Hacker News

> That surprises me, given the time and effort they spend mitigating fraud and abuse

What time? What mitigations?

Cloudflare will proxy anything and then tell you "we're just a proxy, so we won't do anything lol" when you report anything other than cf pages. Doesn't matter if it's terror groups, animal torture, piracy, doxing, far right groups, etc.

I have personally submitted abuse reports and seen that absolutely nothing happens.

Oh and also the amount of abuse I see from people using Cloudflare Warp is also very high.



Depends on what you're trying to achieve, I think.

Cloudflare's policy is that if there's ToU-violating content being served through a Cloudflare-proxied domain, you can report it to request de-anonymization of the domain, so that you can then reach out to the actual host.

I've reported Cloudflare-proxied phishing-site clones of my company's website to Cloudflare, and they've usually come back to me with a pointer to the upstream-origin's ASN/ISP to reach out to within a few hours.


> the amount of abuse I see from people using Cloudflare Warp is also very high.

More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?

That's quite surprising, since Cloudflare makes no such promises and markets Warp as a security/performance improvement tool, not an anonymity-providing one. I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.


> More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?

Yes, because it is a free service, an easy and free way to just hide your IP address. You don't even need an account.

> I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.

Correct, this used to be the case, but no longer is as far as I can tell. But even with that, it was an issue for non-Cloudflare websites and services that are being attacked that aren't HTTP(S) (e.g. SSH).


Ah, I haven't been following it closely. Thank you! Just found a blog post on that architectural change: https://blog.cloudflare.com/geoexit-improving-warp-user-expe...

Are they responsive at all to abuse notifications about their VPN users? Presumably the only thing they could even do is to block an upstream IP address, given that it doesn't require an account.


They've definitely refused to help far right sites and sites like Kiwi Farms.


Yeah, because of the pressure after it all blew up. They even said in their own blog post that it was an "extraordinary" decision and did not believe terminating them was appropriate.

Kiwi Farms used their services for at least 6 years before anything happened.


And all that pressure was for naught because it's still available right on the clearweb :'(


Is it? Currently giving 502 Bad Gateway. Seems like they're having hosting troubles.


Yes, outage right now.


It wasn't.


I was thinking particularly about the DDoS protections they advertise (and explain in lovely technical posts on this site). So you're saying that they protect their network from others, whilst disregarding harms their clients cause to others. That was something I was missing, so I thank you.


Before Cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites. Back when CDNs were all "call for pricing" affairs.

Cloudflare had the insight that the more DDoS-for-hire services there were out there, the greater the demand for their services. Offering free DDoS protection to DDoS-for-hire services helps keep customers coming back for more.


> Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites.

I mean, you don't need websites to advertise. Most DDoS-for-hire services back before 2009 advertised on IRC, NNTP, via ads in .NFO files found in warez releases found on Kazaa and BitTorrent, and so forth. (Some of the very tech-headed ones had Freenet sites.)



