Firesheep is a poor comparison. It's a piece of software. The developer (or his associates) do not provide a product or service to protect against it, which would be a requirement to be considered racketeering. (Even if they were offering some "service," say to set up SSL on your server, I'd have a hard time calling it a racket simply because what Firesheep accomplished, i.e. packet sniffing for cookies, has always been possible.)
I don't have a problem with CloudFlare offering multiple service levels. That's just smart business. They are one of the relatively few companies with their own network that can mitigate attacks. And that's where the problem lies - they are using that capability to prop up booters (DDoS attack services, if you weren't familiar with the term). As others have said, booters would be largely uneconomical to operate without the cheap assistance of CloudFlare, because the booter "market" is similar to drug gangs - it's a "war" with the booter owners all trying to take out their competition. (So this makes DDoS attacks less easily available, a good thing for the rest of the Internet.)
The problem is that CloudFlare is choosing to allow them to operate, while offering protection services at the same time. This is the very definition of a racket. It is no different from "wouldn't it be a shame if your shop burned down, you should pay us money."
Now, I'm not saying that _all_ DDoS would instantly go away if CloudFlare stopped this. It wouldn't. It would make a significant difference though, IMO. Services like this make it easy for anyone with little skill to launch attacks, and with amplification techniques (NTP, DNS, SNMP, chargen, etc.) the booter needs very little hardware and bandwidth to launch massive attacks.
From some of your comments, it seems like you are heavily involved with a similar situation as a former CloudFlare customer?
Put it this way: if I am a security researcher and I want to publish a paper on DDoS, I can make use of CloudFlare to accomplish my objective. How do you distinguish the good from the bad?
I'm not and have never been a CloudFlare customer. My experience with them stems from hosting game servers and dealing with many DDoS incidents, nearly all of which originated from CloudFlare-"supported" (I would like to use the term "hosting" but I realize they will dispute this, and I'm not interested in a debate on semantics) booters. As part of this, I also have experience dealing with CloudFlare, which I detailed in another comment here.
Publishing research papers about DDoS attacks is one thing. Selling a service that performs them (i.e. DDoS-for-hire) is completely different, IMO.