 Well, good morning. Thank you for getting up to listen to me speak. It's very nice to be here. How many people here have heard of Cloudflare? How many people use Cloudflare? OK, great. So I'll do tech support after this for the people who use Cloudflare. What I thought I'd talk about in what I was asked to talk about was DDoS attacks, which Cloudflare sees quite a lot of because of our customers. And I thought I'd take you through what's happening up to date with DDoS because it does change over time and give you some ideas about the things you can do to protect yourself. Who here has actually experienced a DDoS attack on their service? OK, a few people. It's surprising how many people get DDoS. We tend to think of it as political organizations or large companies, things like that. We see a tremendous variety of people get attacked. The funniest one or the saddest one for me is people who sell flowers, florists, just before February the 14th, so just before Valentine's Day. And that's because so much of their business happens at that time of year. If you can DDoS your competitor, you make money. And so even little florists DDoS each other because you can do it. The other one that I know of is in the Netherlands. If you're doing a technical degree, you have to do part of it online on a specific day. And there was a student who hadn't studied. And so he DDoS'd the server that did the exam so that no one could take it. And so he got more time to study. So everyone gets DDoS'd. I'm going to tell you very little about Cloudflare just because this is not a corporate pitch. But Cloudflare operates a very large network around the world, about 118 data centers around the world where we do CDN, DDoS protection, and the rest of our services. We do have a data center in Barcelona. And we also have one in Spain in Madrid. And you'll see all over the world. 
So the goal of Cloudflare is to be within about 10 milliseconds of the population that's online, want to be as close as possible to everybody. So wherever there's a large number of people or a large intersection of internet, that's where we'll be. So here we are in Barcelona. So before I talk to you about DDoS, I want to ask you a question. And you've never thought about this question, I'm sure. How many electric motors do you have in your home? How many do you think you have in your house? I went around my house with my wife wondering what the hell I was doing and counted them. I think in my home there's about 40 electric motors. They're in things, right? They're in the dishwasher and fans. I have a backup server in my bedroom. It's the safest place for it. And you never think about electric motors. And the reason you don't is they're small and cheap and they're everywhere. If you go back 100 years to the amazon.com of the day in the US, which is Sears, big catalog provided in 1918, they would sell you a motor. And it was expensive. It was $8.75, which is about $154 today. And the reason they sold you a motor is that was really a high-tech piece of equipment which you could attach to your sewing machine or you could add a fan to it or you could churn butter with it and mix things, a buffer and a grinder. You could add all these attachments to it and it actually got sold like this. And it said it comes with all these accessories, cords and it works with different power. The equivalent of the electric motor today is a computer. And the equivalent of all those attachments is software. Today we buy an expensive thing, perhaps from Amazon, and we attach software to it to do all these other things. And what's happening right now is this weird thing called the Internet of Things. And the Internet of Things is like the electric motor. It's just about hiding computers everywhere. 
Even today it's starting to get hard to count the number of computers in your home because they're hidden in things. And this is great. There are computers attached to all sorts of things. Some of them are silly but some of them aren't. But the problem is that when you add a computer to something, you bring all of computers and computing's problems with it. So what people don't realise about the Internet of Things is it's just a computer attached to something. And all the problems you had with computers have come along. And so, for example, if you're reprocessing nuclear fuel in Iran and you have these centrifuges with electric motors with computers attached to them, well, guess what? They can get infected with viruses and they can stop working properly. And this is what happened with Stuxnet. And so you have to think about all these IoT things as just computers. And all the things we did to protect computers we now need to do to protect things like toasters, which I have no idea why you want an Internet toaster, but this is a real product. The sorts of problems you have are obsolescence. Whatever's in that toaster is the protocols are going to get old and it's going to be not connected to the Internet properly. How are you going to update security, update this thing? Because it's going to have vulnerabilities, people are going to find them. And it's going to end up being incompatible with the rest of the world. So you have to think of that toaster as a computer, not as a toaster. And the relevance of this is that over the last year we've seen some quite large DDoS attacks caused by Internet of Things and everyone gets excited about Internet of Things as a DDoS vector. But the reality is they're just computers. The problem is we haven't got used to updating and protecting them. You've probably got used to taking your phone and when there's an update doing an update. Maybe not immediately but fairly quickly. I guarantee you are not used to updating your toaster. 
