Jay12

My site using cloudflare is being blocked

45 posts in this topic

The security they provide isn't actually what it seems, all they do is provide a layer between the server and the visitor/attacker, and a savvy attacker can bypass that completely if they wish, by going directly to the server itself. In this respect, CloudFlare have more in common with a simple DNS provider, than an actual CDN. However, as soon as they start ignoring abuse by their own customers, they must be held accountable, regardless of what they provide, just as we hold hosting companies responsible.

Interesting - so do I take it that irrespective of the lack of cooperation in this case you do not "believe" in their marketing that they are actually providing security apart from speed enhancements?

Cloudflare does not provide protection for end users. They are not a service for end users. They are a service for website owners and they claim to provide a limited form of protection for website owners.

The security they provide isn't actually what it seems, all they do is provide a layer between the server and the visitor/attacker, and a savvy attacker can bypass that completely if they wish, by going directly to the server itself.

Cloudflare doesn't claim to offer a firewall against targeted attacks. It simply reduces the number of nasty bots draining resources, probing for security holes, and scraping e-mails. An attacker that is specifically targeting a website can bypass Cloudflare as you say, but 99% of unwanted bots and crawlers won't bother with that, so it is a useful service. It is also free and trivial to use. It has saved me considerable time compared to setting up and maintaining similar protections manually. I know because I've manually set up automated rogue bot detection and blocking before. I only use Cloudflare on my smaller and less vital sites because it is too automagical for my most important ones.

While I appreciate your position on security, it seems to me that with all pros and cons totaled up, your all-or-nothing approach is on the wrong side of things. It is harming both innocent website owners and web users. What if we were talking about a larger CDN? How many CDN blocks will it take before the software starts to become unusable?

It also appears to me that you may be trying to bully Cloudflare into becoming a cyber police. They have a free and open service. That is asking for a lot. What next? Start blocking whole IP blocks, or entire hosting companies, or even countries, for failing to police their users to your satisfaction?

Perhaps there is an intermediate level of warning that can be provided, informing the user that the current web address is not known to host malicious content but its IP address is associated with other sites that do, so extra caution should be exercised.


Cloudflare doesn't claim to offer a firewall against targeted attacks. It simply reduces the number of nasty bots draining resources, probing for security holes, and scraping e-mails.

I know, that's pretty much what I said.

While I appreciate your position on security, it seems to me that with all pros and cons totaled up, your all-or-nothing approach is on the wrong side of things. It is harming both innocent website owners and web users. What if we were talking about a larger CDN? How many CDN blocks will it take before the software starts to become unusable?

If we were talking about a larger company and they were willingly refusing to put a stop to abuse they were notified of, then it would be the same discussion and the position would be the same - but we're not, so that's irrelevant.

It also appears to me that you may be trying to bully Cloudflare into becoming a cyber police. They have a free and open service. That is asking for a lot. What next? Start blocking whole IP blocks, or entire hosting companies, or even countries, for failing to police their users to your satisfaction?

Not trying to bully them at all, simply trying to get them to do their job and enforce their AUP, just as is required for all other service providers. I don't believe that is asking a lot, quite the opposite. Indeed, by finding this stuff, we already do part of their job for them (they should already be monitoring those using their service for signs of abuse). The fact they're providing a free service means we shouldn't ask them to look after it?

Perhaps there is an intermediate level of warning that can be provided, informing the user that the current web address is not known to host malicious content but its IP address is associated with other sites that do, so extra caution should be exercised.

Not sure how that would be much different, if users are notified of potential abuse, but the program doesn't stop it when it knows there's a risk - who are they then going to complain to? (I already know the answer, so no need to answer this).


I have been following this thread and the abuse requests submitted by Malwarebytes. CloudFlare is committed to ensuring that malware is not distributed through our network. We appreciate when organizations like Malwarebytes report sites on our network that are being used to infect systems. When we receive such reports, we currently remove the sites from our network. That's somewhat unsatisfying since, as a pass-through network as opposed to a host, just eliminating the site from our network doesn't actually block the malware distribution.

Going forward, we are working with organizations such as StopBadware to implement a way to block the requests for infected pages and other resources and replace those requests with information for the visitor on the threat of malware and what they can do to protect themselves. We're excited to work with responsible malware reporting companies in order to help both limit malware distribution and inform web surfers of the risk. We're finishing up the final tests of the new system and will have it online in the coming weeks.

Unfortunately, the new system is unlikely to resolve the current controversy which is more political than technical in nature. The current controversy involving Malwarebytes blocking CloudFlare IPs is centered around one site. To be clear, this site does not distribute malware itself and visiting it will not infect your computer. It does, however, provide information on how to create malware. Philosophically, we believe there is a difference between distributing malware -- which we will prohibit through our network -- and distributing information about malware. We do not believe our role is to play censor to any information on the Internet, even information we find disturbing. Publishing the Anarchists Cookbook does not make you a terrorist. Blocking sites based on the information they contain, as opposed to the actual harm they do, takes a step down a slippery slope I find deeply troubling.

Do note that Malwarebytes could provide a mode for its customers to block sites that have information the company objects to. If they wanted to do so, the responsible method would be to block based on the site's domain. This would accomplish Malwarebytes' political goal of removing access to the information without causing false positives.

We will welcome and promptly respond to reports of actual malware being distributed through our network from Malwarebytes or other organizations. On the other hand, we will not remove sites merely because someone objects to the information they contain. That is not our role, and we don't believe it is the role most customers have hired Malwarebytes for either.

Sincerely,

Matthew Prince

Co-founder & CEO, CloudFlare, Inc.

@eastdakota (Twitter)


It's not centered around one site at all; the block stemmed from a refusal to suspend sites involved in drive-bys (indeed, I specifically asked if the stance had changed prior to implementing the block, and only got a different answer after the block was in place, and even then, it included a refusal to suspend the sites involved, despite evidence being provided).

This is also not political at all. It's about your company not enforcing its AUP (the fact that your company partners with known criminal hosts (i.e. quite a few of those "partners" you've got listed on your site are well-known blackhat hosts from the likes of hackforums.net) just makes it worse).

It also has nothing to do with a site "providing information". One of the sites involved is dedicated to Java drive-bys, and doesn't just "provide information" on such, as you'd have seen had you looked at the evidence sent (i.e. the pcap). This site's services are something you're fully aware of, given I've mentioned the site in question on previous occasions.

As for this;

When we receive such reports, we currently remove the sites from our network. That's somewhat unsatisfying since, as a pass-through network as opposed to a host, just eliminating the site from our network doesn't actually block the malware distribution.

1. No, you don't. You've refused to suspend the sites' accounts. All you've done is block a few URLs (which you were warned wouldn't work; they'd just switch to new ones, something they did a couple of days later).

2. I don't care if you consider suspending your clients "unsatisfying". Suspending their accounts blocks access at least until they change their NS, which is far better than leaving it live, and your attempt to use that argument is absolutely abhorrent. Should we also not ask hosts/registrars to terminate accounts, simply because they can just move it elsewhere?


I have posted on another thread that I am also having problems with accessing cloudflare IPs:

173.245.60.137 restyletimeline.com (173.245.60.52 also comes up when I try to access this web site).

After reading the (other) thread about freewaregenius.com (173.245.60.118) I also tried that link and it is still being blocked.


There are better ways to deal with this problem.

I recommended Malwarebytes to multiple users of my website, which happens to utilize Cloudflare for load-balancing, (some) spam protection and resource caching. They liked it so much that they bought it, enabling the protection and blacklist module.

Now, I have received reports from those multiple people that my site was inaccessible.

Possible solutions:

1) Disable CF on my website (hurtful to me)

2) Get my users to disable MBAM (hurtful to them)

The longer that this predicament exists, the longer that both companies look unprofessional.

Perhaps there are better blacklisting techniques that could be utilized by MBAM, like hostname bans alongside the usual IP bans instead of just IP bans. Blacklisting a whole CDN is a bad idea. It's like blacklisting Facebook just because a few bad apples used it to spread malware. Sure, you're solving the malware problem, but how many other problems are you creating in the process?

Regards,

Tom


Possible solutions:

1) Disable CF on my website (hurtful to me)

2) Get my users to disable MBAM (hurtful to them)

The other option of course, is to right-click on the MBAM icon in the systray and select "Add to ignore list".

However, I agree with your comments about the problems that this blacklisting creates. It needs to be solved and I hope Malwarebytes will act quickly on this.


That could be the case also, but your average user couldn't be bothered to add an exception - they'd just disable it globally, which is a horrible idea, but that's what most would do. Mind you, since CF has multiple nodes, they'd have to do this almost every time they re-visit the site (see: round-robin DNS).

Some users even thought I was distributing malware on my site because it was blocked. Likewise, this will only make all parties involved look bad. I can only hope that both companies reach a consensus on this issue, or I'm afraid I'll have to bring my business elsewhere.

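An added example, not code from this thread or from Malwarebytes or CloudFlare, to show the two points Tom and the reply above are making: with an IP-only blocklist, every site that shares a CDN edge address is blocked along with the abusive one, and a single-IP ignore-list entry stops working as soon as round-robin DNS hands back a different edge address on the next visit, whereas a hostname-based list has neither problem. All hostnames, addresses (RFC 5737 documentation ranges) and the resolver behaviour are constructed for the example.

```python
"""Constructed demonstration: IP-based vs hostname-based blocklists on a shared CDN.

Every hostname and address below is made up (RFC 5737 documentation ranges);
nothing here is taken from the thread or from any real blocklist.
"""
import itertools
from typing import Dict, Iterable, List

# Constructed: two unrelated sites share the same CDN edge addresses, and the
# resolver hands out a different one on each lookup (round-robin DNS).
CDN_EDGE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
DNS_RECORDS: Dict[str, List[str]] = {
    "driveby.example": CDN_EDGE_IPS,         # constructed: the abusive site
    "innocent-shop.example": CDN_EDGE_IPS,   # constructed: unrelated site on the same CDN
    "selfhosted.example": ["198.51.100.7"],  # constructed: not behind the CDN at all
}

# Constructed blocklists. The hostname list also covers subdomains of each entry.
BLOCKED_HOSTS = {"driveby.example"}
# What an IP-only blocklist of the abusive site turns into: the whole edge set.
BLOCKED_IPS = set(CDN_EDGE_IPS)


class RoundRobinResolver:
    """Returns the next address in the record set on each lookup, like round-robin DNS."""

    def __init__(self, records: Dict[str, List[str]]):
        self._cycles = {host: itertools.cycle(ips) for host, ips in records.items()}

    def resolve(self, host: str) -> str:
        return next(self._cycles[host])


def host_matches(host: str, blocked_hosts: Iterable[str]) -> bool:
    """True if host equals a blocked name or is a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    for blocked in blocked_hosts:
        blocked = blocked.lower().rstrip(".")
        if host == blocked or host.endswith("." + blocked):
            return True
    return False


def verdict_by_ip(host: str, ip: str, blocked_ips=BLOCKED_IPS) -> str:
    """IP-only policy: the hostname is ignored, only the resolved address counts."""
    return "blocked" if ip in blocked_ips else "allowed"


def verdict_by_host(host: str, ip: str, blocked_hosts=BLOCKED_HOSTS) -> str:
    """Hostname policy: the resolved address is irrelevant, only the name counts."""
    return "blocked" if host_matches(host, blocked_hosts) else "allowed"


def compare_policies(records=DNS_RECORDS, visits: int = 3) -> Dict[str, Dict[str, List[str]]]:
    """Resolve each host `visits` times and record what each policy decides per visit."""
    resolver = RoundRobinResolver(records)
    results = {}
    for host in records:
        by_ip, by_host = [], []
        for _ in range(visits):
            ip = resolver.resolve(host)
            by_ip.append(verdict_by_ip(host, ip))
            by_host.append(verdict_by_host(host, ip))
        results[host] = {"by_ip": by_ip, "by_host": by_host}
    return results


def ignore_entry_survives_revisits(host: str, ignored_ip: str,
                                   records=DNS_RECORDS, visits: int = 3) -> List[str]:
    """Simulate a user who added one blocked IP to an ignore list under the IP-only
    policy: is the site still reachable on repeated visits? Returns per-visit outcomes."""
    resolver = RoundRobinResolver(records)
    outcomes = []
    for _ in range(visits):
        ip = resolver.resolve(host)
        if ip in BLOCKED_IPS and ip != ignored_ip:
            outcomes.append("blocked")
        else:
            outcomes.append("reachable")
    return outcomes


if __name__ == "__main__":
    for host, verdicts in compare_policies().items():
        print(f"{host:24s} by_ip={verdicts['by_ip']} by_host={verdicts['by_host']}")
    print("ignore one IP, revisit innocent-shop.example:",
          ignore_entry_survives_revisits("innocent-shop.example", "192.0.2.10"))
```

The hostname check matches subdomains as well, so an operator who moves an abusive page from one subdomain to another on the same zone stays blocked without the list having to change, which is exactly the case the IP-only list can only handle by blocking the whole CDN.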

Personally I trust MBAM's judgement on this issue; I'd rather have a clean PC than an infected one. So even though these blocks are affecting one of the sites I visit (won't visit it till this issue is fixed), even though the site loads and runs fine, I'd rather be safe than sorry.


Personally I trust MBAM's judgement on this issue; I'd rather have a clean PC than an infected one. So even though these blocks are affecting one of the sites I visit (won't visit it till this issue is fixed), even though the site loads and runs fine, I'd rather be safe than sorry.

Unfortunately your attitude is that of the masses. It's exactly what most people will do, and it's sites like mine that feel the pinch because of this.

I'm basically getting penalised because I'm using Cloudflare. I chose to use Cloudflare for a number of reasons, none of them malice.

Since Malwarebytes has blocked the IPs I listed, traffic to my site has dropped considerably and people assume my site is unsafe.

Innocent webmasters are being penalised due to a standoff, as far as I can make out.


Oh, I understand where you're coming from and I can sympathise, but at the same time, considering some of the nasty infections out there, it's better to be safe than sorry.

And all we can do is hope that the issues at hand are fixed and resolved.


The standoff is affecting our customers' experience as well because we do use Cloudflare as a CDN. They *do* function as a CDN btw, "security" aside... they have a rather large number of edge servers that can simply host content closer to the requestor than we can.

I can absolutely understand how non-compliance can cause a standoff like this. I can also see how this could affect amazon's EC2 or S3 instances as well, but perhaps you've whitelisted those already.

Unfortunately our help desk is currently giving the instruction 'disable Malwarebytes' :( I love your software, though, and don't want users to lose out on it!

Thanks for considering whitelisting cloudflare's IPs so users can experience fast/secure content with a solid malware scanning tool.


Amazon aren't whitelisted, but unlike this case, they actually deal with abuse and suspend the clients responsible.

Instead of disabling Malwarebytes, a better solution if access is required, is to have the users add the IP to the ignore list (right click the tray icon when the block occurs, and select "Add to ignore list").


Amazon aren't whitelisted, but unlike this case, they actually deal with abuse and suspend the clients responsible.

Instead of disabling Malwarebytes, a better solution if access is required, is to have the users add the IP to the ignore list (right click the tray icon when the block occurs, and select "Add to ignore list").

I actually think the better solution would be to reach a solution without end users having to worry.


Unless CloudFlare change their position, there isn't a better solution that isn't potentially going to adversely affect users unfortunately.


Hey guys, I just wanted to step in here for a second and kind of summarize things so far, as well as give you guys an idea of what's going on behind the scenes.

This is a very, very tough situation. On the one hand we have a group of websites, hosted through CloudFlare, that are actively pushing drive-by exploits. What this means is that people who go to those sites are getting exploited and potentially have no way of knowing this. On the other hand we have a lot of innocent websites which are doing nothing wrong, but are caught in the crossfire.

This is a situation we have some experience with. We at Malwarebytes use Edgecast for content delivery, a service somewhat similar to CloudFlare, in that they distribute our main page to various nodes all over the world for easier delivery. We also use a multitude of other CDNs for delivering updates, and sometimes they get blocked and we're caught in the crossfire as well. It's a sucky situation.

Of course, we're also on the other side of this: we do the blocking when we need to. What most people don't see is the huge amount of effort we put in to keep people from being blocked. The vast majority of people pushing malware out do so without knowing or intending to; something as simple as an outdated WordPress install can be the vector by which an innocent site gets used to push malware. We also know that a lot of people use CDNs or shared hosts, so blocking one site could mean blocking far more.

We work with a lot of CDNs and webhosts to keep them off blacklists, and we always email the abuse teams before adding them. Nine times out of ten the malware gets removed within hours of our email, and no blacklisting is required. Unfortunately there are cases where simply removing the malware isn't enough; not all websites are innocent. Some people are actually pushing the malware on purpose, so when the third party host (such as the CDN or shared web host) removes the offending URL, the people running the site simply change the URL being used. In this case we try to work with the providers to fix the issue, but if that is unable to happen we blacklist the URL.

Now, I want to be very clear about something- we do not blacklist information. We are not censors- knowing how to make malware is not in itself a bad thing. If it wasn't for people learning these skills, we wouldn't have researchers protecting our users. We will not block someone just for posting information. We won't even block people for hosting malware if they're doing it safely. The thing we block is people hosting active exploits or active malware that will infect users without their knowledge.

Unfortunately this CloudFlare situation has escalated further than I think anyone intended. We have a lot of respect for CloudFlare. I met Matt at DefCon last year, where he gave a fantastic talk about dealing with the Slowloris attack, as well as the challenges of hosting an activist group like LulzSec. I feel a lot of what's going on right now is more miscommunication than anything, but from my understanding Marcin and Matt are now in direct contact and this should be resolved soon.

I know this is not an ideal situation, but I assure you everyone involved is doing what they feel is right to protect their users and there is no malicious intent here. We're working as quickly as we can to get this current issue resolved, and I'm hoping this will be a learning experience for future issues. We'll have an update with more information soon.


Glad to hear this is being worked on and we are going to get an answer soon.
