44 replies to this topic

[Jay12]

alan_oldstudent, on 13 April 2012 - 02:28 PM, said:

As far as I know, our ISP does not use CloudFlare, so I'm really puzzled.


Regards,
Alan OldStudent

I read this and assumed he meant that his hosting was not usinfg cloudflare.

[alan_oldstudent]

Jay12, on 13 April 2012 - 02:37 PM, said:

With the greatest of respect this thread is for reporting cloudflare related issues.

If you have issues that are not cloudflare related as yours appear not to be, then maybe you should start a new thread.

I appreciate your concern and dislike off-topic posts as much as you do too. Perhaps I did not express myself as clearly as I could have.

My point was that the reference to CloudFlare mystified me as I think it is not being used by either of our ISPs. So why would MWB throw up a warning about CloudFlare when one goes to my site?

Regards,
Alan OldStudent

[tomoz]

MysteryFCM, on 13 April 2012 - 02:47 PM, said:

Yep, basically, as far as they're concerned, they're not the host so aren't responsible for whatever their "customers" get up to (the argument being it just pushes the problem to someone else's lap). However, it is their service being mis-used, which whether they like it or not, makes them responsible too, and means they need to enforce their AUP/ToS. Put simply, unless their attitude towards abuse changes, it is highly unlikely they'll be unblocked any time soon.

I understand your position but I wonder what the consequence is for the end-user? In my case I notice these alerts primarily when I go to my banking site and ignore it. However if the impression is that these alerts can pop up "nilly-willy" affecting bad sites as well as good sites, then how much am I supposed to value them? It seems to me that not due to Malwarebytes fault, the module may not be as useful or usable as originally planned. In a way it is like blocking all US sites by domain because a lot of bad sites are hosted in the US - I think that approach would not fly.

[MysteryFCM]

Whilst I appreciate the problem, I'm actually a little concerned that a bank would be calling a site that is using CloudFlare to begin with, as this isn't something a bank should be doing.

The problem here is one of risk factors, and the risk of leaving it unblocked is far higher than the potential inconveniences of blocking it. I realize this sounds harsh, and blocking CDNs is not something I do lightly, but CloudFlare were given many chances prior to the block being put in place - alot more than I'd normally give.

[tomoz]

Interesting - so do I take it that irrespective of the lack of cooperation in this case you do not "believe" in their marketing that they are actually providing security apart from speed enhancements?

https://www.cloudfla...atures-security

I am not savvy enough to judge this but I know if I started to talk to my bank about this issue, I would get nowhere.

[MysteryFCM]

The security they provide isn't actually what it seems, all they do is provide a layer between the server and the visitor/attacker, and a savvy attacker can bypass that completely if they wish, by going directly to the server itself. In this respect, CloudFlare have more in common with a simple DNS provider, than an actual CDN. However, as soon as they start ignoring abuse by their own customers, they must be held accountable, regardless of what they provide, just as we hold hosting companies responsible.

[tomoz]

Thanks Steven for this explanation

[MysteryFCM]

No problem at all.

[karmad]

Quote

Interesting - so do I take it that irrespective of the lack of cooperation in this case you do not "believe" in their marketing that they are actually providing security apart from speed enhancements?

Cloudflare does not provide protection for end users. They are not a service for end users. They are a service for website owners and they claim to provide a limited form of protection for website owners.

Quote

The security they provide isn't actually what it seems, all they do is provide a layer between the server and the visitor/attacker, and a savvy attacker can bypass that completely if they wish, by going directly to the server itself.

Cloudflare doesn't claim to offer a firewall against targeted attacks. It simply reduces the number of nasty bots draining resources, probing for security holes, and scraping e-mails. An attacker that is specifically targeting a website can bypass Cloudflare as you say, but 99% of unwanted bots and crawlers won't bother with that, so it is a useful service. It is also free and trivial to use. It has saved me considerable time compared to setting and maintaining similar protections manually. I know because I've manually setup automated rouge bot detection and blocking before. I only us Cloudflare on my smaller and less vital sites because it is too automagical for my most important ones.

While I appreciate your position on security, it seems to me that with all pros and cons totaled up, your all-or-nothing approach is on the wrong side of things. It is harming both innocent website owners and web users. What if we were talking about a larger CDN? How many CDN blocks will it take before the software starts to become unusable?

It also appear to me that you may be trying to bully Cloudflare into becoming a cyber police. They have a free and open service. That is asking for a lot. What next? Start blocking whole IP blocks, or entire hosting companies, or even countries, for failing to police their users to your satisfaction?

