A familiar debate is surrounding Cloudflare, a content delivery network that provides free services protecting websites from denial-of-service (DDoS) attacks by masking their hosts. The question is: Is Cloudflare a bastion of free speech or an enabler of spam, malware delivery, harassment, and the very DDoS attacks it claims to block?
Cloudflare has taken a hands-off approach to moderating the enormous traffic flowing through its infrastructure. With Cloudflare delivering 16% of global Internet traffic, processing 57 million web requests per second, and serving anywhere from 7.6 million to 15.7 million active websites, this decision has sparked intense disagreement.
Spamhaus, a nonprofit organization fighting spam, phishing, malware, and botnets, recently criticized Cloudflare for providing services to 10% of the domains listed in its domain block list, and serving sites with over 1,200 unresolved complaints regarding abuse. Spamhaus found it easy to find Cloudflare-protected websites openly advertising services like bulletproof hosting to cybercriminals.
Cloudflare maintains that it’s not responsible for moderating or policing the content or behavior of those using its “pass-through” services, which streamline delivery and prevent outages caused by DDoSes. Unlike web hosts, Cloudflare doesn’t host material, and unlike media sites and search engines, it shouldn’t be responsible for investigating reports of abuse.
Cloudflare’s abuse policy states that infrastructure services should generally be made available in a content-neutral way, especially those protecting users from cyber attacks. This has irked critics, who argue that this approach absolves Cloudflare of responsibility for making harmful content and services readily available.
Source: https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/