Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer—including those who only use its free services—will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size.
Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. But the illegal practice has been a hallmark of digital activism since the 1990s. What will happen to it now?
Videos by VICE
Previously, customers who purchased less expensive plans from Cloudflare (or another security firm) were still vulnerable to larger scale DDoS attacks. Now, Cloudflare will utilize its resources to help everyone fight an attack, regardless of how much they pay.
DDoS attacks work by flooding a website with an overwhelming amount of internet traffic (often using a bot network), which knocks it offline. Security companies are capable of mitigating those attacks, but at a cost.
“The standard practice in the industry for some time has been to charge more if you come under attack,” Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often “fire you as a customer if you’re not sort of paying enough and you get a large attack,” he explained. “That’s kind of gross.”
Though illegal, groups like Anonymous and other hacktivists have argued DDoS attacks are a form of digital protest. Flooding a site with internet traffic, to them, is like filling a town square with people, or holding a sit-in. Knocking a website offline is seen as akin to physically preventing people from entering a building. DDoS attacks have been used to protest everything from a country’s nuclear policy to the Church of Scientology.
Prince agreed that Unmetered Mitigation has the power to render DDoS an activist tool of the past. It “will make DDoSing people not an effective protest mechanism,” he told me. “The best way to counter speech is with more speech not with silencing or censoring someone.”
Of course, DDoS attacks have also been used to advance far less sympathetic causes. Last year for example, an incredibly powerful DDoS attack took down the website of Brian Krebs, a cybersecurity journalist. Opponents of DDoS attacks say they’re not a tool for protest—they’re a weapon for silencing speech. Governments have largely agreed, and have thrown hackers behind DDoS attacks in prison.
Prince sees the playing field of DDoS attacks as fundamentally uneven. “We should not create a system of vigilante justice where a single individual—because they are upset with someone—can shut them down,” he said. “What we are trying to do is say ‘regardless of what your resources are, we will keep you online.’”
He has a point: Most corporate giants like Facebook have invested enough in security that they are unlikely to be affected by a DDoS attack. Smaller organizations and individuals have historically been far more at risk.
Free speech and a focus on neutrality have always been at the core of Cloudflare’s vision since the company was founded seven years ago—but that ethos has garnered criticism from journalists and activist groups. The firm has come under fire continuing to offer its services to racist websites, a practice which critics perceive as immoral.
“I think at last count we were up to 3,500 different organizations that various people had insisted we fire as customers,” Prince told me. He said they range from far-left and far-right organizations to “things that are just gross.” Cloudflare has even protected the websites of DDoS perpetrators, while selling services to mitigate them.
In the past, Prince has largely disregarded concerns over what websites his company has chosen to serve. He refuted critics by explaining that Cloudflare is a security firm, not a hosting service, and therefore shouldn’t be responsible for what content its clients choose to publish. Following another controversy last month however, in which Cloudflare did drop a customer specifically for its editorial decisions, Prince is feeling more introspective.
In the wake of a violent white supremacist march in Charlottesville, Virginia, Cloudflare (along with other tech organizations) dropped the Daily Stormer, a neo-Nazi website, as a customer. Both Prince and advocates of free speech online, like the Electronic Frontier Foundation, saw the move as setting a dangerous precedent for how the internet should be moderated. “This was my decision, I don’t think it’s CloudFlare’s policy and I think it’s an extremely dangerous decision in a lot of ways,” Prince told the Verge at the time.
Prince told me that his company hasn’t yet worked out a policy to handle customers like the Daily Stormer in the future, but he did say Cloudflare is still committed to neutrality.
“Based on where we are and based on ideas of due process it still makes sense for us to be sort of a neutral platform,” he said. Allowing anyone to fight DDoS attacks, Prince thinks, is part of that vision.
“We can now absorb anything that the internet throws at us,” he said. DDoS attacks are going to become “something you only read about in the history books.”