[190865] in North American Network Operators' Group


Re: Cloudflare, dirty networks and politricks

daemon@ATHENA.MIT.EDU (Ca By)
Thu Jul 28 23:21:00 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <300752684-1469755760-cardhu_decombobulator_blackberry.rim.net-1819398455-@b16.c1.bise6.blackberry>
From: Ca By <cb.list6@gmail.com>
Date: Thu, 28 Jul 2016 20:20:54 -0700
To: "dovid@telecurve.com" <dovid@telecurve.com>
Cc: NANOG <nanog-bounces@nanog.org>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Thursday, July 28, 2016, Dovid Bender <dovid@telecurve.com> wrote:

> The issue is that Cloudflare in a way is generating their own market. If
> the ddos sites weren't protected by Cloudflare they would eat each other
> alive. It's in their interest that their sites stay up so there is a need
> for their service. When GoDaddy hosts a bad site they aren't causing
> customers to sign up for the exact service for the protection they need from
> the bad site.
>
>
>
I feel the same way about all the ddos protection rackets. But I genuinely
feel Cloudflare is just a cdn that got good at fending off ddos just to
stay alive.

And they do a lot of good things with IPv6, dnssec, TLS 1.2++, and open
source. It is not fair to blame them for our (network operators)
negligent open udp amplifiers.

We are the real problems.

If Cloudflare did not host them, someone else would.

Perhaps only on tor.

But once you remove the open dns amplifiers, or put up the appropriate acls
(bcp38 + blocks obviously abused ssdp, dns, ntp to the extent you can),
then you have really taken ddos capacity offline.




> Regards,
>
> Dovid
>
> -----Original Message-----
> From: TR Shaw <tshaw@oitc.com>
> Sender: "NANOG" <nanog-bounces@nanog.org>
> Date: Thu, 28 Jul 2016 19:45:14
> To: Donn Lasher <D.Lasher@f5.com>
> Cc: nanog@nanog.org <nanog@nanog.org>
> Subject: Re: Cloudflare, dirty networks and politricks
>
>
> > On Jul 28, 2016, at 7:30 PM, Donn Lasher via NANOG <nanog@nanog.org> wrote:
> >
> > On 7/28/16, 10:17 AM, "NANOG on behalf of J. Oquendo" <nanog-bounces@nanog.org on behalf of joquendo@e-fensive.net> wrote:
> >
> >
> >> While many are chanting: #NetworkLivesMatter, I have yet
> >> to see, read, or hear about any network provider being
> >> the first to set precedence by either de-peering, or
> >> blocking traffic from Cloudflare. There is a lot of
> >> keyboard posturing: "I am mad and I am not going to take
> >> it anymore" hooplah but no one is lifting a finger to
> >> do anything other than regurgitate "I am mad... This is
> >> criminal."
> >
> > (long discussion, was waiting for a place to jump in..)
> >
> > If we want to be accurate about it, Cloudflare doesn’t host the DDoS,
> > they protect the website of seller of the product. We shouldn’t be
> > de-peering Cloud Flare over sites they protect any more than we would
> > de-peer GoDaddy over sites they host, some of which, no doubt, sell
> > gray/black market/illegal items/services.
> >
> > If, on the other hand, you can find a specific network actually
> > generating the volumes of DDoS, you should have a conversation about
> > de-peering….
> >
> > $0.02…
> >
>
> It would be nice however if Cloudflare would announce their “freebie”
> CIDRs and the IP block that host their paying customers. Most of the abuse
> centers on the free clients.
>
>
