
RSA Conference 2012: CloudFlare’s three weeks with LulzSec


The approximately 25 days during which a San Francisco security company counted hacktivist collective Lulz Security as a customer proved to be an unexpected litmus test for the then-less-than-one-year-old start-up.

Matthew Prince, CEO of CloudFlare, a cloud-based vendor that helps protect websites against distributed denial-of-service (DDoS) attacks, offered a candid glimpse Tuesday into his company's involvement last June with LulzSec.

During a talk at the RSA Conference in San Francisco, Prince said that when LulzSec signed up for the free version of CloudFlare on June 2, he didn't know anything about the group, which had compromised television network PBS only days earlier and, over the next several days, would target Sony Pictures and the FBI's InfraGard. The group's website, which featured details about its hacks, became incredibly popular, generating millions of page views per day.

But Prince said it also became an attractive target for ethical hackers, often referred to as white-hats, as well as competing criminal groups. Prince said his service was hit with an array of attacks designed to knock the group's website, which is no longer operational, offline. Those included Layer 7 and Layer 3/4 DDoS attacks, reflection attacks, and IP scans and attacks on router interfaces.

In short, Prince said, external parties were searching for any weakness or vulnerability in CloudFlare, and thanks to its 14 global data centers, the company was, for the most part, able to respond without any disruptions in service.

"You couldn't pay for pen testing like this," said Prince, a former ski instructor and lawyer who also co-created Project Honey Pot, an open-source project designed to identify spammers and spambots. "It was a learning experience."

But it wasn't just digital attackers with whom he had to deal. Providing services for an organization like LulzSec also netted law enforcement interest.

"We made lots of friends with some three-letter agencies during this time," Prince said laughing.

He was tight-lipped about exactly which information the company provided to authorities, saying it complies with "valid subpoenas."

But he did say that CloudFlare collects and stores limited amounts of information from its customers. When they sign up, users are asked to provide only an email address, username and password. And LulzSec never used the site's premium service, so no money ever changed hands.

However, during its interaction with CloudFlare, LulzSec appears to have tripped up and provided some help to law enforcement trying to hunt them down, Prince said. For one, the username it provided when signing up was the same as a username being used in an Internet Relay Chat (IRC) room that authorities had been monitoring. Also, the group typically logged in from IP addresses that were routed through other countries, but in one case, the sign-on came from a DSL modem based in the U.K.

Roughly a month after LulzSec ceased operations, a key member of the group, known as Topiary, was arrested in the Shetland Islands, off the northeast coast of Scotland.

To this day, Prince said CloudFlare's dealings with LulzSec made his company more secure, and he has no regrets about LulzSec being a customer. He said the site wasn't distributing malware, phishing scams or child pornography -- which CloudFlare has strict policies against.

"We don't play censor," he said, adding that at no time did law enforcement ask CloudFlare to stop doing business with LulzSec.

"I'm not sure what we would've done in that case," he said.
