortion).  And that's before one starts attacking
> >> Government-owned computer systems.
> >>
> >> 2. One might infer that, while "stress testing" is a legitimate and
> >> useful service - under specific circumstances, vBooter's tools might also
> >> fall under laws regarding being an accomplice to a criminal act, aiding &
> >> abetting, "burglar's tools," etc., and more generally "creating a public
> >> nuisance."
> >>
> >> 3. There are also various (mostly state) laws against the sale of
> >> burglar's tools (e.g., sale of a lockpick to someone who's not a
> >> professional locksmith).  I expect some of those laws might apply.
> >>
> >> 4. All of those certainly could be applied to vBooter.org.  Whether
> >> Cloudflare is liable for anything would seem to depend on whether
> >> Cloudflare is complicit in the use of vBooter's use for criminal purposes,
> >> or promoting its use therefore.  Hosting would certainly fall into that
> >> category - and while, I have no direct knowledge that Cloudflare hosts
> >> vBooter, they do provide nameservice, and their web server's IP address is
> >> in a network block registered to Cloudflare - that would seem to establish
> >> complicity.  Now if Cloudflare were to actively suggest that folks use
> >> vBooter to test systems, as a way to boost sales for Cloudflare - that
> >> would certainly be an interesting test case for RICO (akin to McAfee
> >> encouraging folks to write and release viruses).
> >>
> >> As to whether "Nothing is going to happen" - I expect something WILL
> >> happen, when somebody big, with a good legal department, gets hit by a
> >> really damaging DDoS attack, and starts looking for some deep pockets to
> >> sue.  Or, if somebody attacks the wrong Government computer and the FBI, or
> >> DoD, or DHS get ticked off.
> >>
> >> It will make for very good theater - at least for anyone not direc

Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Phil Rosenthal
Keep in mind also, the victims of these DDoS attacks do not know which "booter" 
service was paid to attack them. The packets do not have "Stress test provided 
by vBooter" in them. The attack packets do not come from the booter's or 
Cloudflare's IP addresses, they come from secondary victims -- compromised 
servers, PC's infected with malware, and abused DNS/NTP [and a few other 
protocols] reflectors.

It is impossible for a victim to submit a complaint to Cloudflare stating "I 
was attacked by someone paying vBooter", because they do not know which of the 
numerous "booter" services was responsible.

-Phil
> On Jul 28, 2016, at 12:12 PM, Naslund, Steve  wrote:
> 
> Miles is right.  Their thinly veiled "stress tester" thing is not going to be 
> much of a defense.  They must not have very good legal counsel.  Here is the 
> issue.  Stress testing is perfectly legal as long as I am:
> 
>   a) Stress testing my own stuff
>   b) Stress testing your stuff WITH YOUR CONSENT
> 
> Selling a product or service that is unsafe can lead to serious civil 
> consequences.  For example, I sell you roach killer and don't warn you that 
> it will also kill every other living thing in your home, I am going to get 
> sued and lose badly.
> 
> Let's say I am running a demolition company that offers to knock down any 
> house for a price.  Don't you think I have a responsibility to verify that 
> you own the house you just asked me to knock down?   (by the way, this has 
> happened in the real world -wrong address on paperwork- and the demolition 
> company was held liable) Obviously I have that responsibility and obviously 
> the same rules would apply to any service that can potentially damage 
> someone's property.
> 
> Steven Naslund
> Chicago IL
> 
>> Let's see:
>> 
>> Vbooter (on their home page) claims:
>> "#1 FREE WEBBASED SERVER STRESSER"
>> "Using vBooter you can take down home internet connections, websites and 
>> game servers such us Minecraft, XBOX Live, PSN and many more."
>> "You don't have to pay anything in order to use this stresser! In addition 
>> there are NO limits if you are a free user."
> 
>> So they're advertising a free service that explicitly offers DDoS 
>> capabilities.
> 
>> Now - with the caveat that I'm not a lawyer, and I'm talking from a US
>> perspective only - as a sometimes hosting provider who pays attention to our
>> legal liabilities, and who's had one of our boxes compromised and used to
>> vector a DDoS against a gaming site
>>
>> 1.  DDoS is clearly illegal under multiple statutes - most notably the
>> Computer Fraud and Abuse Act - see
>> https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
>> - for a Justice Dept. memo on "Prosecuting Computer Crimes."  When coupled
>> with threats, requests for payoffs, etc. - it expands into lots of other
>> crimes (e.g., extortion).  And that's before one starts attacking
>> Government-owned computer systems.
>>
>> 2. One might infer that, while "stress testing" is a legitimate and useful
>> service - under specific circumstances, vBooter's tools might also fall
>> under laws regarding being an accomplice to a criminal act, aiding &
>> abetting, "burglar's tools," etc., and more generally "creating a public
>> nuisance."
>>
>> 3. There are also various (mostly state) laws against the sale of burglar's
>> tools (e.g., sale of a lockpick to someone who's not a professional
>> locksmith).  I expect some of those laws might apply.
>>
>> 4. All of those certainly could be applied to vBooter.org.  Whether
>> Cloudflare is liable for anything would seem to depend on whether Cloudflare
>> is complicit in the use of vBooter's use for criminal purposes, or
>> promoting its use therefore.  Hosting would certainly fall into that
>> category - and while, I have no direct knowledge that Cloudflare hosts
>> vBooter, they do provide nameservice, and their web server's IP address is
>> in a network block registered to Cloudflare - that would seem to establish
>> complicity.  Now if Cloudflare were to actively suggest that folks use
>> vBooter to test systems, as a way to boost sales for Cloudflare - that would
>> certainly be an interesting test case for RICO (akin to McAfee encouraging
>> folks to write and release viruses).
>>
>> As to whether "Nothing is going to happen" - I expect something WILL happen,
>> when somebody big, with a good legal department, gets hit by a really
>> damaging DDoS attack, and starts looking for some deep pockets to sue.  Or,
>> if somebody attacks the wrong Government computer and the FBI, or DoD, or
>> DHS get ticked off.
>> 
>> It will make for very good theater - at least for anyone not directly in the 
>> cross-hairs.
>> 
>> Miles Fidelman
> 



RE: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Naslund, Steve
Miles is right.  Their thinly veiled "stress tester" thing is not going to be 
much of a defense.  They must not have very good legal counsel.  Here is the 
issue.  Stress testing is perfectly legal as long as I am:

a) Stress testing my own stuff
b) Stress testing your stuff WITH YOUR CONSENT

Selling a product or service that is unsafe can lead to serious civil 
consequences.  For example, I sell you roach killer and don't warn you that it 
will also kill every other living thing in your home, I am going to get sued 
and lose badly.

Let's say I am running a demolition company that offers to knock down any house 
for a price.  Don't you think I have a responsibility to verify that you own 
the house you just asked me to knock down?   (by the way, this has happened in 
the real world -wrong address on paperwork- and the demolition company was held 
liable) Obviously I have that responsibility and obviously the same rules would 
apply to any service that can potentially damage someone's property.

Steven Naslund
Chicago IL

>Let's see:
>
>Vbooter (on their home page) claims:
>"#1 FREE WEBBASED SERVER STRESSER"
>"Using vBooter you can take down home internet connections, websites and game 
>servers such us Minecraft, XBOX Live, PSN and many more."
>"You don't have to pay anything in order to use this stresser! In addition 
>there are NO limits if you are a free user."

>So they're advertising a free service that explicitly offers DDoS capabilities.

>Now - with the caveat that I'm not a lawyer, and I'm talking from a US
>perspective only - as a sometimes hosting provider who pays attention to our
>legal liabilities, and who's had one of our boxes compromised and used to
>vector a DDoS against a gaming site
>
>1.  DDoS is clearly illegal under multiple statutes - most notably the
>Computer Fraud and Abuse Act - see
>https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
>- for a Justice Dept. memo on "Prosecuting Computer Crimes."  When coupled
>with threats, requests for payoffs, etc. - it expands into lots of other
>crimes (e.g., extortion).  And that's before one starts attacking
>Government-owned computer systems.
>
>2. One might infer that, while "stress testing" is a legitimate and useful
>service - under specific circumstances, vBooter's tools might also fall under
>laws regarding being an accomplice to a criminal act, aiding & abetting,
>"burglar's tools," etc., and more generally "creating a public nuisance."
>
>3. There are also various (mostly state) laws against the sale of burglar's
>tools (e.g., sale of a lockpick to someone who's not a professional
>locksmith).  I expect some of those laws might apply.
>
>4. All of those certainly could be applied to vBooter.org.  Whether Cloudflare
>is liable for anything would seem to depend on whether Cloudflare is complicit
>in the use of vBooter's use for criminal purposes, or promoting its use
>therefore.  Hosting would certainly fall into that category - and while, I
>have no direct knowledge that Cloudflare hosts vBooter, they do provide
>nameservice, and their web server's IP address is in a network block
>registered to Cloudflare - that would seem to establish complicity.  Now if
>Cloudflare were to actively suggest that folks use vBooter to test systems, as
>a way to boost sales for Cloudflare - that would certainly be an interesting
>test case for RICO (akin to McAfee encouraging folks to write and release
>viruses).
>
>As to whether "Nothing is going to happen" - I expect something WILL happen,
>when somebody big, with a good legal department, gets hit by a really damaging
>DDoS attack, and starts looking for some deep pockets to sue.  Or, if
>somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get
>ticked off.
>
>It will make for very good theater - at least for anyone not directly in the 
>cross-hairs.
>
>Miles Fidelman



RE: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Naslund, Steve
There are not international cyber crime laws because there is no international 
law enforcement agency with the reach to enforce them and because most 
countries like things like sovereignty.  There is also an inherent conflict 
between private citizen hacking and state sponsored hacking and the line is 
sometimes blurry.  If a state sponsor is using a private DDoS network, what are 
the chances they are going to allow an investigation/arrest in that case?  
There are already enough laws on the books in most cases to handle this stuff, 
there just isn't the law enforcement resources/interest to pursue this.  

Companies like CloudFlare generally end up in one of two states given my
experience since the first public Internet became available.

1.  Various service providers get screwed with enough and eventually retaliate
by messing with CloudFlare's connectivity/peering/availability to the point that
CloudFlare becomes an unviable platform for the nefarious services.  This
happened in the original spam wars with regularity.  As soon as CloudFlare
becomes inconvenient or too visible to law enforcement, they move on to the
next provider and enough legit business is scared away that CloudFlare dies on
the vine.

2.  Eventually one of the nefarious services messes around with something large 
enough to create big law enforcement interest (a successful hit on a critical 
national resource) at which point they cut all the intergovernmental red tape 
and take out everyone including the hacker, the server farm, the hosting 
company, and anyone else involved.  Remember that they don't necessarily have 
to prove a criminal case to shut your business down.  All they really have to 
do is get a judge to order a seizure of enough of your gear to shut you down 
for a period of time that sends all your other business out the door.  Note 
that I don't support/not support that tactic but it's a fact that it works.  
Sure, you can try to defend yourself but how deep are your legal pockets?  The 
US Justice Department has shown time and again that they can wipe out large 
swaths of nefarious operators when they care enough to do so.  They have also 
shown the ability to cross international border to do so.  They put some 
serious dents in Pirate Bay and Anonymous.  They don't kill them permanently 
but it doesn't matter to the guys sitting in prison for years.

Steven Naslund
Chicago IL






Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Niels Bakker

* mfidel...@meetinghouse.net (Miles Fidelman) [Thu 28 Jul 2016, 17:42 CEST]:
> [...]
> Now if Cloudflare were to actively suggest that folks use vBooter to
> test systems, as a way to boost sales for Cloudflare - that would
> certainly be an interesting test case for RICO

CloudFlare is doing nothing of the sort, and it's kind of vile for
you to suggest otherwise, even ostensibly by way of floating it as
a hypothetical.



-- Niels.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Miles Fidelman

On 7/28/16 11:04 AM, Paras Jha wrote:

> Nothing is going to happen. Cloudflare will continue to turn a blind eye
> towards abusive customers, and even downright allow customers to HTTP scan
> from their network without batting an eyelash. The mere act of scanning
> isn't illegal, but it shows the kind of mindset that they have.


Let's see:

Vbooter (on their home page) claims:
"#1 FREE WEBBASED SERVER STRESSER"
"Using vBooter you can take down home internet connections, websites and 
game servers such us Minecraft, XBOX Live, PSN and many more."
"You don't have to pay anything in order to use this stresser! In 
addition there are NO limits if you are a free user."


So they're advertising a free service that explicitly offers DDoS 
capabilities.


Now - with the caveat that I'm not a lawyer, and I'm talking from a US 
perspective only - as a sometimes hosting provider who pays attention to 
our legal liabilities, and who's had one of our boxes compromised and 
used to vector a DDoS against a gaming site


1.  DDoS is clearly illegal under multiple statutes - most notably the 
Computer Fraud and Abuse Act - see
https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf 
- for a Justice Dept. memo on "Prosecuting Computer Crimes."  When 
coupled with threats, requests for payoffs, etc. - it expands into lots 
of other crimes (e.g., extortion).  And that's before one starts 
attacking Government-owned computer systems.


2. One might infer that, while "stress testing" is a legitimate and 
useful service - under specific circumstances, vBooter's tools might 
also fall under laws regarding being an accomplice to a criminal act, 
aiding & abetting, "burglar's tools," etc., and more generally "creating 
a public nuisance."


