CloudFlare Speaks Out About Their Experience Hosting LulzSec


“You have my permission. — Jack Sparrow”

That’s what a representative of LulzSec told CloudFlare CEO Matthew Prince when he asked permission to tell the tale of rough water and a siege on the cyberseas that resulted from his company protecting the website of the now-infamous hacker group.

In June 2010, during the heyday of these Internet hackers and malicious pranksters, LulzSec used CloudFlare’s free Internet service to protect their leaks website from prying eyes and attempted DDoS attacks. Prince’s company provides a free, cloud-based solution that enhances the stability of websites by caching the pages across multiple servers spread out over the Internet that accelerates the load times, reduces latency, makes them more difficult to wash away with DDoS attacks, and even obfuscates the original server (enhancing site privacy)—all using cloud-based technology and DNS records.

When LulzSec took advantage of this service, CloudFlare came under intense scrutiny from the public for “protecting a notorious hacker group” and also massive cyberattack from other hackers who disliked what LulzSec were up to. Prince and CloudFlare stood up to all the criticism and refused to disconnect LulzSec as they had not broken the company’s terms of service and, as Prince noted, CloudFlare is not in the censorship business.

Prince is cited in an article on for a talk he gave at the RSA Conference, Tuesday, February 28th 2012, where he spoke about the experience of protecting LulzSec with their service,

“Every type of hacker was trying to find out where LulzSec was posted and how they can knock them offline,” Prince explained in a RSA Conference talk on Tuesday in which he detailed the story.

During the time CloudFlare provided services to LulzSec, they saw a myriad of attacks from all over the globe that ranged from Layer Seven attacks that Prince described as “harmless,” to one he termed as “clever” — an IP scan and attack on CloudFlare’s router interfaces. None were successful in taking down LulzSec.

The peak day, according to Prince, was on June 16th when they saw 21 gigabytes of attack traffic. It was shortly after LulzSec had taken down several popular gaming sites, including Minecraft.

“You can’t pay for pen testing like this. Once we realized we were going to survive, it was actually kind of a fun experience for us,” said Prince.

In every statement about allowing LulzSec to use their free service, CloudFlare has been pointed about mentioning that while they had received queries from law enforcement—they had never been asked by any authority to terminate service. Of course, the company had very little information to provide about their free client because all that’s needed to sign up is an e-mail address, a username, and a password.

Prince describes the experience as causing several existential crises for his colleagues, after all, who wants to be described as the person who provided anonymity to a group of hackers? Still, in the end, they decided that it was not their job to act as censors when housing information on hacking subjects itself is not illegal.

He went on that CloudFlare does act in cases of people distributing malware, conduct phishing, or hosting child pornography—all of which are horribly illegal and immoral. However, beyond that, his company takes little heed to the content of the sites that they protect.

In recent history, CloudFlare also joined in with the protest against the censorship bills SOPA and PIPA by providing their clients the ability to “self-censor” their websites with an app that provided information about the bills.