Cloudflare's stand on free speech is really impressive. I just wish more companies would have such a strong position on that issue. They deserve all the marketing/pr they can get, but first signs are already showing that they are not just making friends with their position: http://www.cloudflare-watch.org/
If the FBI comes knocking down your door and asks you to stop helping Wikileaks, I think we'll have confirmation of who's been doing this to Wikileaks.
Now that I think of it, this is a great job creation program. Pay people to attack wikileaks and wikileaks pays people to defend them. Sort of like breaking windows and then someone has to fix them.
You best set up a page that just says, "as long as this page is up, we have NOT been served a National Security Letter from the FBI".
Because it's going to contain a gag order that prevents you from even talking to your lawyer. So you probably want to ask them ahead of time what to do when you get the letter.
> The Patriot Reauthorization Act of 2005 modified some of the gag order provisions. An NSL recipient may now disclose the fact that they received an NSL in connection with seeking legal advice or complying with the NSL. NSL recipients were also given the ability to challenge, in federal court, compliance with the NSL and the gag order provisions.
That's a good idea. But seriously, you can't even tell your lawyer to defend yourself against something like that? How is that even remotely constitutional? Does the US Congress pass laws that violate the Constitution on purpose these days?
ACLU challenged it in two cases and that aspect was ruled unconstitutional in both. The law was changed in 2005 to explicitly state that the gag order does not stop you from talking to lawyers about the NSL.
One important conclusion is that it's very hard to identify the source for most DDoS attacks because the IP address is either forged, or innocent. Identifying the true source would mean getting into the CnC of the botnet being used. Our business isn't about tracking down who, but simply stopping attacks.
thanks for accepting them as customers. i hope that it works out (i imagine a larger test will be when something with less popular support - neo nazis or child porn or whatever - becomes a client). free speech matters. and controlling speech should be - in the end - something that is done through a visible, accountable process.
[edited to change "taking a stand" to something less objectionable(?). but contrast this with the payment service providers.]
It's worth noting that CloudFlare is not 'taking a stand' on this. Wikileaks approached us about becoming a customer and as they are a high traffic site they had to go through manual sign up. Once that was done they are live.
"You have made the choice not to enforce your own terms of service."
Not really. They've just made a choice not to enforce Section 11, which they state, in Section 11, that they can do.
In the first sentence of Section 11 it says "in the sole judgment of CloudFlare", doesn't that mean that they get to make the choice of whether or not a site violates anything in Section 11?
Are there any lawsuits from any government or official channel that successfully went after WikiLeaks for violations that CloudFlare needs to comply with?
In this case I think it's for CloudFlare to decide, they state this in Section 11 and they've made their choice.
My point is they are aware of what Wikileaks is, and they are making a conscious decision to not enforce the terms (which is as you point out, at their discretion).
Regardless of your feelings on the matter, Wikileaks does admit they do not have the permission of the rights holders to be releasing documents.
I've been behind a large often-targeted service for the last 10 years or so, and most of the large attacks we get are pretty easily filtered as our service is TCP (like CloudFlare), and most of the attacks we get are either ping or UDP floods, which we drop at the boundary.
A little harder is the SYN flood with spoofed addresses; how on earth can you filter those?
Aren't SYN cookies [0] the traditional defence against SYN floods? The proxy, or a device in front of it, could take care of that. Only connections that complete the 3-way handshake would take up any room in the connection table.
I don't understand. Why is it simple to filter UDP but not simple to filter based on a cookie? Is the validation cpu-expensive in bulk? Do you not have the capability to filter that way at the boundary?
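The SYN-cookie mechanism referred to in the comments above, written out as an added example (this is not code from CloudFlare or from anyone in the thread). It follows the classic layout of a SYN cookie: the server's initial sequence number packs a 5-bit time counter, a 3-bit MSS table index and a 24-bit keyed tag over the connection 4-tuple, so the server keeps no state for a half-open connection and only the third-handshake ACK, which must echo a cookie that validates, creates an entry in the connection table. The secret, the addresses, the 64-second tick size and the two-tick validity window are constructed values for the example.

```python
import hashlib
import hmac
import time

# Per-server secret; a real stack rotates this periodically. Constructed for this example.
SECRET = b"example-only-secret"

# Classic SYN cookies encode the client's MSS as a small index into a fixed table.
MSS_TABLE = [536, 1300, 1440, 1460]

# Time granularity (64 s ticks) and how many ticks a cookie stays valid (assumed values).
TICK_SHIFT = 6
MAX_AGE_TICKS = 2


def _tick(now):
    return int(now) >> TICK_SHIFT


def _mac24(src_ip, dst_ip, src_port, dst_port, tick):
    """Keyed 24-bit tag over the 4-tuple and the time tick (HMAC-SHA256, truncated)."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, dst_ip, src_port, dst_port, mss, now=None):
    """Build the 32-bit initial sequence number for the SYN-ACK.
    Layout: 5 bits of time, 3 bits of MSS index, 24-bit tag."""
    tick = _tick(time.time() if now is None else now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i  # largest table entry not exceeding the client's MSS
    tag = _mac24(src_ip, dst_ip, src_port, dst_port, tick)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | tag


def check_cookie(ack, src_ip, dst_ip, src_port, dst_port, now=None):
    """Validate the handshake's final ACK. Returns the recovered MSS, or None when the
    cookie is forged, belongs to another 4-tuple, or is older than MAX_AGE_TICKS."""
    cookie = (ack - 1) & 0xFFFFFFFF  # client ACKs our ISN + 1
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    cur = _tick(time.time() if now is None else now)
    for age in range(MAX_AGE_TICKS + 1):
        cand = cur - age
        if (cand & 0x1F) == t_low and _mac24(src_ip, dst_ip, src_port, dst_port, cand) == tag:
            return MSS_TABLE[mss_idx]
    return None


class SynCookieListener:
    """Toy listener: a SYN allocates nothing; only a valid ACK creates connection state."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.connections = {}  # (src_ip, src_port) -> negotiated MSS

    def on_syn(self, src_ip, src_port, mss, now=None):
        # Answer with a SYN-ACK whose sequence number is the cookie; keep no half-open entry.
        return make_cookie(src_ip, self.ip, src_port, self.port, mss, now)

    def on_ack(self, src_ip, src_port, ack, now=None):
        mss = check_cookie(ack, src_ip, self.ip, src_port, self.port, now)
        if mss is None:
            return False  # spoofed, replayed or stale: drop, still no state
        self.connections[(src_ip, src_port)] = mss
        return True


def demo():
    """Constructed scenario: thousands of SYNs from spoofed sources that never answer the
    SYN-ACK leave the table empty; one genuine client that completes the handshake gets an entry."""
    srv = SynCookieListener("198.51.100.10", 80)
    t0 = 1_000_000
    for i in range(10_000):
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, 1460, now=t0)
    after_flood = len(srv.connections)
    isn = srv.on_syn("192.0.2.7", 40000, 1460, now=t0)
    accepted = srv.on_ack("192.0.2.7", 40000, isn + 1, now=t0 + 5)
    return after_flood, accepted, len(srv.connections)


if __name__ == "__main__":
    print(demo())
```

The point the comment makes is visible in `demo()`: the spoofed SYNs cost the listener one HMAC each and no memory, and the table only grows when an ACK carries a cookie that validates for the same source address, source port and a recent tick. The price of the scheme is that TCP options other than MSS are lost for cookie-validated connections, which is why real stacks only switch cookies on once the SYN backlog fills.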
Unlikely. This stuff is our bread and butter. We are under DDoS attack 40% of the time 24/7 (see: http://blog.cloudflare.com/the-wednesday-witching-hour-cloud...). A 10Gbps attack is not unusual for us and we've seen much higher. We have a lot of experience dealing with DDoS attacks.
What does wildcard DNS have to do with WordPress sites? I have 5 WordPress sites with subdomains all pointing to one single server but protected behind CloudFlare. All sites have their own domain with their own subdomains, like mobile.domain.com or whatever, but that has nothing to do with WordPress or CloudFlare support; just create new records.
> On Friday Wikileaks complained on Twitter that CloudFlare had preemptively blocked the organization from signing up.
I wonder what the actual error message is. Wikileaks actually had to complain on Twitter before finding out they weren't actually blocked, just that there was a special signup process for high-volume accounts.
If there are high-volume site operators who didn't want to tweet CloudFlare for whatever reason, I wonder who else they could list as customers by now.
I'm not clear on how this works... Doesn't cloudflare just replace the domain's DNS record to point to their own servers? So an attack on the original wikileaks IPs would still be fairly effective. Maybe less effective because CF delivers cached content to normal users, but it would keep WL from delivering large files to the CF servers to begin with.