And that's where the IoT think problems happen. So let's just talk a little bit about what's happening in 2017. And because there are some slight changes in what we're seeing from a DDoS perspective. So we used to think about DDoS and talk about it in gigabits per second. You know, the press stories of like 200 gigabits per second, 400 gigabits per second, a terabit per second, or in millions of packets per second. I got hit by four million packets per second, 100 million packets per second. And those are quite scary things. I mean, those are huge volumes of traffic to absorb. But there's been a bit of a switch over the last year or so I would say as people have, I think, what's happened is the attackers have realized that there are quite a lot of good DDoS defenses at the network level. And they've started to go up the stack. So this is full stack DDoS. So what they've decided to do instead of throwing traffic at the network level, they've gone for requests per second. So we're seeing people, instead of doing the dumb, high volume attacks, going for millions of requests per second at the HTTP level. And that's where things are starting to really hurt. Now, I'll take you through a bit about that. So last year, you may remember this, Akamai had a customer called Brian Krebs who has, he's a journalist who does investigations of cyber crime. And he got hit by 620 gigabits per second and they threw him off. Now, what was significant about this was he, that was a very large number, it can be defended against as a large number, but a lot of that was HTTP level. But a lot of it was actually HTTP requests. And a month later, Dyn, the DNS provider, got knocked offline, taking off, taking out a huge number of services. Again, a lot of this was happening at a higher level, not just at a low network level. So to give you a sense of this, I have a bunch of graphs from Cloudflare. 
So I'm gonna give you, this is a real, what I call a small attack that happened coming from Internet of Things devices. So it was back in October, it was two gigabits per second. So a good internet connection was taken on a server, or taken two gigabits per second, but it was two million HTTP requests per second. So if you think about your web server infrastructure, that's a lot for it to be handling. And that lasted for a good, well, a good hour, I mean, the peak of it was about 30 minutes. So you're talking about close to two million HTTP requests per second for an hour. And it pretty much came from all over the world. 52,000 devices were used. So they used, in this case, 52,000 cameras to perform this attack, fairly evenly distributed. The largest peak, these are our data centers, the largest peak there was in Hong Kong. It happened that this particular product had been widely sold in Hong Kong and was widely hacked there. So let's talk about a large IoT. So this one was kind of interesting. This one did the following. This is the actual payload. It sent a GET request to your server with 800K of content in the GET. And people forget that a GET can actually have a body. And so it sent a GET, this was the actual body, it just repeated like that forever. And this is quite scary, there's the size of it, it's scary. Also, all that form processing for whatever's doing form processing in your server application is now dealing with 800K of stuff to deal with. And this, because of the size of this, was quite large. This was HTTP and it was 360 gigabits per second. So on the network level, this was large. But because of the size of the requests, it was only 200,000 requests per second. But it lasted a pretty long time, well over an hour. So you had 360 gigabits per second for an hour hitting you. So this is a slightly different size. 
This is what in the past might have been called a large attack because of the gigabits per second is actually fairly small in terms of requests per second. This was also cameras, there's 128,000 of them. The top data center there was again Hong Kong after that, San Jose, Prague, all over the place. And so I think when we start to think about DDoS now, we have to think about two different worlds. There's sort of, in the old world, used to have not very many requests per second, maybe none, because it might have been all the network level. And it was painful as the bits per second went up. But now we kind of moved into a world where we've got requests per second, and that can be painful, even if the bits per second are low because the server can hurt. And then if they do this, well, everything hurts, right? So, and that can happen there as well, right? You get a lot of requests and a lot of network. So the big change that's happening is a move away from the kind of lower level network type DDoS to trying to hurt applications. And to give you a sense of how smart people can be, we saw a DDoS where the attacker realized that the application couldn't be slowed down. It was working well, it had good rate limiting and other features. And so they looked to see, because it was all done over HTTPS, which cryptographic algorithm was the slowest on the server? And they told their attack tool to use that cryptographic algorithm. So when it connected, you have a choice of algorithms, and they said, oh, we'll use that one, that's gonna consume the most server resources. So some of these attackers are pretty smart if they hate you. Now, of course, since this is layer seven, the IoT attacks, we know the IP address, unlike in the old type, where it was all spoof traffic coming from anywhere. We know it, so we can connect back to things. So we did that, we connected back to some of these IPs. And they all give you a login like this. 