3. There are also various (mostly state) laws against the sale of 
burglar's tools (e.g., sale of a lockpick to someone who's not a 
professional locksmith).  I expect some of those laws might apply.


4. All of those certainly could be applied to vBooter.org.  Whether 
Cloudflare is liable for anything would seem to depend on whether 
Cloudflare is complicit in the use of vBooter's use for criminal 
purposes, or promoting its use therefore.  Hosting would certainly fall 
into that category - and while, I have no direct knowledge that 
Cloudflare hosts vBooter, they do provide nameservice, and their web 
server's IP address is in a network block registered to Cloudflare - 
that would seem to establish complicity.  Now if Cloudflare were to 
actively suggest that folks use vBooter to test systems, as a way to 
boost sales for Cloudflare - that would certainly be an interesting test 
case for RICO (akin to McAfee encouraging folks to write and release 
viruses).


As to whether "Nothing is going to happen" - I expect something WILL 
happen, when somebody big, with a good legal department, gets hit by a 
really damaging DDoS attack, and starts looking for some deep pockets to 
sue.  Or, if somebody attacks the wrong Government computer and the FBI, 
or DoD, or DHS get ticked off.


It will make for very good theater - at least for anyone not directly in 
the cross-hairs.


Miles Fidelman


--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra



Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Alexander Maassen
Sigh, another long thread that goes nowhere in the end and simply dies a
dull death. So let's add my 2ct donation into it.

First of all, CF like any other carrier/provider/hoster/whatever only
cares about the bucks, nothing else, you all do too, so that should be
clear enough. Them actually booting customers just because some other
instance (except through governmental powers) wants them to is not done,
as it would decrease the income. Period. Same goes for ISPs blocking
access to resources. They will simply switch to another provider and or
try to find workarounds for it (see pirate bay and the alikes). That's like
mopping the floor while the fire sprinklers are still on.

Second, CF indeed offers DDoS mitigation, but only on their heavy paid
plans, if you also want the netflow logs of the attacks etc, it will cost
you extra. If you are on a free plan, and your assigned gw gets ddossed,
and they figure out you are the target, they drop the 'protection' by
simply changing dns to its real values and letting the attacker know:
don't dos us if you want to hit that site, use the real endpoint IP
instead and you will hit them directly. (Been there with DroneBL, and as
soon as I figured out they do that, dropped them immediately). In the end,
you are better off at hosters like OVH/Foonet and such as they learned
from the IRC age where it was common to nuke clients/bnc's in order to
hijack nicknames/channels when the network didn't have channel/nick
services.

Third, for those who do not know it yet, CF only acts as an intermediate
RELAY that provides a method of attempting to identify bad asses, nothing
more. And the badasses they also relay for? Testpigs and informational
source! (Keep your friends close, your enemies closer?).

Hell, aren't some of the best security advisors former hackers? At least
the ones I know used to be. And I rather have some decent hacker in my
team, keeping me updated with the stuff that's going on in the scene, than
some million dollar company trying to sell you crap that is always behind
the facts. Oh, and I am talking about real hackers, not those
scriptkiddies using ready made tools thinking they are god.

Fourth, and I see it in this mail as well and a lot of others: The
Jurisdictional issues. Why aren't there any international Cyber Crime laws
yet? We all do need to enforce crap like DMCA (which the
music/entertainment industry is responsible for), EU Cookie Law (which
should have been handled through the browsers and not force it upon the
websites) and its inbred stupid derivatives, but everyone, despite acting
out international by its presence on a global spanning network, is still
hiding behind his/her organization's local law. Kinda stupid, don't you
agree?

Kind regards,

Alexander Maassen
Maintainer DroneBL

On Thu, July 28, 2016 4:41 pm, Paul WALL wrote:
> I'm sorry, but this entire discussion is predicated on half-truths and
> nonsense spewing out of the CF team.  It's a shame too, as they're
> usually great community minded folks who are well respected around here.
>
> No matter how you define the CloudFlare service, that they can claim
> ignorance due to "common carrier" passthrough is preposterous,
> especially given their purported knowledge of what's going on.
> Likewise if the booter sites were connected to any other CDN,
> WAF/proxy, public cloud provider, etc.  Call it what you want, but at
> the end of the day, they're providing connectivity and keeping the
> storefront online.  Want the problem stopped?  Easy, stop it at the
> source by denying them service.  Every service provider (or its
> upstream at some point) has an AUP which prevents the service from being
> used for illegal purposes.  Telling NANOG members that they don't
> understand the nature of the CF service, and that they should somehow
> get a pass, is dishonest.
>
> That they're keeping these criminals online at the requirement of the
> FBI?  Anyone who's actually worked with law enforcement can tell you
> that the first rule of fight club is to NOT talk about it, especially if
> you're under gag order.  A more likely story is they're just doing this
> for the attention, and basking in it, kind of like a certain blog post
> suggesting they pioneered the practice of configuring hosts with LACP
> for throughput and HA.
>
> If Justin/Matthew/Martin/etc. are listening, I implore you to do the
> right thing and stop providing service to criminals.  Full stop, without
> caving in to your very talented marketing department.  And to everyone
> else, I'd ask you to do what you think is right, and treat CloudFlare's
> anycasted IP blocks as you would any other network
> harboring criminal activity and security risk to the detriment of your
> customers.   (Is Team CYMRU listening?)  Much like the original spam
> problem in the 90s, the collateral damage might be annoying at first,
> but the end will justify the means.
>
> Drive Slow (like a souped up Supra),
> Paul Wall
>
> On Wed, Jul 27, 2016 at 10:48 PM, Randy Bush  wrote:
>>> They just lost al

Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Adrian
On Wednesday 27 July 2016 07:58:49 Paras Jha wrote:
> Hi Justin,
> 
> I have submitted abuse reports in the past, maybe from 2014 - 2015, but I
> gave up after I consistently did not even get replies and saw no action
> being taken. It is the same behavior with other providers who host malware
> knowingly. I appreciate you coming out onto the list though, it's nice to
> see that CF does maintain a presence here.
> 

I am not seeing Justin's replies hitting my mailbox, only snippets of quotes 
and replies... but my experience to date with CloudFlare has been exactly the 
same, no response or action of any kind to abuse reports.

...Searching... here is an example. Banco do Brasil "you must update your 
details" phishing fraud using compromised hosts. Example email and for details 
necessary to confirm sent to ab...@cloudflare.com on 7/17. Ten days later and 
the compromised CloudFlare-fronted site is still up and still running. Would 
there be any confusion if the following abuse report (plus attached original 
email) arrived in your mailbox?


