CloudFlare: How we got caught in LulzSec-CIA crossfire

Web resilience company CloudFlare, used by LulzSec to protect itself as it launched a series of high-profile attacks last year, has given details about how it was caught between the hacking group, counter-hackers and US intelligence agencies.

The attacks in June 2011 led to efforts by black-hat hackers to take down LulzSec's website for kudos, and by other hackers to go after it for what they said were ideological reasons, CloudFlare said on Tuesday.

The head of web-resilience firm CloudFlare has described how its work for LulzSec in summer 2011 put it in the 'crossfire' of hackers and the CIA. Image credit: LulzSec

"As you all know, [LulzSec] wreaked mayhem for 23 days," CloudFlare's chief executive Matthew Prince told an audience at the RSA Conference 2012. "They weren't attacking us, but it turned out everyone from three-letter agencies to white-hat hackers and black-hat hackers spent the next 23 days trying to discover where exactly was LulzSecurity hosted. And then, how can we knock them offline?"

"We literally sat in the crossfire of that," he said.

LulzSec attacked the CIA's website on 15 June, which led to a dialogue between US intelligence agencies and CloudFlare, according to Prince. "They caused a lot of problems. We made a lot of friends in intelligence agencies," he said. "When they took down the Central Intelligence Agency website, that was a difficult day for us to be us."

The intelligence agencies did not try to get the web traffic-streaming company to drop LulzSec as a customer during the attacks, Prince told ZDNet UK.

"We were never asked by anyone, by any law enforcement organisation, to stop providing services," he said. "It would have been an interesting question, had they [asked]."

CloudFlare had not revealed these events before Tuesday as divulging customer details would have been contrary to its privacy policy, he said. Prince said he did ask for permission to share the story at the DefCon security conference in August, but only got an email saying, "You have my permission — Jack Sparrow," after the deadline for DefCon submissions.

LulzSec becomes a target

LulzSec signed up for CloudFlare's services in June to protect its website from distributed denial-of-service (DDoS) attacks, according to Prince. The group used the site to publicise its hacks against Sony, the UK's Serious Organised Crime Agency and others, and to get Bitcoin donations.

When they took down the Central Intelligence Agency website, that was a difficult day for us to be us.

– Matthew Prince, CloudFlare

A white hat hacker called The Jester "spent the entire 23 days trying to track down what the actual hosting sites were of LulzSecurity network", Prince told the conference. However, the hacker failed to do so, even though he claimed to have taken out the LulzSec server, Prince added.

The Jester tried to find out the hosting network and the IP address of the server. On 25 June, he published two IP addresses: one was wrong and the other was 20 days out of date, according to Prince.

At one point during the attacks, LulzSec pointed web traffic to a fictitious IP address, 20.20.20.2., he added This effectively took the site offline, serving cached versions of the page instead.

LulzSec changed web hosts seven times during the attacks, he added. The group used hosting services with servers in Canada, the US and Europe: one in Montreal, several in the US, and the final hosting in Germany.

Fending off attacks

Prince described the experience of fending off multiple different types of attacks as "interesting". "Most of the attacks we saw were pretty poor and pretty traditional," he said.

CloudFlare repelled many of the attacks by spreading denial-of-service attack-traffic across 14 datacentres. Some attacks were "annoying", said Prince, including an attack on a vulnerability in one of the company's routers.

"What was interesting about the whole series was, you can't pay for pen testing like this," he noted. "You had a very motivated group of white hats and black hats and everyone just trying to find every vulnerability on our network."

LulzSec made mistakes that may have given law-enforcement official clues "when the three-letter agencies came knocking", he said. For example, the group's original username on CloudFlare service was the same as that of a known individual on an IRC chat group. That person was arrested, according to Prince.

CloudFlare tracked LulzSec logins onto its service via logs, and most of the time, the group used a proxy in Brazil or Eastern Europe. There was one login attempt from the UK, according to Prince.

Social co-ordination

In the main, the attacks launched by LulzSec and Anonymous do not show cutting-edge hacking skills, but social co-ordination, he added. "The real talent that these hacking groups have is not so much great hacking skills, it's the ability to control a lot of people to move in one direction," he said.

Imperva released a report into one of the summer 2011 attacks on Sunday. During this one attack, which reports say was against the Vatican, Anonymous used SQL injection and denial-of-service techniques.

"We found that Anonymous, although it has developed some custom attack tools, generally uses inexpensive, off-the-shelf tools as opposed to developing complex attacks," the security company said in a statement. "Our research further shows that Anonymous will try to steal data first and, if that fails, attempt a DDoS attack."