RSA 2012: Cloud Service Provider Gets Caught In LulzSec Crossfire

CloudFlare, a provider of content delivery and security services, was thrust into the spotlight last June after the shadowy hacktivist group Lulz Security signed up for its service and used it to wreak havoc on several corporations and government agencies.

For a three-week period, CloudFlare's infrastructure was targeted by hackers of various stripes looking to knock LulzSec offline. Nightmarish though this experience may sound, it actually gave CloudFlare valuable insight into the security resiliency of its infrastructure and operations, according to Matthew Prince, CEO of San Francisco-based CloudFlare.

"It was interesting … you can't pay for penetration testing like this," Prince said Tuesday in a presentation at RSA 2012 in San Francisco. "It was a motivating experience because you had white hats and penetration testers trying to find vulnerabilities in our network. We treated it as a learning experience."

CloudFlare runs a distributed content delivery network which uses 14 data centers worldwide and handles some 30 billion page views a month. LulzSec signed up for service June 2 and immediately began launching distributed denial of service attacks (DDoS) on other Web sites, including Sony Pictures and the CIA, finally stopping its campaign on June 25.

While most of the hacker attacks against CloudFlare used run-of-the-mill tactics, there was evidence that someone had figured out what switching and routing infrastructure CloudFlare uses and launched vendor-specific attacks on its router interfaces, Prince said.

LulzSec didn't launch its attacks through CloudFlare's network, and instead used seven different hosts over the 23 days, including hosts in Malaysia, Canada, the U.S. and Germany. Still, after the attack that took down the CIA's Web site, Prince acknowledged that frustrated authorities quickly came looking for answers.

CloudFlare, after careful contemplation of the LulzSec situation, decided not to cancel the hacktivist group's account. "This was a little bit of an existential crisis for us," Prince said. "We wondered, 'Is this who we want to have on our network?'"

While CloudFlare doesn't host anything directly, if a botnet command-and-control server is identified on its network, the company works with law enforcement and other organizations to prevent pages with malicious or illegal content from being distributed, Prince said. Yet in some cases, he said, terminating a client actually diminishes CloudFlare's ability to control how their pages flow through its network.

In fact, unless a user is running a phishing operation or distributing malware or child pornography, CloudFlare won’t kick them off the network, said Prince.

Ironically, because of CloudFlare's privacy policy, Prince had to ask LulzSec for permission to use the data his company gathered in the wake of the 23-day campaign for his presentation at RSA. After sending an e-mail to the address listed on the LulzSec account, Prince received the following reply:

"You have my permission - signed, Jack Sparrow."