This is basically either DVRs or webcams that are just open on the internet. Even better, they all have Telnet open on port 23. So you can tell, and that's how they got infected. It's trivial to do, there's nothing exciting or clever, and they look like this, and they look like this, depending on which language they got set up. So that's really what's kind of happening with DDoS right now. Now, it's still the case that the old techniques, these old volumetric techniques are still out there and still work. There have been some news stories about DDoS is getting less this year. In fact, DDoS is switching more up to the app. The old techniques are basically IP spoofing. So because in TCP/IP, you can just lie about where you're coming from. You just say, well, you know, someone sent, you know, a real request comes from Google's request versus a spoofed request. You just make it up and say, hi, I'm this guy. You can, I can send a packet pretending to be any victim I want in the world and get someone else to send a message to it. And the classic way you do this, which is actually dying out a little bit, is you send a DNS request to some DNS resolver saying, oh, I'm actually victim IP address. And the resolver says, okay, here's your response and sends it to the victim. And that's trivial to do. It's very easy. And that way we call this a reflection. So what happens is the attacker finds some servers out there on the internet, pretty much anything that'll respond on UDP. So there's lots of services that run over UDP, DNS, NTP, SSDP. There's a whole list of them. You send a spoofed request, say, hey, I'm from victim IP address. Will you give me this information? And the server says, yeah, sure, here you go. And sends it back to the victim. I call this a reflection. And the really cool thing about this, if you're an attacker, is that you can generate a huge amount of traffic because, for example, with DNS, you send a little response. Where is fullstackfest.com? 
There might be a few bytes. And the server says, oh, here's all the information you asked for, sends back a lot more bytes. So then we call this amplification. So you can send a small amount of traffic to a DNS server, for example, or to an SSDP server, and get a huge response sent to your victim. And no one knows where you are because all of the attack traffic seems to be coming from the resolver or the server that you've attacked. So one thing we do is we like to look at where attacks come from. You may have seen this XKCD slide, which shows the internet. Basically what it's showing is all of the networks in IPv4 starting with zero dot in the corner. And then it's laid out in such a way that if you have a continuous set of IPs, they'll be all together. So in the top, you've got local IPs, you've got the multicast area, you've got things that are in Europe. So you've got essentially the map of how the IPs are allocated in the internet. And we like to use these sometimes to draw maps of attacks to try and understand where they're coming from. So this is a map of a real attack. So you can see the shaded areas, you should never get traffic from the shaded areas. That's local network, multicast addresses, things like that. And here we sure enough, we've got some attack traffic. Now this, because of its pattern, doesn't look like it was spoofed. It's like it came from real machines. It might've come from a set of DNS resolvers or other servers on the internet. You can see it kind of spread about. This is all the IPs inside China. So I just go back, sort of similar. Now what's interesting about this is so we know that this attack came from China. Now here's a word of caution. That sounds, you know, China, scary. But actually, if you think about the number of internet users there are in China, which is huge, about one third of people on the internet. If you go and hack a bunch of machines in China, you've got yourself a huge botnet you can work with. 
So a lot of attacks that come from China do come from there physically, but nothing to do with the Chinese. They're just being misused. So you have to watch out when the press tells you that China is terrifying. Sometimes it is. This is another attack. Now this is real. This is fairly distributed across the internet. This is actually one where there were a large number of NTP network time servers across the internet responding. So someone spoofed traffic, asked a whole load of servers for the time, all the servers returned the time to Cloudflare, which I hadn't asked for. It's fairly well distributed. There are certain areas where there's a bit more than elsewhere. And this is what someone who's making stuff up looks like. So this person has literally generated random IP addresses and sent data to Cloudflare. And of course this is complete nonsense because there are areas that should be no traffic coming from multicast addresses at the top that they didn't realize that they shouldn't be doing that. So this is very easy to filter because it's like, why? For example, you could just in the middle there, there's 127.0.0.0. We shouldn't be getting traffic from local host on the internet. So this person was smarter. So this person randomly did stuff across the internet but they excluded the regions they shouldn't get stuff from. But when you see a uniform pattern like this, this doesn't look like real traffic. Now no one sends you lots of traffic from every single place on the planet. This is kind of interesting. We speculate that the person here might be using an unsigned char because they've only got seven bits or something. Because how did they generate these IP addresses? If anyone has a good explanation, I'd love to know what it is. But what's interesting about this is you can kind of fingerprint the tool people are using because you'll get this kind of pattern. And also what's this little bit in the middle here? They kind of added in some extra addresses. 