Phishing / Fraud / Compromised server

Phishing URL:
http://www.rua.edu.kh/joomla/tecno/porta-bb2.com.jpg/

Redirects to:
http://fonecomercial.com.br/admin/wip.php/index.php

Redirects to:
http://app.flipedition.com/css/www2.bb.com.br.jpg/

Compromised server:
www.rua.edu.kh - 203.189.134.18
fonecomercial.com.br - 104.27.148.36  104.27.149.36
app.flipedition.com - 62.75.219.22



Any guesses who 104.27.148.36 104.27.149.36 is? PlusServer.de (62.75.219.22) 
terminated the final destination compromised pages within 12 hours... The 
others are still up. Some providers actively monitor and take control of 
reported abuses. Some providers actively ignore reported abuses.




Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Rich Kulawiec
On Wed, Jul 27, 2016 at 03:09:51PM +, Steve Mikulasik wrote:
> I am sure a lawyer would see it very differently, [...]

For what it's worth I agree, but I'm not an attorney (and neither
are most of us), so I'll write from the perspective of an operator.

The healthy functioning of the Internet community relies on mutual
cooperation.  It always has.  Part of that cooperation is ensuring
that one's own operation, whether it's a single server or a worldwide
collection of data centers, is not an operational hazard to the rest
of the Internet.  That is our first, our primary, our over-arching
responsibility at all times.  Understanding it, embracing it, and
practicing it is something required of all of us.

This isn't a question of what's legal and what's not -- after all,
that varies by jurisdiction and it's a moving target and the machinery
of jurisprudence moves a few orders of magnitude more slowly than
does Internet technology.  It's a question of what's right.  We should
all know that hosting spammers or phishers, DoS-attackers or carders,
or anyone/anything like that is wrong.  (Yes, there are gray areas where
reasonable people can differ about what's right/wrong.  But these
are not among them.)  We should all be doing everything we
can to avoid giving them services, and if we fail in that, if they
get by our screening, we should be cutting them off the moment we're
aware of their presence, and banning them permanently, AND informing
other operators in order to forestall their relocation.

This doesn't require legal involvement: it requires ToS that stipulate
it, and if, in 2016, any service *doesn't* have ToS that stipulate these
things: you need to get new attorneys and fix that today.

It also requires having a functioning abuse@ address (per RFC 2142
and decades of best practices) that connects to a functioning abuse
department that is empowered to investigate and act on everything
that shows up there.  In a better world, this wouldn't be necessary:
abuse sources/sinks/facilitators would already know of their own
involvement and nobody would need to tell them.  But we don't live
in that world and in some cases, it's arguably difficult to tell
even for very diligent operators.  So if third parties are doing you
the incredibly gracious favor of reporting abuse to you, thus making
*your* job easier despite the fact that *your* operation is making
their job harder...you should listen.  You should investigate.  You
should say thank you.  You should report the outcome.

This isn't hard.  It's really not.  (And to those who say "we get too
many abuse complaints", there is a very simple fix for that: stop
facilitating so much abuse.  The complaints will drop proportionately.)

The alternative to this is an Internet of escalating attacks and abuse --
which is where we find ourselves after a few decades of incompetence
and negligence (those who can't be bothered) and deliberate support
(those who choose to take dirty money and cash in on abuse).  It's already
pretty bad, which is why there are now entire sectors built on mitigating
it.  We can either continue to light stacks of money on fire (and that's
one of the smaller costs of this) trying to stave this off or we can
do what we should have been doing all along: be *personally* responsible
for what our technology is doing.  No excuses.  No stonewalling.  No blowoffs
with a nod to the legal department.  Just step up and do the right thing
for the good of the community -- because without that community, even
the biggest, richest operation is of no importance and value whatsoever.

---rsk


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Paras Jha
Nothing is going to happen. Cloudflare will continue to turn a blind eye
towards abusive customers, and even downright allow customers to HTTP scan
from their network without batting an eyelash. The mere act of scanning
isn't illegal, but it shows the kind of mindset that they have.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Paul WALL
I'm sorry, but this entire discussion is predicated on half-truths and
nonsense spewing out of the CF team.  It's a shame too, as they're
usually great community minded folks who are well respected around
here.

No matter how you define the CloudFlare service, that they can claim
ignorance due to "common carrier" passthrough is preposterous,
especially given their purported knowledge of what's going on.
Likewise if the booter sites were connected to any other CDN,
WAF/proxy, public cloud provider, etc.  Call it what you want, but at
the end of the day, they're providing connectivity and keeping the
storefront online.  Want the problem stopped?  Easy, stop it at the
source by denying them service.  Every service provider (or its
upstream at some point) has an AUP which prevents the service from
being used for illegal purposes.  Telling NANOG members that they
don't understand the nature of the CF service, and that they should
somehow get a pass, is dishonest.

That they're keeping these criminals online at the requirement of the
FBI?  Anyone who's actually worked with law enforcement can tell you
that the first rule of fight club is to NOT talk about it, especially
if you're under gag order.  A more likely story is they're just doing
this for the attention, and basking in it, kind of like a certain blog
post suggesting they pioneered the practice of configuring hosts with
LACP for throughput and HA.

If Justin/Matthew/Martin/etc. are listening, I implore you to do the
right thing and stop providing service to criminals.  Full stop,
without caving in to your very talented marketing department.  And to
everyone else, I'd ask you to do what you think is right, and treat
CloudFlare's anycasted IP blocks as you would any other network
harboring criminal activity and security risk to the detriment of your
customers.   (Is Team CYMRU listening?)  Much like the original spam
problem in the 90s, the collateral damage might be annoying at first,
but the end will justify the means.

Drive Slow (like a souped up Supra),
Paul Wall

On Wed, Jul 27, 2016 at 10:48 PM, Randy Bush  wrote:
>> They just lost all respect from here. Would someone from USA please
>> report these guys to the feds? What they are doing is outright
>> criminal.
>
> hyperbole.  it is not criminal.  you just don't happen to like it.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Aaron
If you believe someone is doing something illegal then you should report 
it to law enforcement.  Their job is to investigate and bring charges if 
they feel they are warranted.  You do not have to be from the USA to 
report a crime in the USA.


Here is a list with contact info for the FBI's field offices: 
https://www.fbi.gov/contact-us/field-offices


FBI Headquarters: https://www.fbi.gov/contact-us/fbi-headquarters

List of overseas offices for those of you not in the US that want to 
talk to someone local: https://www.fbi.gov/contact-us/legal-attache-offices


Most network operators are not law enforcement or lawyers.

