RSA 2012: LulzSec As a CloudFlare Customer

The CloudFlare team was surprised when cyber-pranksters LulzSecurity signed up to take advantage of its services last year, Matthew Prince, CEO of CloudFlare said Feb. 28 at the RSA Conference in San Francisco. With LulzSec as a customer, CloudFlare had a unique insight into the group’s activities and also the opportunity to discover the security resilience of its infrastructure and operations, Prince said.

For a three-week period between May and June, CloudFlare’s infrastructure was under heavy bombardment by several groups and individual cyber-attackers intent on knocking LulzSec offline with their own distributed denial of service attacks, Prince said. The attacks included Layer 7 and Layer 3 /4 DdoS attacks, reflection attacks and IP scans. Some attackers figured out what switching and routing infrastructure was being used by CloudFlare and launched vendor-specific attacks on the router interfaces, according to Prince. Attack traffic peaked at 21 gigabytes on June 16, shortly after LulzSec had attacked several popular online gaming sites, including Minecraft, Prince said.

CloudFlare treated the experience, not as a nightmare, but as a learning experience, Prince said.

“You can’t pay for penetration testing like this,” Prince told attendees. “It was interesting.”

CloudFlare is a content delivery provider, much like the bigger and better known Akamai. The company operates 14 data centers worldwide and handles 30 million page views a month. LulzSec signed up for the free version of the service June 2.

LulzSec had gained notoriety less than a month previously with frequent and audacious attacks against high-profile targets that caused a lot of embarrassment for parties involved. The group was not out for financial gain and was launching attacks for entertainment. LulzSec ceased operations June 25.

Immediately after joining the network, the group began launching DdoS attacks against other sites, including Sony Pictures and the Central Intelligence Agency, Prince said. None of the actual hacking activity occurred within CloudFlare’s network, nor was any illegal content hosted on its sites.

With LulzSec as a customer, law enforcement agencies came knocking.

Prince declined to share specifics on the kind of information CloudFlare handed over, but said it complied with “valid subpoenas.”

After careful contemplation, CloudFlare chose not to cancel the group’s account. The company generally works with law enforcement if a botnet command and control server is identified within its distributed network environment but generally doesn’t terminate any accounts unless there is clear criminal activity such as distributing malware or offensive content, Prince said. Law enforcement also did not ask CloudFlare to stop doing business with LulzSec, according to Prince.

While users on the free service are required to provide only a valid email address, username and password, CloudFlare collects and stores limited amounts of information for each customer, Prince said. LulzSec used the same username on CloudFlare as the one used on Internet Relay Chat and once forgot to use multiple proxies to hide the IP address before logging in, he said.

CloudFlare privacy policies dictated Prince ask LulzSec permission to use the data gathered from the LulzSec account for his RSA discussion. “You have my permission – signed, Jack Sparrow,” read the response to Prince’s query.