When it comes to customer case studies, CloudFlare has one of the most unusual and dramatic I’ve ever heard.
Last summer, the LulzSec hacking group signed up its website for CloudFlare, drawing the website security service and accelerator company into one of the biggest cyber battles ever, as LulzSec created mayhem on the Internet while rivals and others tried to knock it offline. CloudFlare’s CEO and Co-founder Matthew Prince detailed the attacks in a presentation at RSA Conference 2012; I wasn’t able to attend, but he filled me in during a briefing at the show last week.
LulzSec registered for CloudFlare on June 2, 2011 after it a substantial DoS attack knocked its newly launched site — LulzSecurity.com — offline for 45 minutes, Prince said. “We had no idea who LulzSec was,” he said. As it turns out, the group had just published information it had allegedly stolen from Sony.
For the next 22 days, LulzSec waged battle on the Web as rivals and white hat hackers launched a volley of attacks against the group’s site. “It was like a gunfight and we were sitting in the middle of it,” Prince said.
The battle proved a mighty test for Palo Alto, Calif.-based CloudFlare, which protects websites against threats like DDoS, XSS and SQL injection attacks while also boosting site performance. “It was the most massive pen test ever,” Prince said. “We learned a ton from the fact that LulzSec was with us.”
He explained that CloudFlare’s system automatically looks for anomalies to detect attacks and once it does, adds protection for all the websites it protects. More than 250,000 websites, from Fortune 500 companies to individual blogs, use CloudFlare. Using the service doesn’t require any hardware installation, only a change to network settings to allow site traffic to pass through CloudFlare, which operates 14 data centers around the world.
“We’re like a smart, skilled router on your network,” Prince said.
The fact that LulzSec stayed online for the 22 days it was with CloudFlare illustrates the company’s core value proposition, Prince said. “Because we saw these threats our network got smarter,” he added.
Prince said CloudFlare never got a request from law enforcement to take LulzSec offline, but quickly added that it has no mechanism to do that anyway. He noted that CloudFlare wasn’t LulzSec’s hosting provider.
As to whether CloudFlare considered shutting off service for LulzSec – a group linked to a number of attacks on corporate government sites – Prince said his company’s role isn’t that of an Internet censor.
“There are tens of thousands of websites currently using CloudFlare’s network,” he said in a blog post last summer. “Some of them contain information I find troubling. Such is the nature of a free and open network and, as an organization that aims to make the whole Internet faster and safer, such inherently will be our ongoing struggle. While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published. That is a slippery slope down which we will not tread.”