nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: EVERYTHING about Booters (and CloudFlare)

From: Miles Fidelman <mfidelman () meetinghouse net>
Date: Thu, 28 Jul 2016 13:15:58 -0400
On 7/28/16 11:56 AM, Niels Bakker wrote:
* mfidelman () meetinghouse net (Miles Fidelman) [Thu 28 Jul 2016, 17:42 CEST]: 
[...]
Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an interesting test case for RICO
CloudFlare is doing nothing of the sort, and it's kind of vile for you to suggest otherwise, even ostensibly by way of floating it as a hypothetical.
Well, I don't know - if I were in the business of selling security services, I'd probably suggest that potential customers do some penetration and stress testing of their systems. And that seems pretty legitimate.
For that matter - "here are some tools you can use to test your systems" also strikes me as pretty legitimate.
On the other hand - one might argue that publishing something like "How to Launch a 65Gbps DDoS, and How to Stop One" https://blog.cloudflare.com/65gbps-ddos-no-problem/ - pushes the limits a bit - depending on how much detailed "how-to" information one provides, and how much one presents oneself as the solution.
Granted, that there's a lot of value in education - I certainly want to know the various ways folks might attack our systems, and the various ways we might defend ourselves. But there are limits - not just legal ones, but, as others have pointed out, ethical ones and ones of good taste. The CERT draws its lines one place; on the other hand, Symantec publishes white papers that give some rather in depth analyses of specific viruses - there for the googling. Cloudflare certainly comes closer to one line than the other.
Opinions vary as to the ethics, taste, and legality of publishing detailed how-to information - there's certainly enough out there from sources with ill intent (including rather nasty libraries and tools that require little technical expertise to utilize) - so I tend to favor more details.
When one directly ties detailed how-to information, with product/service sales - now that strikes me as begging to be the target of some interesting test cases. In Cloudflare's case - telling people how to attack a site, hosting free & openly available tools that can support such an attack, and selling services to mitigate the attack - now that's a test case just waiting to happen. "How to Launch a 65Gbps DDoS, and How to Stop One" seems like an open invitation to ambulance chasers and aggressive prosecutors. 

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.  .... Yogi Berra
Previous By Date Next
Previous By Thread Next

Current thread: