Why we kept LulzSec safe

On June 2nd, 2011, the antisec hacker group known as LulzSec launched a web site. Although they had been an active hacking group for several weeks, the creation of Lulzsecurity.com was their first official web presence other than the Twitter account they had been using.

Shortly after launching LulzSecurity.com, the group experienced a denial-of-service attack and the site was taken down. But within 45 minutes, they were back up and running again — and they had created an account with CloudFlare, a cloud-based security and performance service for web sites. CloudFlare offers both free and commercial services, and LulzSec had signed up for a free account.

For the next 22 days, CloudFlare CEO Matthew Prince and his colleagues were part of what he described as an intense experience that was at times alarming, but ultimately quite educational, as his company provided security protection for the group everyone wanted to take down.

"Every type of hacker was trying to find out where LulzSec was posted and how they can knock them offline," Prince explained in an RSA Conference talk on Tuesday in which he detailed the story.

During the time CloudFlare provided services to LulzSec, they saw a myriad of attacks from all over the globe that ranged from Layer Seven attacks that Prince described as "harmless," to one he termed "clever": an IP scan and attack on CloudFlare's router interfaces. None were successful in taking down LulzSec.

The peak day, according to Prince, was on June 16th when they saw 21 gigabytes of attack traffic. It was shortly after LulzSec had taken down several popular gaming sites, including Minecraft.


"You can't pay for pen testing like this. Once we realized we were going to survive, it was actually kind of a fun experience for us," said Prince.

During the three weeks LulzSec was using CloudFlare, the group took down several sites, including the CIA's web site. They also managed to obtain and then leak sensitive information from Sony Pictures, the Arizona Department of Public Safety and a Brazilian government web site, among others. Because of the model CloudFlare is based on, Prince was quick to point out that none of LulzSec's hacking activity took place within CloudFlare services. All hacking took place elsewhere. The group also switched web site hosts seven times, said Prince, moving all over the world, from the U.S. to Germany.

On June 26th, LulzSec issued a statement and said the group was done with its public hacking. They took down their site and CloudFlare's experience with the hacker group ended. Prince soon started to field requests for talks on the experience. Not wanting to violate his company's privacy agreement, he wrote to LulzSec using the email they had used to sign up and asked permission to discuss what they had been through.

Several days later he received a response. It simply read:

"You have my permission. — Jack Sparrow"

Prince said while CloudFlare had been contacted by government law enforcement officials about LulzSec, they had very little information to provide. All that is needed to sign up for free CloudFlare services is an email address, a username and a password.

At no time did law enforcement ask CloudFlare to discontinue providing services to LulzSec.

"It would have been an interesting question if they had," said Prince.

Prince and colleagues suffered what he called an existential crisis many times during the experience.

"We thought: Is this who we want to have on our network?" said Prince. But, ultimately, the company felt they were not in a position to play censor.

CloudFlare will not allow sites that distribute malware, conduct phishing or host child pornography to use their services. But beyond that, Prince said he feels just about any site deserves to be served.

"I'm not sure it's my role to decide what should be on the internet."


Stories by Joan Goodchild
