
> If an attacker is capable of installing apps on your server... you've already lost.

You're right, but cloudflared is a whole lot easier to get running than previous RATs, and attackers don't need to operate their own c&c infrastructure - you can't defend yourself from such attacks by blanket banning Chinese, Russian, Iranian and North Korean IP addresses (which I honestly advise everyone to do if they don't have business in that country), and you can't easily block outbound to Cloudflare either as half the Internet is hiding behind them.

Basically, cloudflared lowers the price and effort for attackers dramatically, while the effort to defend against this threat model has now risen significantly.

If Cloudflare were to actually be willing to do something against being used by scammers, they'd put the ingress IPs for the C&C infrastructure on dedicated IP ranges and publish these in a machine-readable format so every reasonable person that does not use Cloudflare tunnels can ban them.

(Side note: "zero trust" needs to die)
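To make the proposal in the parent comment concrete, here is an added example (not the commenter's code, and not anything Cloudflare actually publishes): it takes a hypothetical machine-readable list of tunnel-ingress CIDRs, collapses overlapping prefixes, emits an nftables egress-deny ruleset for hosts that do not use such tunnels, and offers a lookup so you can check a connection destination against the list. The list format, the set and chain names, and all address ranges are assumptions; the sample list uses documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) rather than any provider's real addresses.

```python
"""Turn a published list of tunnel-ingress CIDRs into egress deny rules.

Added example: the list format and ranges below are hypothetical, not a
real feed from any provider.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feed: one CIDR per line, '#' comments and blank lines
# allowed. Documentation prefixes only; the last entry deliberately overlaps
# the /24 above it to exercise prefix collapsing.
SAMPLE_LIST = """
# hypothetical tunnel-ingress ranges (example prefixes only)
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
2001:db8:1::/48
198.51.100.64/26   # overlaps 198.51.100.0/24
"""


def parse_cidrs(text: str) -> List[Network]:
    """Parse a plain-text CIDR list; malformed lines raise ValueError."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=True rejects prefixes with host bits set (e.g. 192.0.2.1/24)
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def collapse(nets: List[Network]) -> List[Network]:
    """Merge adjacent/overlapping prefixes so the firewall set stays minimal."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def is_blocked(ip: str, nets: List[Network]) -> bool:
    """True if the destination address falls inside any listed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def nft_rules(nets: List[Network], table: str = "egress_deny") -> str:
    """Render an nftables ruleset that drops (and logs) outbound traffic
    to the listed prefixes. Empty address families are omitted, since an
    nft set with no elements is not useful here."""
    v4 = sorted(str(n) for n in nets if n.version == 4)
    v6 = sorted(str(n) for n in nets if n.version == 6)
    out = [f"table inet {table} {{"]
    if v4:
        out.append("    set tunnel_v4 { type ipv4_addr; flags interval; "
                   f"elements = {{ {', '.join(v4)} }} }}")
    if v6:
        out.append("    set tunnel_v6 { type ipv6_addr; flags interval; "
                   f"elements = {{ {', '.join(v6)} }} }}")
    out.append("    chain output {")
    out.append("        type filter hook output priority 0; policy accept;")
    if v4:
        out.append('        ip daddr @tunnel_v4 counter log prefix "tunnel-egress " drop')
    if v6:
        out.append('        ip6 daddr @tunnel_v6 counter log prefix "tunnel-egress " drop')
    out.append("    }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    blocked = collapse(parse_cidrs(SAMPLE_LIST))
    print(nft_rules(blocked))
```

On a host that does not use tunnels you would save the output and load it with `nft -f`; the `policy accept` default means only the listed destinations are affected, which is exactly why a dedicated, published range matters: blocking a provider's general edge ranges instead would also cut off every legitimate site fronted by them, the problem the parent comment describes.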




This kinda surprises me, what is so "dramatic" about cloudflared specifically? This seems just like another reverse tunnel tool, and there are plenty of them.

I am not working with malware specifically, but in the past I've used ssh tunnels, a random one-off websocket thingy we wrote, a wireguard tunnel, frp proxy, and even the AWS SSM agent to get access to machines with all incoming connections blocked. They are pretty simple to set up and generally cannot be blocked with whitelist blocking already.

(and I bet that for malware, they are worse than cloudflared. Based on CF's reputation, they take security reports seriously, so I would not be surprised if they take down malicious tunnels fast. While a random VM on a low-cost hoster will probably take days to respond.)


> This seems just like another reverse tunnel tool, and there are plenty of them.

These are known though, you can block them without causing issues.

> and even AWS SSM agent to get access to machines with all incoming connections blocked

SSM is awesome, but the way it works... I have no idea how. I think though that it uses outbound connections, but unfortunately AWS SGs can't do deny rules.


> If Cloudflare were to actually be willing to do something against being used by scammers, they'd put the ingress IPs for the C&C infrastructure on dedicated IP ranges and publish these in a machine-readable format so every reasonable person that does not use Cloudflare tunnels can ban them.

I don't like the idea of making it easier to block certain services, because it goes both ways: it'd also be easier for bad guys to block good guys from using said services.


I'm not seeing how the GP's idea could be used by bad guys to block access to services - it'd be something you could add to your firewall, if you don't use this service, to prevent its use in gaining persistence.

If the bad guys can modify your firewall config, you already have a problem.


They mean governments like China's or Russia's by "bad guys" here, and he has a point there.