Aaron


On 7/28/2016 8:45 AM, Naslund, Steve wrote:

> A DDoS attack is illegal.  In the United States it is considered as theft of 
> service.  The legal construct used is that the DDoS attack is a theft of CPU 
> cycles, compute resources, and power by other than the rightful owner for its 
> intended purposes.
>
> Steven Naslund
> Chicago IL
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
> valdis.kletni...@vt.edu
> Sent: Thursday, July 28, 2016 4:30 AM
> To: Miles Fidelman
> Cc: nanog@nanog.org
> Subject: Re: EVERYTHING about Booters (and CloudFlare)
>
> On Wed, 27 Jul 2016 22:55:54 -0400, Miles Fidelman said:
> > On 7/27/16 10:48 PM, Randy Bush wrote:
> > >> They just lost all respect from here. Would someone from USA please
> > >> report these guys to the feds? What they are doing is outright
> > >> criminal.
> > > hyperbole.  it is not criminal.  you just don't happen to like it.
> >
> > Actually, as someone pointed out, it might well be conspiracy - which
> > is criminal.
>
> In general, the conspiracy isn't criminal if the conspired act isn't criminal.
> If you're trying to make a criminal conspiracy out of non-criminal acts, your 
> best bet is probably finding a new way to abuse the RICO statutes.



--

Aaron Wendel
Chief Technical Officer
Wholesale Internet, Inc. (AS 32097)
(816)550-9030
http://www.wholesaleinternet.com




RE: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Naslund, Steve
A DDoS attack is illegal.  In the United States it is considered as theft of 
service.  The legal construct used is that the DDoS attack is a theft of CPU 
cycles, compute resources, and power by other than the rightful owner for its 
intended purposes.

Steven Naslund
Chicago IL

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
valdis.kletni...@vt.edu
Sent: Thursday, July 28, 2016 4:30 AM
To: Miles Fidelman
Cc: nanog@nanog.org
Subject: Re: EVERYTHING about Booters (and CloudFlare)

On Wed, 27 Jul 2016 22:55:54 -0400, Miles Fidelman said:
> On 7/27/16 10:48 PM, Randy Bush wrote:
> >> They just lost all respect from here. Would someone from USA please 
> >> report these guys to the feds? What they are doing is outright 
> >> criminal.
> > hyperbole.  it is not criminal.  you just don't happen to like it.
>
> Actually, as someone pointed out, it might well be conspiracy - which 
> is criminal.

In general, the conspiracy isn't criminal if the conspired act isn't criminal.
If you're trying to make a criminal conspiracy out of non-criminal acts, your 
best bet is probably finding a new way to abuse the RICO statutes.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Alain Hebert
Well,

I do not think feeding the trolls is a good exercise for a
representative of any company that is taking this subject seriously.

Don't you think?

-
Alain Hebert    aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911    http://www.pubnix.net    Fax: 514-990-9443

On 07/28/16 09:07, Justin Paine via NANOG wrote:
> @Baldur
>
> "They just lost all respect from here. Would someone from USA please report
> these guys to the feds? What they are doing is outright criminal."
>
> I'm happy to put you in touch with an FBI agent if you have questions
> or concerns you'd like to discuss.
>
> 
> Justin Paine
> Head of Trust & Safety
> CloudFlare Inc.
> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
>
>
> On Thu, Jul 28, 2016 at 4:01 AM,   wrote:
>> On Thu, 28 Jul 2016 12:00:00 +0200, Baldur Norddahl said:
>>
>>> DDoS attacks using stolen resources and fake identities is not legal
>> Are you making a blanket statement that covers all jurisdictions on
>> the planet?
>>
>> For bonus points - is it more like "illegal as in murder", or "illegal
>> as in jaywalking"?  (Hint - which one will you get a DA to actually
>> press a case that almost certainly crosses jurisdictions, and may involve
>> extradition proceedings?)
>>
>>



Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Justin Paine via NANOG
@Baldur

"They just lost all respect from here. Would someone from USA please report
these guys to the feds? What they are doing is outright criminal."

I'm happy to put you in touch with an FBI agent if you have questions
or concerns you'd like to discuss.


Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Thu, Jul 28, 2016 at 4:01 AM,   wrote:
> On Thu, 28 Jul 2016 12:00:00 +0200, Baldur Norddahl said:
>
>> DDoS attacks using stolen resources and fake identities is not legal
>
> Are you making a blanket statement that covers all jurisdictions on
> the planet?
>
> For bonus points - is it more like "illegal as in murder", or "illegal
> as in jaywalking"?  (Hint - which one will you get a DA to actually
> press a case that almost certainly crosses jurisdictions, and may involve
> extradition proceedings?)
>
>


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Valdis . Kletnieks
On Thu, 28 Jul 2016 12:00:00 +0200, Baldur Norddahl said:

> DDoS attacks using stolen resources and fake identities is not legal

Are you making a blanket statement that covers all jurisdictions on
the planet?

For bonus points - is it more like "illegal as in murder", or "illegal
as in jaywalking"?  (Hint - which one will you get a DA to actually
press a case that almost certainly crosses jurisdictions, and may involve
extradition proceedings?)






Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Baldur Norddahl
On 28 July 2016 at 11:30,  wrote:

> In general, the conspiracy isn't criminal if the conspired act isn't
> criminal.
> If you're trying to make a criminal conspiracy out of non-criminal acts,
> your best bet is probably finding a new way to abuse the RICO statutes.
>

DDoS attacks using stolen resources and fake identities is not legal and it
is not free speech. Moreover it is illegal just as it is illegal for me to
smash your car.

Cloudflare are saying they are not smashing any cars. Cloudflare will
however act as couriers, provide anonymity and protect anyone that does
smash cars. Also Cloudflare sells "protection" against car smashing.

But all this is just free speech - sorry no, this is not any better than
what the mafia guys are doing in bad parts of the town.

Regards,

Baldur


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-28 Thread Valdis . Kletnieks
On Wed, 27 Jul 2016 22:55:54 -0400, Miles Fidelman said:
> On 7/27/16 10:48 PM, Randy Bush wrote:
> >> They just lost all respect from here. Would someone from USA please
> >> report these guys to the feds? What they are doing is outright
> >> criminal.
> > hyperbole.  it is not criminal.  you just don't happen to like it.
>
> Actually, as someone pointed out, it might well be conspiracy - which is
> criminal.

In general, the conspiracy isn't criminal if the conspired act isn't criminal.
If you're trying to make a criminal conspiracy out of non-criminal acts,
your best bet is probably finding a new way to abuse the RICO statutes.




Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Christopher Morrow
On Thu, Jul 28, 2016 at 3:55 AM, Miles Fidelman 
wrote:

>
>
> On 7/27/16 10:48 PM, Randy Bush wrote:
>
>> They just lost all respect from here. Would someone from USA please
>>> report these guys to the feds? What they are doing is outright
>>> criminal.
>>>
>> hyperbole.  it is not criminal.  you just don't happen to like it.
>>
>
> Actually, as someone pointed out, it might well be conspiracy - which is
> criminal.


looking forward to the court case, if it's really important it'll happen
shortly, right?


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Miles Fidelman



On 7/27/16 10:48 PM, Randy Bush wrote:

>> They just lost all respect from here. Would someone from USA please
>> report these guys to the feds? What they are doing is outright
>> criminal.
>
> hyperbole.  it is not criminal.  you just don't happen to like it.


Actually, as someone pointed out, it might well be conspiracy - which is 
criminal.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra



Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Randy Bush
> They just lost all respect from here. Would someone from USA please
> report these guys to the feds? What they are doing is outright
> criminal.

hyperbole.  it is not criminal.  you just don't happen to like it.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Paras Jha
I am not a lawyer and I don't pretend to be, but I believe

> the gamer who ticked off another gamer and got DDoSed doesn't
> have the knowledge, time, or resources to file a claim that will actually
> accomplish anything, and nobody else can file the claim on their behalf.

I believe a class action lawsuit would sidestep this. Don't quote me on
that though, I may be wrong.

On Wed, Jul 27, 2016 at 10:04 PM, Paras Jha 
wrote:

> He's right, conspiracy to commit X is a valid criminal charge, at least in
> the US. Conspiracy to commit fraud, theft, murder, racketeering, etc are
> all "sister charges" of charges of ones actually carried out.
>



-- 
Regards,
Paras

President
ProTraf Solutions, LLC
Enterprise DDoS Mitigation


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Paras Jha
He's right, conspiracy to commit X is a valid criminal charge, at least in
the US. Conspiracy to commit fraud, theft, murder, racketeering, etc are
all "sister charges" of charges of ones actually carried out.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Mark Andrews

In message <31450.1469667...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu 
writes:
> On Thu, 28 Jul 2016 10:48:47 +1000, Mark Andrews said:
> 
> > As soon as a transaction takes place, conspiracy to harm  by
> > .  If the DoS actually occurs you can add additional charges for
> > the actual actions.
> 
> If the claim is that a law has been broken, you have to show that  is
> actually a crime in the jurisdiction involved.  If it's a civil claim, in
> general only  will have standing to actually file suit.  That's a big chunk
> of the problem - the gamer who ticked off another gamer and got DDoSed doesn't
> have the knowledge, time, or resources to file a claim that will actually
> accomplish anything, and nobody else can file the claim on their behalf.

There have always been plenty of laws to cover DoS attacks.  You
don't need "with a computer" in the law.  You just need to apply
existing laws.

> > This is no different conceptually to hiring a thug to take a baseball
> > bat to a place.  You can be charged for conspiracy to commit a
> > crime even if the crime does not occur.
> 
> Bringing a baseball bat to a place isn't usually in and of itself
> illegal. Thug A may bring a bat to someplace, but absent evidence that
> Thug B will then use said bat for nefarious purposes, you're still left
> with nothing. You have to draw *all* the dots, Mark. :)

It's the hiring that triggers the conspiracy.  The crime has been
committed the moment there is agreement to perform the act.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Valdis . Kletnieks
On Thu, 28 Jul 2016 10:48:47 +1000, Mark Andrews said:

> As soon as a transaction takes place, conspiracy to harm  by
> .  If the DoS actually occurs you can add additional charges for
> the actual actions.

If the claim is that a law has been broken, you have to show that  is
actually a crime in the jurisdiction involved.  If it's a civil claim, in
general only  will have standing to actually file suit.  That's a big chunk
of the problem - the gamer who ticked off another gamer and got DDoSed doesn't
have the knowledge, time, or resources to file a claim that will actually
accomplish anything, and nobody else can file the claim on their behalf.

> This is no different conceptually to hiring a thug to take a baseball
> bat to a place.  You can be charged for conspiracy to commit a
> crime even if the crime does not occur.

Bringing a baseball bat to a place isn't usually in and of itself
illegal. Thug A may bring a bat to someplace, but absent evidence that
Thug B will then use said bat for nefarious purposes, you're still left
with nothing. You have to draw *all* the dots, Mark. :)




Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Mark Andrews

In message <23235.1469666...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu 
writes:
> On Wed, 27 Jul 2016 11:21:02 -0700, Dan Hollis said:
> > On Wed, 27 Jul 2016, b...@theworld.com wrote:
> > > There isn't even general agreement on whether (or what!) Cloudflare is
> > > doing is a problem.
> >
> > aiding and abetting. at the very least willful negligence.
> 
> aiding and abetting of what, *exactly*?  You can't accuse somebody of
> it until (as Barry Shein pointed out) you have a workable definition of
> what exactly you're talking about.  Similarly, "willful negligence" in most
> places requires you to draw a dotted line between the alleged negligent
> action, and some claimed damage or loss on your part - of a form that
> a court can provide a remedy for.

As soon as a transaction takes place, conspiracy to harm  by
.  If the DoS actually occurs you can add additional charges for
the actual actions.

This is no different conceptually to hiring a thug to take a baseball
bat to a place.  You can be charged for conspiracy to commit a
crime even if the crime does not occur.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Valdis . Kletnieks
On Wed, 27 Jul 2016 11:21:02 -0700, Dan Hollis said:
> On Wed, 27 Jul 2016, b...@theworld.com wrote:
> > There isn't even general agreement on whether (or what!) Cloudflare is
> > doing is a problem.
>
> aiding and abetting. at the very least willful negligence.

aiding and abetting of what, *exactly*?  You can't accuse somebody of
it until (as Barry Shein pointed out) you have a workable definition of
what exactly you're talking about.  Similarly, "willful negligence" in most
places requires you to draw a dotted line between the alleged negligent
action, and some claimed damage or loss on your part - of a form that
a court can provide a remedy for.




Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Justin Paine via NANOG
From our side:

abuse@ reports generate an auto reply indicating where our reporting
form is located.

Reports at our reporting form generate an auto reply confirming we
received the report. All reports filed via the form are reviewed by a
human and at a minimum passed on to the responsible hosting provider so
they are aware and they can follow their policies to address with their
customer.


Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Wed, Jul 27, 2016 at 10:35 AM, Christopher Morrow
 wrote:
>
> On Wed, Jul 27, 2016 at 10:58 AM, Paras Jha 
> wrote:
>>
>> I consistently did not even get replies
>
>
> This is a common 'complaint' point for abuse senders. I often wonder why.
> What is a reply supposed to do or tell you?