And yeah, I mean, what's this? I mean, why did they choose this bit of the internet to come from? They've kind of excluded Europe and North America and had a bit over here. So one of the things that we do is we look at these patterns to see where stuff comes from. And we see an attack about every 40 minutes, continuously for the last six months at this, using these old-fashioned techniques. So if you look at it, still super popular at the top is NTP, which is network time protocol. It's the most popular thing. There are lots of time servers on the internet that will give you the time for free. In fact, they'll give you lots of information so they're very popular. The newcomer is really SSDP. This is a part of Universal Plug and Play, which I'll talk about in a minute. And DNS is kind of dying out. And then people try everything. I mean, people try at all ports. So to give you the idea of these old-style attacks, NTP, six to 64 gigabits per second of traffic. And some of these are 11 minutes. If it's 11 minutes, often we'll see stuff around a very, very fixed length of time. That's because someone paid for a DDoS and they pay by the minute. And so there are services you can use to do that. Give me a 15-minute block. So sometimes you'll see these attacks. You know the person paid for that period. 22 hours, that's professional work. The largest one was this guy. It lasted 20 minutes. These lines are data centers around the world, so it stacked up. So it was fairly widely distributed around the world. Lots of data centers got hit. And 20 million packets per second. So this is classic kind of DDoS stuff. The new kid on the block is SSDP. SSDP is part of Universal Plug and Play, probably one of the most terrifying technologies out there from a DDoS perspective. One of the things that Universal Plug and Play does is it allows devices in your home to talk to your firewall and say, hey, open this port. And you don't have any idea it's doing that. 
It's like, yeah, you want this device to work. I'll open a port for you. An interesting fact is that, so Universal Plug and Play, this works on port 1900 and on port 1900, it will respond to requests for, hey, what sort of device are you? Tell me about yourself. And SSDP is UDP, there's no authentication. You can just say, hey, who are you? And funnily enough, this is meant to happen only in the local network, except there's nothing in the standard that says that. So lots of people have port 1900 open to the internet and you can go query their home router. Hey, what devices have you got? And you get a big response. We have a little Python thing which sends this ssdp:all, that's the message. That means tell me everything about and it will respond with a huge amount of data. For example, this is an actual thing. We sent 88 bytes and it sent back eight packets of about 300 bytes. So if you're an attacker, you find someone's home router with port and you send 88 bytes saying, hey, what's on that network? You don't care what the answer is because you've spoofed the victim. And it replies to the victim, hey, I've got a printer and a camera and all this stuff. Look, it's great, isn't it? No, it's not because you get someone like this. This is almost an hour, 30 million packets per second. This was a couple of months ago, 80 gigabytes per second. I think they had tea. That's about tea time in England, right there. A little bit there. And I thought this was large and in fact, people were saying this was large. And then just the other day, we had this happen. So we had someone generated 112 gigabytes per second using people's home devices. We know that they sent about, so they had control of five gigabytes per second. So if you think about this, the attacker probably had one machine on a good internet connection, right? They probably rented a connection. Or maybe they had five with one gigabit, but they launched it from a very small place. 
