Behind the scenes at LulzSec: no laughing matter
Imagine you’re the CEO of an Internet security start-up. Now imagine one of the world’s most notorious hacker groups signs up for your service, to help protect their own website from attacks. What do you do?
That’s exactly the dilemma Matthew Prince, CEO and founder of CloudFlare, faced in June 2011. LulzSec — short for Lulz Security — was a hacker collective formed in May 2011 which quickly achieved infamy by hacking the Fox Network and PBS and publishing portions of their private data.
When LulzSec launched its own site in June, it was immediately attacked in retaliation and brought down within 45 minutes by a distributed denial-of-service attack (DDoS). The hackers signed up for CloudFlare — which specialises in deflecting these kinds of attacks — and their site was quickly back online.
“The only time they were offline after that point was when they supplied us with an invalid Internet Protocol address,” explains Prince with a wry smile, speaking at this year’s South by South West (SXSW) Interactive festival.
For the next 23 days, everyone from government agencies to “white-hat” hackers deluged the site, trying to figure out where LulzSec was hosting its content — which by now included millions of user records stolen from the Sony.com site. “We literally sat in the crossfire of that,” says Prince.
For CloudFlare, the experience was both a blessing and a curse. Its basic service, which LulzSec used, is entirely free. “LulzSec didn’t pay us a cent, but they gave us a lot of pain,” quips Prince, getting a hearty laugh from his audience.
Lulzsec did, in fact, offer to pay for CloudFlare’s services via Twitter, asking for a premium membership “in return for rum“. “It depends on what kind of rum, and how much,” responded Prince. “I have since been advised by council to delete that tweet,” he says with an impish grin.
Despite the pain caused by the experience, which included many sleepless nights for his small team, Prince still sees it as a positive experience. “This turned out to be the kind of pentesting (penetration testing) that money can’t buy. We generated over a million new rules based on these attacks.” These rules now help CloudFlare fight off similar attacks on other sites it services.
If you think a security company working for hackers is bizarre, the on-the-job training it did in unwitting preparation for the LulzSec incident was even more wacky. Soon after it launched in June 2009, CloudFlare started to get lots of sign-ups from Turkish escort agencies.
Prince explains that they soon learnt the reason for this unexpected trend. “While Turkey’s government is secular and tolerant, many people in Turkey are not, and they see these escort agencies as emblematic of everything that’s wrong in their society. So the sites were frequently attacked and brought down. That’s where we came in.”
So, in essence, LulzSec benefited directly from efforts by conservative Turks to stop their louche countrymen from visiting escorts. And that, for Prince, is the beauty of CloudFlare’s model. By sharing the lessons learnt from one attack with the entire network, everyone can benefit and be better protected.
How does CloudFlare work? At the simplest level it’s a “reverse proxy” — all traffic to your sites is routed via their systems, which allows the company to see attacks coming and mitigate against them. This “light touch” model allows it to process huge amounts of traffic — 80bn page impressions per month or 1bn per employee. Prince estimates that 25% of all Web traffic travels through CloudFlare at some point.
But why is Prince daring to reveal these secrets, and possibly bring the wrath of the hacker community down on CloudFlare? He asked them first, of course, and eventually received a laconic e-mail: “You have my permission. — Jack Sparrow.”
On the topic of whether CloudFlare should have blocked LulzSec from using its services, Prince is quite philosophical. “We’re not going to play the censor — it’s not our role.” For Prince that kind of thing represents a “slippery slope” that he feels services like CloudFlare should avoid at all costs.
And what of LulzSec? The hacker collective dissolved just as quickly as it formed, announcing on 26 June 2011 that it was ceasing operations. For Prince the turning point was obvious “when LulzSec knocked Minecraft offline, public sentiment turned against them. Don’t mess with the gamers.” — Alistair Fairweather, TechCentral