Cloudflare has been in front of _every_ phishing site targeting my org for the past year. Their response to reports is always "we're just a pass through, not our problem". The attackers know that CF won't take action against them, and that using CF will slow down any response or takedown request.
Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.
You instead want to be talking to browser and search engine providers and reporting there, as well as your government for illegal activities.
They aren't a passthrough, though. That wouldn't be a valuable service. They're providing a service to criminals that assists them in fraud, and refusing to take any action when notified. It adds hours or days to a takedown process. It's like they're standing outside the mall handing the bike thieves branded hacksaws.
We've had better luck getting random Moldovan ISPs to shut down service than we've had in getting CloudFlare to give a damn.
They are quite literally a MITM passthrough. The example you used doesn't make any sense either, it would be more like them handing everyone hacksaws and you getting mad at them over the fact some people are using them for bad things.
Again, get a court order and they'll take action. They are legally required to. Random Moldovan ISPs don't operate at the scale CF does, no wonder they were faster. Probably also easier to bribe as well ;)
> Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.
Well, if at least the Big Five (CF, Akamai, AWS, GCP, Azure) could get their shit together and cooperate against the bad actors, using netblocks against hostile IP ranges (both egress and ingress) could start making sense again.
I find that the domain registrar takes action more often than not (I guess because they're bound to ICANN's regulations), then the moment the domain is stopped Cloudflare sends an automated e-mail saying that they don't host the website because the DNS records stopped resolving.
Legit load testing services like loader.io require you to prove you own the site you are targeting, yes. "Stressers" let you point their orbital laser at whatever you want, they might say it's only meant for use against your own servers but that's just an ass-covering pretense.
DDoS providers and other for-profit miscreants are incentivized to DDoS each other into oblivion, and Cloudflare is the only one of the giant mitigation providers who are willing to protect them from their competition. There are bulletproof alternatives like DDoSGuard but their network is absolutely nowhere near as expansive as CFs is, nor is it free to use, nor do they have enough legit customers to rule out blocking their entire ASN in a corporate filewall to stop phishing attacks. CFs share of the blame is for making bad actors lives much easier than it should be.
so report them? this is like complaining that their domains are registered by GoDaddy, or their packets are delivered through the Internet by hurricane electric, or their local power company keeps their lights on
From what I've heard, if you send an abuse report to Cloudflare they just forward it to the owner of the service you are reporting, without redacting any personal information you provided, opening you up to reprisal. They won't actually do anything unless legally mandated to.
>They won't actually do anything unless legally mandated to.
This is a good thing, and pretty refreshing compared to the kafka-esque scenarios that Google and others offer when shutting down entire businesses based on the whims of some blackbox AI detection system or fraudulent DMCA notice.