They hit almost a million people's home routers and generated 112 gigabits per second. So they got a 22 times amplification for their work. So, you know, good business. And this is what it looked like. 40 minutes of over 40 million packets per second and 112 gigabytes per second. And that was the packet per second. This was the gigabits per second. The funny thing is about this is this is trivial to mitigate. You can just do this, right? I don't want anything that comes from port 1900, thanks. If your pipe is, there's nothing complicated about this, right? You probably don't need SSDP on your server or your service. And you could just use iptables. And actually, Cloudflare does this as, this is one of the things we do. We do this kind of just, hey, we don't need that. Of course, you have to have a pipe that's big enough to absorb 112 gigabits per second. And one last kind of funny one, which is are there people who have DDoS as a job? And I think the answer is yes. I'll tell you why. Thanksgiving last year. So November the 23rd last year, the day before Thanksgiving. This happened against a customer. 400 gigabits per second, TCP SYN packets. Just started at about 1830 UTC. So daytime in the US lasted about eight hours, stopped. Just continuous, 400 gigabits per second, just thrown at you. Next day, same time, same thing. This is the day of Thanksgiving. Next day, same time, same thing. So this is Wednesday, Thursday, Friday of Thanksgiving. And then we looked at it like this. That's interesting, right? It's like pretty much the same thing every day. And it kept on for over a week. Every day, somebody got up, turned on their DDoS machine, ran it for about eight hours, nine hours of work, and stopped. This is clearly someone's job, right? I mean, I mean, computer. Are they typing it in? Why do they need to do this? Why didn't they let it run? I mean, it's like, why do they stop at night? 
So, anyway, they did this through the, and then after about a week, they seemed to get very frustrated. As you can see the end here, they just started getting mad, and they tried doing it at night. And after that, they gave up. So I think there are probably people out there whose, you know, DDoS is their job. All right, how can you prepare for this stuff? It depends what you're preparing for. So, I think one big thing is, if you have your app hosted somewhere, Amazon, hosting provider somewhere, wherever it is, you better talk to them about what they'll do if you get DDoSed, because it depends on the provider. So, for example, OVH is fairly well known for having a superb DDoS mitigation system. If you're there, they will help you. There are others that will just simply shut you off. They'll say there's too much traffic going to this IP address, shut it off. If you don't have a provider like that, maybe you're hosting it yourself, please put something in front of it. There are lots of free services that you can use for that. Do something that does HTTP rate limiting. As the attackers have moved up the stack, they're gonna go after your app. You're probably not gonna manage to optimize your app to cope with a million requests per second, because attackers will find whatever the toughest part is. There are things, I'll give you an example. Nginx has this rate limiting module. It's like five lines of code to turn it on. It does work very well. If you're doing it yourself, three large things, three things, right? HTTP rate limiting, you definitely wanna do a big pipe to the internet. And if you don't have a big enough pipe, put something like Cloudflare, there are other services in front of it. And just block everything that's not essential. I mean, basically, if you plug in an internet connection, and it's worth trying this one day, just bring an IP address up on the internet and tcpdump it. There is like this background radiation of noise that just comes at you. 
You think it'd be quiet, but I don't know, you're there and you're getting stuff thrown at you. So just block everything you possibly can. And we open sourced our DDoS tools. So you can take, this is the blog, I'll give people it, you can take all the tools. So if you wanna run what we run to do filtering on your server, go ahead, it's all open source. All right, perhaps you'd like to know about this. We protected a bunch of these folks. We didn't protect the woman who lost. I'm not saying there's any correlation, but I'm just saying that. I'm just saying that we didn't. So what was, just to tell you a little bit about this, just to give you an idea of like a real DDoS. So we get widely used by all sorts of things. And one of the things was Donald Trump's website. He got hit pretty hard. He got an average of half a million attacks. This is things that were blocked at the HTTP level. This is not DDoS, this is like, I'm trying to break into your website per day. And he was attacked, well, essentially 100% of the time. The worst day was this one where he got 15 million attempts to break into his website. So 15 million HTTP requests in a day, trying SQL injection and everything they possibly could. And if you look at this, this is everybody except Donald Trump getting attacked. So they got on the worst day, I don't know, 200,000 requests sent to them. This is Donald Trump. He got, well, 15 million on the worst day. And this is them together. So he kind of, you know, it was huge, right? What he did, huge, I mean, he's got these huge attacks. And you can correlate what happened to him with what he said. So the really big spike is he said, he proposed the temporary ban on Muslims entering the US. That caused an ongoing long period. The funny thing is at one point Anonymous declared war on Donald Trump, which sounds scary. If I could just walk over here. This is Anonymous. This is the war right here. It's this little, you see that? It's that little bump there. 