Perhaps there is an intermediate level of warning that can be provided, informing the user that the current web address is not known to host malicious content but it's IP address is associated with other sites that do, so extra caution should be exercised.

[MysteryFCM]

karmad, on 14 April 2012 - 10:34 PM, said:

Cloudflare doesn't claim to offer a firewall against targeted attacks. It simply reduces the number of nasty bots draining resources, probing for security holes, and scraping e-mails.

I know, that's pretty much what I said.

karmad, on 14 April 2012 - 10:34 PM, said:

While I appreciate your position on security, it seems to me that with all pros and cons totaled up, your all-or-nothing approach is on the wrong side of things. It is harming both innocent website owners and web users. What if we were talking about a larger CDN? How many CDN blocks will it take before the software starts to become unusable?

If we were talking about a larger company and they were willingly refusing to put a stop to abuse they were notified of, then it would be the same discussion and the position would be the same - but we're not, so that's irrelevant.

karmad, on 14 April 2012 - 10:34 PM, said:

It also appear to me that you may be trying to bully Cloudflare into becoming a cyber police. They have a free and open service. That is asking for a lot. What next? Start blocking whole IP blocks, or entire hosting companies, or even countries, for failing to police their users to your satisfaction?

Not trying to bully them at all, simply trying to get them to do their job and enforce their AUP, just as is required for all other service providers. I don't believe that is asking alot, quite the opposite. Indeed, by finding this stuff, we already do part of their job for them (they should already be monitoring those using their service, for signs of abuse). The fact they're providing a free service means we shouldn't ask them to look after it?

karmad, on 14 April 2012 - 10:34 PM, said:

Perhaps there is an intermediate level of warning that can be provided, informing the user that the current web address is not known to host malicious content but it's IP address is associated with other sites that do, so extra caution should be exercised.

Not sure how that would be much different, if users are notified of potential abuse, but the program doesn't stop it when it knows there's a risk - who are they then going to complain to? (I already know the answer, so no need to answer this).

[mprince]

I have been following this thread and the abuse requests submitted by Malwarebyes. CloudFlare is committed to ensuring that malware is not distributed through our network. We appreciate when organizations like Malwarebytes reports sites on our network that are being used to infect systems. When we receive such reports, we currently remove the sites from our network. That's somewhat unsatisfying since, as a pass-through network as opposed to a host, just eliminating the site from our network doesn't actually block the malware distribution.

Going forward, we are working with organizations such as StopBadware to implement a way to block the requests for infected pages and other resources and replace those requests with information for the visitor on the threat of malware and what they can do to protect themselves. We're excited to work with responsible malware reporting companies in order to help both limit malware distribution and inform web surfers of the risk. We're finishing up the final tests of the new system and will have it online in the coming weeks.

Unfortunately, the new system is unlikely to resolve the current controversy which is more political than technical in nature. The current controversy involving Malwarebytes blocking CloudFlare IPs is centered around one site. To be clear, this site does not distribute malware itself and visiting it will not infect your computer. It does, however, provide information on how to create malware. Philosophically, we believe there is a difference between distributing malware -- which we will prohibit through our network -- and distributing information about malware. We do not believe our role is to play censor to any information on the Internet, even information we find disturbing. Publishing the Anarchists Cookbook does not make you a terrorist. Blocking sites based on the information they contain, as opposed to the actual harm they do, takes a step down a slippery slope I find deeply troubling.


Do note that Malwarebytes could provide a mode for its customers to block sites that have information the company objects to. If they wanted to do so, the responsible method would be to block based on the site's domain. This would accomplish Malwarebyte's political goal of removing access to the information without causing false positives.

We will welcome and promptly respond to reports of actual malware being distributed through our network from Malwarebytes or other organizations. On the other hand, we will not remove sites merely because someone objects to the information they contain. That is not our role, and we don't believe it is the role most customers have hired Malwarebytes for either.

Sincerely,
Matthew Prince
Co-founder & CEO, CloudFlare, Inc.
@eastdakota (Twitter)

[MysteryFCM]

It's not centered around one site at all, the block stemmed due to a refusal to suspend sites involved in drive-by's (indeed, I specifically asked if the stance had changed prior to implementing the block, and only got a different answer after the block was in place, and even then, it included a refusal to suspend the sites involved - despite evidence being provided).

This is also not political at all - it's about your company not enforcing its AUP (the fact your company partners with known criminal hosts (i.e. quite a few of those "partners" you've got listed in your site, are well known blackhat hosts from the likes of hackforums.net)), just makes it worse).

It also has nothing to do with a site "providing information" - one of the sites involved is dedicated to Java drive-by's, and doesn't just "provide information" on such - as you'd have seen had you looked at the evidence sent (i.e. the pcap). This sites services is something you're fully aware of, given I've mentioned the site in question on previous occasions.

