Today, like the past few days, we have had some downtime. Apparently some script kids are enjoying themselves by targeting our server (and others). Sorry for the inconvenience.

Most of these ‘attacks’ are targeted at the database, but some are more DDoS-like and can be mitigated by using a CDN. Some other Lemmy servers are using Cloudflare, so we know that works. Therefore we have chosen Cloudflare as CDN / DDoS protection platform for now. We will look into other options, but we needed something to be implemented ASAP.

For the other attacks, we are using them to investigate and implement measures like rate limiting etc.

        • EatMyDick@lemmy.world · 2 years ago

          Nothing. DDoS mitigation is inherently an ISP or someone like cloudflare. You will not have success against anybody who knows what they are doing without their help.

          • PropaGandalf@lemmy.world · 2 years ago

            This is bullshit. Just take this as an example. I found it with one quick search and there are plenty more. Perhaps we should broaden our horizons a little rather than entrusting everything to some corpos.

            • TheBeege@lemmy.world · 2 years ago

              My dude, I think you’re not super familiar with these technologies.

              The most basic form of a content delivery network is a set of globally distributed servers that replicate content from a source of truth and a network to direct traffic to the closest server with a valid replica. So the cost here is servers.

              With Lemmy, this problem is solved by eliminating the need for individuals to own many servers and a lack of need for trust between servers. The effort and cost is distributed among individual humans, making it manageable.

              Now, if you’re familiar with blockchain, you probably perked up when you heard “lack of need for trust.” That’s what the blockchain was built for! Perfect fit, right? Ehh, not so much.

              There are two problems: acting as a proxy for content requires trust, and some single service needs to direct clients to the right local server. If I can arbitrarily join some network of serving content, I can always tell other servers in the network that I’m serving what they ask… and then serve ads. There’s no (reasonable and fast) way for the network to verify that I’m serving the correct content to every client. There’s no way to avoid the need for trust. Additionally, DNS, which directs you from mysite.com to 120.1.2.1, isn’t intelligent. It can’t direct clients to a geographically (or route-efficient, fucking ISPs) local IP. The best it can do is pick a random one from the pool. So when you go to lemmy.world, DNS can’t pick the correct server for you. So some set of servers needs to do the logic to select which local server to actually get content from. Those servers need to be central for the whole content delivery network.

              This company you linked is just another company using “blockchain” to get investment money. If you read through their page to get a cursory understanding of how things work, an easy question comes up: what is the purpose of media tokens? Sure, maybe you can buy CDN time with it, but when you pay that token to someone providing compute… what do they do with that token? It’s worthless, just like cryptocurrency. Fucking scams. All that said, blockchain is a super, super interesting technology. There’s just very, very few suitable applications of it.

              I’ve worked in IT for about 12 years now. Everything from infrastructure monitoring to data analysis to data engineering to DevOps to backend engineering to product management. I’ve worked with systems serving tens of users and tens of millions of users. Happy to answer any questions. I love this shit.

              If someone could figure out a trustless, decentralized way to implement a CDN, I’d eat that up in a second, but with my current understanding of the internet and available technologies, I don’t see a way it can work. At least, not with making every web page take >3s to load, which would absolutely kill websites.

      • ClamDrinker@lemmy.world · 2 years ago (edited)

        That’s easier said than done; DDoS mitigation requires a large amount of servers that are only really useful to persist an active DDoS attack. It’s why everyone uses Cloudflare: because of the amount of customers they serve, there’s pretty much always an active attack to fend off. Decentralization wouldn’t work great for it because you would have to trust every decentralized node not to perform man-in-the-middle attacks. But if you know of any such solution I’d love to hear it.

        • PropaGandalf@lemmy.world · 2 years ago

          Yeah, I see the issue, but on the other side you would get a more robust network which could also be incentivised by some sort of underlying blockchain technology. The man-in-the-middle attack could also be mitigated on a technical level.

      • perchance@lemmy.world · 2 years ago

        I think Ryan is referring to the usual requirement that the server’s IP address is changed if switching to a CDN to avoid DDoS, since otherwise the attackers can usually just bypass the CDN by sending requests to the original IP of the server.

          • perchance@lemmy.world · 2 years ago

            Depends on how big the attack is, I think - inbound connection handling is not free, even if you’re just rejecting.

            • Krazyglue@lemmy.world · 2 years ago

              I mean, on your origin you can control the firewall of your own webserver. If you only accept HTTPS from the Cloudflare IPs, everyone using your URL should be patched through Cloudflare without issue, and the attack wouldn’t be much of a problem as they would be rejected. I use this method on some of my websites at work.
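The origin lockdown Krazyglue describes, as an added example that is not code from this thread, from lemmy.world or from Cloudflare: it renders an nftables allowlist from a list of CDN egress ranges and, for the rate limiting the original post mentions, shows why the forwarded client-IP header may only be honoured when the TCP peer is one of those ranges. The CIDRs are constructed placeholders (documentation address space); `CF-Connecting-IP` is Cloudflare's real header, everything else (function names, the `inet origin` table) is an assumption of this example.

```python
"""Origin lockdown (added example, not lemmy.world's or Cloudflare's code):
accept 80/443 only from the CDN's egress ranges, and honour the forwarded
client-IP header only when the TCP peer is one of those ranges.
CIDRs below are constructed stand-ins (RFC 5737 / RFC 3849 space); in production
load the real list from https://www.cloudflare.com/ips-v4 and /ips-v6 and
regenerate the ruleset whenever that list changes."""
import ipaddress
from typing import Iterable, Mapping

CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:cd::/48"]  # constructed


def parse_ranges(cidrs: Iterable[str]) -> list:
    return [ipaddress.ip_network(c) for c in cidrs]


def is_cdn_peer(peer_ip: str, nets: list) -> bool:
    """True if the TCP peer address lies inside one of the CDN egress ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in n for n in nets)


def render_nft_ruleset(cidrs: Iterable[str]) -> str:
    """Emit an nftables ruleset: web ports only from the CDN sets, default drop."""
    nets = parse_ranges(cidrs)
    sets, accepts = [], []
    for fam, ver, typ in (("ip", 4, "ipv4_addr"), ("ip6", 6, "ipv6_addr")):
        elems = ", ".join(str(n) for n in nets if n.version == ver)
        if not elems:  # an empty 'elements = { }' is an nft syntax error, so skip it
            continue
        sets.append(f"  set cdn{ver} {{ type {typ}; flags interval; elements = {{ {elems} }} }}")
        accepts.append(f"    {fam} saddr @cdn{ver} tcp dport {{ 80, 443 }} accept")
    return "\n".join(["table inet origin {", *sets, "  chain input {",
                      "    type filter hook input priority 0; policy drop;",
                      "    ct state established,related accept",
                      "    iif lo accept",
                      "    tcp dport 22 accept  # admin path; narrow it to a management range",
                      *accepts, "  }", "}"])


def real_client_ip(peer_ip: str, headers: Mapping[str, str], nets: list) -> str:
    """Key rate limits on the visitor, not on the CDN edge: CF-Connecting-IP is
    honoured only when the peer is a CDN address; from any other peer the header
    is attacker-controlled, so fall back to the socket peer address."""
    if is_cdn_peer(peer_ip, nets) and "CF-Connecting-IP" in headers:
        return headers["CF-Connecting-IP"]
    return peer_ip
```

An IP allowlist only stops direct-to-origin traffic from outside the CDN's published ranges; Cloudflare's Authenticated Origin Pulls (a client certificate checked at the origin) is the stronger complement, and the allowlist has to be refreshed when the published ranges change.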

  • Dr. Moose@lemmy.world · 2 years ago

    I hope lemmy.world can avoid using Cloudflare which goes against the spirit of Fediverse as it’s just an objectively evil company.

      • Dr. Moose@lemmy.world · 2 years ago (edited)

        There are thousands of reasons, from centralizing the internet, abusing their market power, and implementing barriers on web automation that can only be bypassed by the privileged, to fingerprinting and tracking users across the whole internet. It’s a major for-profit market capture corporation - it’s evil by design.

        • Bandario@lemmy.dbzer0.com · 2 years ago

          Yeah, they’re not someone I’d choose to give money or support to. Pretty disappointed it has come to this tbh.

  • Noneo@lemmy.world · 2 years ago (edited)

    Well, I signed today and I got an error saying rate limit earlier for using these types of symbols “î¦âö)ééäë((ºÜݨ¿ã¿ï”. I’m assuming it has nothing to do with this, but just in case I’m making a comment about it. Edit: also just realized it may have been from how long the password was (33 characters).

    • abhibeckert@lemmy.world · 2 years ago (edited)

      This might be related. Encrypting passwords is resource intensive, and longer passwords need more resources.

      Specifying really long passwords, repeatedly, is one way to DDoS a server. Maybe they’re blocking unnecessarily long passwords.

  • Jackthelad@lemmy.world · 2 years ago

    I don’t understand why people want to take down websites. Especially sites like Lemmy, which isn’t exactly sticking it to anyone because no one owns it!

    Are they just Reddit groupies?

    • Candelestine@lemmy.world · 2 years ago

      Some people enjoy causing suffering to others. On the internet they are termed trolls. IRL people usually just call them assholes. Most people have encountered them before.

      I think they are far more common and likely than anyone giving two shits about reddit.

  • 6mementomori@lemmy.world · 2 years ago

    Meanwhile it was giving me an incorrect login error and I had thought someone got into my account lol