Don't know that Anonymous DDoS attacks are not scary. One of the reasons is they often put in the DDoS attack, we are Anonymous, we are legion, et cetera, which makes filtering it really easy. I mean, that's basically setting the evil bit on a packet, saying, hey, this is bad, delete me. And so, yeah, so that happens. And then, you know, DDoS attacks continued throughout the year. And after that big spike, once he became the nominee, he just got attacked all the time, basically right up until the day. And the funny thing is people threw everything they could at him. So the big blue thing here is they tried, every sort of exploit they could against WordPress. Trump doesn't use WordPress, but people tried anyway. And then they used all sorts of bots. They tried SQL injections and cross-site scripting and you name it to break into him. And so, you know, if you annoy people, you'll get a lot of data, a lot of stuff thrown at you. And the last slide is, well, this is just trump.com. This is his business website, similar thing. Again, he doesn't use WordPress, but people decided to attempt to break into his WordPress site, which is fairly easy to figure out, right? But, you know, the message here is attackers are not smart half the time. It's the tiny percentage at the end you need to worry about. Great, that's my 30 minutes. Thank you very much. That was really interesting, thank you. I was just curating questions, sorry. So we have some questions. If you have any more questions, feel free to jump on Slack quickly and send them to me. So, who's behind all of these things, really, is my first question. Is it the Chinese? It can be the Chinese, if you're clearly someone who's annoyed the Chinese. Yeah, absolutely. But it can be the Russians, it can be the British. How much of it is state sponsored and how much is this someone's pissed off at Donald Trump? So they try and take it down. 
That's actually very hard to answer, because one of the things I think we see is that this idea of state sponsored, you imagine this state DDoS Academy, which might have been that one where they worked at hourly was, but you also have the issue of people who are just sympathetic, right? So it's like a sort of guerrilla thing. You might be sympathetic to the aims of your government, so you might do something on behalf of your government. No one's ever asked you, but you're doing it because it makes you feel better about your country. So is that state sponsored? Unclear. Is there a way to trace or narrow down who that is coming from originally? Sometimes there is. So we have a team that works on botnet shutdowns on our service. And so sometimes there will be, quite often it's very, very hard, especially if they're using reflection. So they will set something off your, you're talking about going across multiple different countries trying to figure out where the source is and typically no. I mean, if it's anonymous, it's easy because they announce it, we're having a war. But others know it can be very, very hard. Building on that, someone says when they first heard of DDoS it was just something that people on 4chan did for fun. Or maybe as a political statement. From your point of view, understanding this, where is the biggest threat coming from in the future in terms of DDoS, both in terms of who is doing it and also the techniques and the devices and everything else? Okay, so it's certainly the case of lots of it's political. Cloudflare actually has this thing called Project Galileo where we protect various sort of like news, political, social websites for free. We can't give you a list because it's a secret list but people will come to us and it might be a blogger in an African country talking about LGBTQ rights where they're in danger, we protect them. So there's definitely that. But frankly, a lot of DDoS is economic. I'll give you an example of that. 
There were two large pornography sites in South America who were competitors. They were both using Cloudflare. They decided to attack each other because obviously they could, if one was offline, I know people aren't that smart sometimes but they failed, right? And then so one of them decided that what they would do is they would weaponize their own customers. So what they did was if you went to that site, they'd inject some JavaScript that sent thousands of requests to the competitor website. So they weaponized their own clients to try and knock the other person offline and of course we saw that and we're like, can you guys just knock it off? You're both on us, it's like, you know, if you don't stop, you know, we're gonna kick you off the service because this is crazy but so that's just economic, right? That's purely economic. So I think that's where I gave the example of people selling flowers at Valentine's Day. That's just an economic thing. So I think it's just a tool people use. How much of that is happening in browsers? How much of it is a bit of JavaScript that does this? Not as much as you might think, actually. Mostly because it's very, very observable, right? So the other day there was an attack on a Chinese language website using something that people called the Great Cannon and the Great Cannon is a thing in China supposedly. I mean, we've never seen it but it replaces a common analytics JavaScript. It's downloaded over HTTP, right? They inject their own one because they've got network control and that JavaScript will then hit this website they don't like with many, many thousands of requests and so that's using lots of different websites. If you go and stack overflow, you can actually search this and you'll find people saying, why is my browser doing, I went into the JavaScript console and there's thousands of requests coming out and that's why. There's a question, I guess, maybe more practical edge. 