As for this;

Quote

When we receive such reports, we currently remove the sites from our network. That's somewhat unsatisfying since, as a pass-through network as opposed to a host, just eliminating the site from our network doesn't actually block the malware distribution.

1. No, you don't - you've refused to suspend the sites accounts. All you've done is block a few URLs (which you were warned, wouldn't work - they'd just switch to new ones - something they did a couple days later).

2.I don't care if you consider suspending your clients, "unsatisfying". Suspending their accounts blocks access at least until they change their NS, which is far better than leaving it live, and your attempt to use that argument is absolutely abhorrent. Should we also not ask hosts/registrars to terminate accounts, simply because they can just move it elsewhere?

[dazzagee]

I have posted on another thread that I am also having problems with accessing cloudflare IPs:

173.245.60.137 restyletimeline.com (173.245.60.52 also comes up when I try to access this web site).

After reading the (other) thread about freewaregenius.com (173.245.60.118) I also tried that link and it is still being blocked.

[EchoTom]

There are better ways to deal with this problem.

I recommended Malwarebytes to multiple users of my website, which happens to utilize Cloudflare for load-balancing, (some) spam protection and resource caching. They liked it so much that they bought it, enabling the protection and blacklist module.

Now, I have received reports from those multiple people that my site was inaccessible.

Possible solutions:

1) Disable CF on my website (hurtful to me)
2) Get my users to disable MBAM (hurtful to them)

The longer that this predicament exists, the longer that both companies look unprofessional.

Perhaps there are better blacklisting techniques that could be utilized by MBAM, like hostname bans alongside the usual IP bans instead of just IP bans. Blacklisting a whole CDN is a bad idea. It's like blacklisting Facebook just because a few bad apples used it to spread malware. Sure, you're solving the malware problem, but how many other problems are you creating in the process?

Regards,
Tom

[dazzagee]

EchoTom, on 15 April 2012 - 10:32 PM, said:

Possible solutions:

1) Disable CF on my website (hurtful to me)
2) Get my users to disable MBAM (hurtful to them)

The other option of course, is to right-click on the MBAM icon in the systray and select "Add to ignore list".

However, I agree with you comments about the problems that this black listing creates. It needs to be solves and I hope Malwarebytes will act quickly on this.

[EchoTom]

That could be the case also, but your average user couldn't be bothered to add an exception - they'd just disable it globally, which is a horrible idea, but that's what most would do. Mind you, since CF has multiple nodes, they'd have to do this almost every time they re-visit the site (see: round-robin DNS).

Some users even thought I was distributing malware on my site because it was blocked. Likewise, this will only make all parties involved look bad. I can only hope that both companies reach a consensus on this issue, or I'm afraid I'll have to bring my business elsewhere.

[fivealive]

Personally I trust mbam judgement on this issue I'd rather have a clean pc then an infected one. So even though these blocks are effecting one of the sites I visit ( won't visit it till this issue is fixed), even though the site loads and runs fine I'd rather be safe then sorry

[Jay12]

fivealive, on 16 April 2012 - 06:42 AM, said:

Personally I trust mbam judgement on this issue I'd rather have a clean pc then an infected one. So even though these blocks are effecting one of the sites I visit ( won't visit it till this issue is fixed), even though the site loads and runs fine I'd rather be safe then sorry

Unfortunantly your attitude is that of the masses. Its exactly what most people will do , and its sites like mine that feel the pinch becuase of this.
Im basically getting penalised because im using cloudflare. I choose to use cloudflare for a number of reasons, none of them malice.
Since Malware Bytes has blocked the ip`s i listed traffic to my site has dropped considerably and people assume my site is unsafe.

Innocent webmasters are being penalised due to a standoff as far as i can make out.

[fivealive]

Oh I understand where your coming from and I can simpathise but at the same time considering some of the nasty infections out their. Its better to be safe then sorry


And all we can do is hope that the issues at habd are fixed and resolved

[roeman]

The standoff is affecting our customer's experience as well because we do use cloudflare as a CDN. They *do* function as a CDN btw, "security" aside... they have a rather large number of edge servers that can simply host content more close to the requestor than we can.

I can absolutely understand how non-compliance can cause a standoff like this. I can also see how this could affect amazon's EC2 or S3 instances as well, but perhaps you've whitelisted those already.

Unfortunately our help desk is currently giving the instruction 'disable malware bytes' I love your software, though, and don't want users to lose out on it!

Thanks for considering whitelisting cloudflare's IPs so users can experience fast/secure content with a solid malware scanning tool.