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Justin Paine via NANOG
Law enforcement (US or international) knows how to contact us if they
have an inquiry to make. We also publish a Transparency
Report that covers those legal inquiries:
https://www.cloudflare.com/transparency/


Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Wed, Jul 27, 2016 at 9:32 AM, Steve Atkins  wrote:
>
>> On Jul 27, 2016, at 9:17 AM, Baldur Norddahl  
>> wrote:
>>
>> On 27 Jul 2016 at 17:12, "Steve Mikulasik" wrote:
>>>
>>> Disclaimer: I have a ton of respect for Cloudflare and what they do on
>>> the internet.
>>
>> They just lost all respect from here. Would someone from USA please report
>> these guys to the feds? What they are doing is outright criminal.
>
> They can monitor (passively or actively) all access to the sites they host,
> even the ones that use SSL, and they often use their close working
> relationship with law enforcement to explain why they don't terminate bad
> actors on their network.
>
> You can probably assume that "the feds" are intimately aware of what they're
> doing.
>
> Cheers,
>   Steve
>


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Justin Paine via NANOG
Hi Paras,

I covered the booter topic in a previous reply on a different (though
basically the same) thread. By "non-existent" you mean we are
processing thousands of reports per week. If you have something to
report you can certainly do so at cloudflare.com/abuse. We'd be more
than happy to process your report also.

Thanks,
Justin


Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Wed, Jul 27, 2016 at 7:37 AM, Paras Jha  wrote:
> Hi Jair,
>
> This list is really interesting.
>
> From just a preliminary test, more than half of these domains are hiding
> behind Cloudflare, and OVH has a sizable fraction too. I suppose it's
> inevitable, given that both are known for having non-existent abuse
> departments.
>
> Regards
>
> On Wed, Jul 27, 2016 at 9:49 AM, Jair Santanna 
> wrote:
>
>> Hi folks,
>>
>> A friend forwarded me your topic about Booters and CloudFlare. Then I
>> decided to join the NANOG list. The *answer* for the first question about
>> CloudFlare and Booters is at: https://www.youtube.com/watch?v=wW5vJyI_HcU
>> (minute 45:55) given by the _CloudFlare CEO_ in the blackhat2013.
>>
>> I have investigated Booters since 2013 and I know many (if not all) of the
>> possible aspects of this DDoS-as-a-Service phenomenon. A summary of my entire
>> research (or large part of that) can be watched at
>> https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top
>> of that, I developed an algorithm to find Booters and publicly share such
>> list (http://booterblacklist.com/). My main goal with this initiative is
>> to convince people to blacklist and keep track of the users that access
>> Booters (that potentially perform attacks)
>>
>> If you have any question about any aspect of the entire phenomenon don't
>> hesitate to contact me. By the way, I want to help deploy the booters
>> blacklist worldwide and help prosecutors to shut down these bastards. I have
>> a lot of evidence!
>>
>> Cheers,
>>
>> Jair Santanna
>> jairsantanna.com
>>
>>
>>
>>
>
>
> --
> Regards,
> Paras
>
> President
> ProTraf Solutions, LLC
> Enterprise DDoS Mitigation


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread niels=nanog

* goe...@sasami.anime.net (Dan Hollis) [Wed 27 Jul 2016, 20:21 CEST]:
> On Wed, 27 Jul 2016, b...@theworld.com wrote:
>> There isn't even general agreement on whether (or what!) Cloudflare
>> is doing is a problem.
>
> aiding and abetting. at the very least willful negligence.


I hope the armchairs y'all are lawyering from are comfortable


-- Niels.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Dan Hollis

On Wed, 27 Jul 2016, b...@theworld.com wrote:
> There isn't even general agreement on whether (or what!) Cloudflare is
> doing is a problem.

aiding and abetting. at the very least willful negligence.

-Dan


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread bzs

This is why policy, as painful as it is to produce, is useful.

There isn't even general agreement on whether (or what!) Cloudflare is
doing is a problem.

Which is why interested parties need to get together and agree on some
sort of policy regarding this and similar things.

Or not and just let it go.

That policy could, at least in theory, be attached to peering
agreements, BGP agreements, address allocations, etc as contracts as a
means of enforcement. And if necessary presented to law enforcement or
courts as clearly defined violations of GAAP.

It may not be a law per se but it's the sort of thing a court case
might use, say in a civil damages suit or even law enforcement action,
to establish that defendant's behavior exhibited reckless disregard
and so on.

As an analogy you can't accuse someone of mayhem if no one can be
bothered to write down what mayhem might be and why the defendant
should have known their actions were mayhemic.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Ken Chase
Because replying admits knowledge and creates a papertrail thereof. Esp.
w.r.t. copyright infringement takedown notices etc.

(or also because said providers are inundated with such requests because they
don't actually care as it's all part of their profit centre.)

/kc


On Wed, Jul 27, 2016 at 01:35:09PM -0400, Christopher Morrow said:
  >On Wed, Jul 27, 2016 at 10:58 AM, Paras Jha 
  >wrote:
  >
  >> I consistently did not even get replies
  >
  >
  >This is a common 'complaint' point for abuse senders. I often wonder why.
  >What is a reply supposed to do or tell you?

-- 
Ken Chase - m...@sizone.org 



Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Christopher Morrow
On Wed, Jul 27, 2016 at 10:58 AM, Paras Jha 
wrote:

> I consistently did not even get replies


This is a common 'complaint' point for abuse senders. I often wonder why.
What is a reply supposed to do or tell you?


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Rich Kulawiec
On Wed, Jul 27, 2016 at 10:37:21AM -0400, Paras Jha wrote:
> From just a preliminary test, more than half of these domains are hiding
> behind Cloudflare, and OVH has a sizable fraction too. I suppose it's
> inevitable, given that both are known for having non-existent abuse
> departments.

Here's the list sorted by DNS provider.  (Of course the DNS provider isn't
necessarily the hoster.)  This list omits domains which don't seem to have
NS records at the moment.


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Steve Atkins

> On Jul 27, 2016, at 9:17 AM, Baldur Norddahl  
> wrote:
> 
> On 27 Jul 2016 at 17:12, "Steve Mikulasik" wrote:
>> 
>> Disclaimer: I have a ton of respect for Cloudflare and what they do on
>> the internet.
> 
> They just lost all respect from here. Would someone from USA please report
> these guys to the feds? What they are doing is outright criminal.

They can monitor (passively or actively) all access to the sites they host, even
the ones that use SSL, and they often use their close working relationship with
law enforcement to explain why they don't terminate bad actors on their network.

You can probably assume that "the feds" are intimately aware of what they're 
doing.

Cheers,
  Steve



RE: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Baldur Norddahl
On 27 Jul 2016 at 17:12, "Steve Mikulasik" wrote:
>
> Disclaimer: I have a ton of respect for Cloudflare and what they do on
> the internet.

They just lost all respect from here. Would someone from USA please report
these guys to the feds? What they are doing is outright criminal.