Given that many people have ISP-installed routers that have default settings that are easy to hack, and I guess this massively expands with the IoT things you were talking about as well, how much of this responsibility actually has to lie with the device manufacturers, with the ISPs? Is there a political pressure or business pressure that can be put on those companies to stop this?
I think that's really starting. It's definitely starting in the US that there's, you know, we have regulations around like electrical safety, right? You can't sell a device that will electrocute you. This has been tested in some way, and I think a similar thing is gonna happen with devices that are plugged into the internet. There's some level of minimum standard of, you know, it doesn't have all its ports open and a password, a password and, you know, is running a 15-year-old version of Linux which is, you know, a real example.
Following up on the South American porn sites, did they knock it off?
They did, yeah, they did actually. We just wrote to them, I was like, can you just stop doing that like?
Someone asked what the success rate is when you ask people, do a lot of people just hands up, stop doing it?
Actually, most, I mean, we don't normally see examples like that where it's two customers attacking each other. Occasionally it happens, but, you know, mostly it's some external party is attacking a website, you know, they don't like for some reason. Well, just for the hell of it, frankly, I mean, the attacks that happen on Christmas Day. Yeah. So often just like, it's vandalism, essentially.
With your Cloudflare hat on, have you got any plans to release more automation tools for your infrastructure, maybe plugins for Terraform which we had a talk on yesterday, that sort of thing?
So, yeah, I mean, if you look in general, Cloudflare open sources a lot of stuff. So definitely there's a lot, especially around the orchestration of our large network. We're quite heavy users of SaltStack.
And we also have a lot of network automation stuff we're doing as well, because as well as all of our servers, we have tens of thousands of servers, we also have thousands of network devices and they are heterogeneous. So we have like Juniper and Cisco and, you know, all these kind of different devices. And we've actually been working on automation tools for those as well. So that's all being open sourced. And in fact, if you go to, I guess it's cloudflare.github.io, it's all there, so yeah, definitely.
And with your sort of business Cloudflare hat on, are you, notoriously is maybe the wrong word, but after Charlottesville you kicked Daily Stormer off, which I know your CEO said was a tough decision because you don't want someone to be, you don't want to be policing the internet. Where do you draw those ethical lines? How do you as a business and how do you as an individual think that you should be drawing ethical lines as to which sites you actually choose to protect on the internet? When is it actually that the DDoSers are doing us all a favor?
So what's the last part, when are the DDoS?
When is it that the people who are doing the DDoS are doing us a favor by taking the Daily Stormer, for example, offline? When do you say, actually, we don't want to get in the way of these people?
I see, well, that last question is a societal question, right, about what's permissible speech. That I think, so there's that side of it, and if you were to look at, say, Germany, Germany has decided that it is not permitted to talk about Nazism as something that is at all a positive thing. You can't say, hey, I think that's a good idea. Look at other countries like the US, which has a very long tradition of really, you can say whatever you like online, pretty much, not everything, there are restrictions, right? The real question is what do you do as a private business about this, where do you draw the line?
And I think what Matthew did when he knocked off Daily Stormer, it was very different to what we've done in the past. We had not taken a position, and he started a debate for that, and if anyone wants to read it, there's a really good Wall Street Journal editorial by the editorial board of the Wall Street Journal about this, about what should a company do? And our position is we would much rather this is a judicial thing than a company decision. We would much rather a government said, openly, this type of content isn't allowed, you must take this down, than us say, well, we think this is bad. And the example, there are examples where it's easy to look at and you say, this is really definitely bad, and you sort of try and draw this line, and then you come against things where what do you do about websites that are anti-abortion and pro-women's rights? Because there are people who truly believe that abortion is murder, and there are people who truly believe that absolutely it's the case that abortion should be legal. You know, those are very opposing views, particularly in the US, and it's like diametrically opposed, you know, where do you draw that line? And clearly that's not the same thing that I personally think is Nazism, but there is some position, and our position is we'd much rather a government said, this is where we believe the line is, and that people who vote for a government can say we agree or disagree, than us say, we don't like that.
Fascinating talk. John Graham-Cumming.