Regards

Baldur


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Dovid Bender
As was mentioned in the BlackHat video the DDOS providers don't like
competition and they try to take each other out which is why they need to
be on Cloudflare. If they were all kicked off of Cloudflare then they would
all take each other out leaving no need for Cloudflare's DDOS services. So
by hosting these companies they are ensuring that they will have business.

(I have no evidence to this. Just a theory..)



On Wed, Jul 27, 2016 at 11:09 AM, Steve Mikulasik  wrote:

> I am sure a lawyer would see it very differently, I could see someone
> looking at this like racketeering. They get paid to provide a service to
> defend against DDoS, well knowingly hosting people who conduct DDoS
> attacks. Cloudflare profits from both the victims and the criminals. If
> Cloudflare isn't acting in good faith to shut down these sites when they
> receive evidence they are bad actors, they could find themselves in a bit
> of trouble.
>
> At this point Cloudflare would know that these bad actors are hosted on
> their service since we know many Cloudflare employees subscribe to the
> NANOG list, and the list of bad actors would now show up in their email
> server, ready for legal discovery.
>
> Disclaimer: I have a ton of respect for Cloudflare and what they do on
> the internet.
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy Bush
> Sent: Wednesday, July 27, 2016 8:56 AM
> To: Paras Jha 
> Cc: NANOG list 
> Subject: Re: EVERYTHING about Booters (and CloudFlare)
>
> > I suppose it's inevitable, given that both are known for having
> > non-existent abuse departments.
>
> as the OP made pretty clear, it's not a matter of an abuse contact.
> it is the service not acting as a law enforcement agency and asking for a
> court order.  most large service providers operate in that way.
>
> randy
>
>


RE: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Steve Mikulasik
I am sure a lawyer would see it very differently, I could see someone looking 
at this like racketeering. They get paid to provide a service to defend against 
DDoS, well knowingly hosting people who conduct DDoS attacks. Cloudflare 
profits from both the victims and the criminals. If Cloudflare isn't acting in 
good faith to shut down these sites when they receive evidence they are bad 
actors, they could find themselves in a bit of trouble. 

At this point Cloudflare would know that these bad actors are hosted on their 
service since we know many Cloudflare employees subscribe to the NANOG list, 
and the list of bad actors would now show up in their email server, ready for 
legal discovery.

Disclaimer: I have a ton of respect for Cloudflare and what they do on the 
internet. 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy Bush
Sent: Wednesday, July 27, 2016 8:56 AM
To: Paras Jha 
Cc: NANOG list 
Subject: Re: EVERYTHING about Booters (and CloudFlare)

> I suppose it's inevitable, given that both are known for having 
> non-existent abuse departments.

as the OP made pretty clear, it's not a matter of an abuse contact.
it is the service not acting as a law enforcement agency and asking for a court 
order.  most large service providers operate in that way.

randy



Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread J. Oquendo
On Wed, 27 Jul 2016, Paras Jha wrote:

> Hi Justin,
> 
> I have submitted abuse reports in the past, maybe from 2014 - 2015, but I
> gave up after I consistently did not even get replies and saw no action
> being taken. It is the same behavior with other providers who host malware
> knowingly. I appreciate you coming out onto the list though, it's nice to
> see that CF does maintain a presence here.
> 

I for one am glad providers are on the case tackling DoS,
never ignoring abuse, and doing the best they can to
prevent these things:

https://www.linkedin.com/pulse/why-do-networking-providers-like-cybercriminals-so-much-j-oquendo

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Paras Jha
Hi Randy,

I've found the vast majority of large service providers to be very
receptive to abuse reports when they contain evidence and valid information.

Regards
Paras


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Paras Jha
Hi Justin,

I have submitted abuse reports in the past, maybe from 2014 - 2015, but I
gave up after I consistently did not even get replies and saw no action
being taken. It is the same behavior with other providers who host malware
knowingly. I appreciate you coming out onto the list though, it's nice to
see that CF does maintain a presence here.

Regards
Paras


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Randy Bush
> From just a preliminary test, more than half of these domains are
> hiding behind Cloudflare, and OVH has a sizable fraction too.

you mean are using cloudflare and ovh services.

> I suppose it's inevitable, given that both are known for having
> non-existent abuse departments.

as the OP made pretty clear, it's not a matter of an abuse contact.
it is the service not acting as a law enforcement agency and asking
for a court order.  most large service providers operate in that way.

randy


Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Paras Jha
Hi Jair,

This list is really interesting.

From just a preliminary test, more than half of these domains are hiding
behind Cloudflare, and OVH has a sizable fraction too. I suppose it's
inevitable, given that both are known for having non-existent abuse
departments.

Regards

On Wed, Jul 27, 2016 at 9:49 AM, Jair Santanna 
wrote:

> Hi folks,
>
> A friend forwarded me your topic about Booters and CloudFlare. Then I
> decided to join the NANOG list. The *answer* for the first question about
> CloudFlare and Booters is at: https://www.youtube.com/watch?v=wW5vJyI_HcU
> (minute 45:55) given by the _CloudFlare CEO_ in the blackhat2013.
>
> I have investigated Booters since 2013 and I know many (if not all) of the
> possible aspects of this DDoS-as-a-Service phenomenon. A summary of my entire
> research (or large part of that) can be watched at
> https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top
> of that, I developed an algorithm to find Booters and publicly share such
> list (http://booterblacklist.com/). My main goal with this initiative is
> to convince people to blacklist and keep track of the users that access
> Booters (that potentially perform attacks)
>
> If you have any question about any aspect of the entire phenomenon don't
> hesitate to contact me. By the way, I want to help deploy the booters
> blacklist worldwide and help prosecutors to shut down these bastards. I have
> a lot of evidence!
>
> Cheers,
>
> Jair Santanna
> jairsantanna.com
>
>
>
>


-- 
Regards,
Paras

President
ProTraf Solutions, LLC
Enterprise DDoS Mitigation


EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Jair Santanna

Hi folks,

A friend forwarded me your topic about Booters and CloudFlare. Then I
decided to join the NANOG list. The *answer* for the first question
about CloudFlare and Booters is at:
https://www.youtube.com/watch?v=wW5vJyI_HcU (minute 45:55) given by the
_CloudFlare CEO_ in the blackhat2013.


I have investigated Booters since 2013 and I know many (if not all) of the
possible aspects of this DDoS-as-a-Service phenomenon. A summary of
my entire research (or large part of that) can be watched at
https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top
of that, I developed an algorithm to find Booters and publicly share
such list (http://booterblacklist.com/). My main goal with this
initiative is to convince people to blacklist and keep track of the
users that access Booters (that potentially perform attacks)


If you have any question about any aspect of the entire phenomenon don't
hesitate to contact me. By the way, I want to help deploy the booters
blacklist worldwide and help prosecutors to shut down these bastards. I
have a lot of evidence!


Cheers,

Jair Santanna
jairsantanna.com