Post ASVMcvtQc3OC2pdaym by pmurphs@linuxrocks.online
Post #ASUz7g80sUfPEDaTzM by GrapheneOS@grapheneos.social
2023-02-09T09:27:43Z
0 likes, 1 repeats
Our website was targeted with a Distributed Denial of Service attack using HTTP/2 multiplexing within the 2 minute window from 2023-02-09T00:58:00Z to 2023-02-09T01:00:00Z. OVH detected it and enabled mitigation but enough went through to cause downtime due to memory limits. #grapheneos #ddos #http2 #nginx #ovh
Post #ASUz8iR1mru8fiyZVo by GrapheneOS@grapheneos.social
2023-02-09T09:27:55Z
0 likes, 1 repeats
In September, a similar attack caused nginx's master process to be killed by the out-of-memory killer causing much longer downtime. Default systemd service lacked auto-restart since master process supervises workers. We fixed that:
https://github.com/GrapheneOS/infrastructure/commit/320ad2e3a8fe4d8823abe628573bc209b7305899
https://github.com/GrapheneOS/infrastructure/commit/36423fb2bc31561f2519aedcc6193038c1b7890f
Post #ASUz9UCqAv4opchv3w by GrapheneOS@grapheneos.social
2023-02-09T09:28:02Z
0 likes, 1 repeats
We also added a large encrypted swapfile to each server:
https://github.com/GrapheneOS/infrastructure/commit/b93695ecc4862d1bdba9dabd76f5ffcf5d154902
We also reduced HTTP/2 multiplexing limit, per-IP connection limit, buffer sizes, etc. last time:
https://github.com/GrapheneOS/grapheneos.org/commit/2ef894ca47d7ef284d007f4f89a755360171a296
https://github.com/GrapheneOS/grapheneos.org/commit/329bc8fd62633e7bc18b584319ca744e28d8ce1c
https://github.com/GrapheneOS/grapheneos.org/commit/e57765c650cefa741888326ada2744599b1b4722
https://github.com/GrapheneOS/grapheneos.org/commit/511be885bf9cd421f606a8d07c130932b7a551d5
Post #ASUzAA7eKbscpgbMno by GrapheneOS@grapheneos.social
2023-02-09T09:28:09Z
0 likes, 1 repeats
This time around, they exhausted the overall connection limit and started causing dropped connections, essentially creating downtime. HTTP/2 streams use comparable resources to an HTTP/1.1 connection so nginx has to count each one as part of overall and per-IP connection limits.
Post #ASUzApRwg3Tb0VPed6 by GrapheneOS@grapheneos.social
2023-02-09T09:28:16Z
0 likes, 1 repeats
We could do further tuning to reduce resource usage per connection combined with greatly raising overall connection limit. Could further reduce concurrent streams and per-IP connection limits. We'd only want to disable HTTP/2 or use very aggressive limits/timeouts during attacks.
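An added illustration, not configuration taken from the GrapheneOS repositories, of the kind of nginx limits the posts above describe: fewer HTTP/2 streams per connection, a per-IP cap that counts streams, shorter timeouts and smaller buffers, shown next to the permissive settings they replace. All numeric values, the placeholder server name and the certificate paths are assumptions.

```nginx
# Added example, not the GrapheneOS project's own nginx.conf.
# Illustrative values only; tune to the real traffic profile.

events {
    # Overall ceiling per worker. nginx allocates a connection slot for
    # every HTTP/2 stream, so a stream flood drains this pool just as
    # many HTTP/1.1 connections would.
    worker_connections 4096;
}

http {
    # limit_conn counts each concurrent HTTP/2 request as a separate
    # connection, so this zone caps streams per client address, not
    # merely TCP connections.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;
    limit_conn_status 429;

    # Permissive settings a stream flood exploits (shown for contrast):
    # http2_max_concurrent_streams 128;   # nginx default
    # keepalive_timeout 75s;              # nginx default
    # (no limit_conn at all)

    # Tighter settings: fewer streams per TCP connection and a per-IP
    # ceiling on concurrent streams plus connections.
    http2_max_concurrent_streams 32;
    limit_conn per_ip 32;

    # Reclaim idle or deliberately slow connections sooner.
    keepalive_timeout 30s;
    client_header_timeout 10s;
    client_body_timeout 10s;
    send_timeout 10s;

    # Smaller per-connection buffers lower the memory each stream pins.
    client_header_buffer_size 1k;
    large_client_header_buffers 2 4k;
    client_body_buffer_size 8k;
    client_max_body_size 1m;

    server {
        listen 443 ssl http2;
        server_name example.invalid;                       # placeholder
        ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;
        ssl_certificate_key /etc/ssl/PLACEHOLDER/privkey.pem;
        root /var/www/html;
    }
}
```

Raising worker_connections while lowering the per-IP and per-connection limits is the combination the post above sketches: more total capacity, less of it obtainable by any single client.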
Post #ASUzBkvKzRr7GAbQrA by GrapheneOS@grapheneos.social
2023-02-09T09:28:27Z
0 likes, 1 repeats
Cloudflare could protect our websites from these attacks but isn't usable for our other services and our users wouldn't be happy about it due to privacy concerns. We're more concerned with other services than the websites so that's not really on the table as a solution anyway.
Post #ASUzCPLch8eIdHCzNg by GrapheneOS@grapheneos.social
2023-02-09T09:28:35Z
0 likes, 1 repeats
We could scale up server resources and add more servers but it'd be a very poor use of funds. Our services are already scaled up more than we need when not under attack. Only our update servers are ever overloaded with legitimate traffic and only during quarterly/yearly releases.
Post #ASUzDI0xRfnaB6xlJ2 by GrapheneOS@grapheneos.social
2023-02-09T09:28:43Z
1 likes, 1 repeats
There are other kinds of ongoing malicious attacks on GrapheneOS including harassment/threats/doxxing targeting our project members and coordinated misinformation being spread across platforms by groups of people using a mix of legitimate and sockpuppet accounts. It's quite bad.
Post #ASV0VPe1unMD0eRbIe by Digitaluntertauchen@social.tchncs.de
2023-02-09T09:43:05Z
0 likes, 0 repeats
@GrapheneOS I wonder what the criminals expect or want to achieve?
Post #ASVMcvtQc3OC2pdaym by pmurphs@linuxrocks.online
2023-02-09T13:50:47Z
0 likes, 0 repeats
@GrapheneOS How can users help support the OS team?
Post #ASVlIUNThawPln2dnc by GrapheneOS@grapheneos.social
2023-02-09T18:27:27Z
0 likes, 0 repeats
@lispi314 There's no auto-configuration. They're self-managed VPS and dedicated servers. OVH DDoS mitigation happens on their network before traffic arrives at your server. It detects DDoS and reroutes traffic for that server through their DDoS scrubbing system and firewall. It unfortunately isn't working very well for defending us from these attacks though.
Post #ASVlURSOO4A4Bc2Wps by GrapheneOS@grapheneos.social
2023-02-09T18:29:34Z
0 likes, 0 repeats
@lispi314 @Digitaluntertauchen We know that most of the attacks are from companies and other organizations selling phones they claim are private/secure but which do not hold up to scrutiny. They're attacking GrapheneOS because they see it as a major threat to their business or jobs. Some of these people are even part of a couple open source projects, although they aren't volunteers and notably do a lot of contract work that is being disrupted by what GrapheneOS is providing now and will provide.
Post #ASVlapaDbDiYkYkN0q by GrapheneOS@grapheneos.social
2023-02-09T18:30:44Z
0 likes, 0 repeats
@lispi314 @Digitaluntertauchen There are even people making products heavily based on GrapheneOS who are attacking us with misinformation. They sell products based on it but GrapheneOS being so easy to install via https://grapheneos.org/install/web makes it much harder for them to sell devices, and we're regularly adding new features which often obsolete what they implement in their proprietary forks or apps. They get very mad about this and other things.
Post #ASVljXFf7o8KVBHZwW by GrapheneOS@grapheneos.social
2023-02-09T18:32:20Z
0 likes, 0 repeats
@lispi314 We publish most of our server configurations in https://github.com/GrapheneOS/infrastructure and the server-specific repositories such as https://github.com/GrapheneOS/grapheneos.org for the main website, https://github.com/GrapheneOS/releases.grapheneos.org for the update servers and https://github.com/GrapheneOS/aapps.grapheneos.org for the app repository hosted on those update servers. There are more repositories for attestation.app (part of AttestationServer repository), grapheneos.social, discuss.grapheneos.org, mail.grapheneos.org, matrix.grapheneos.org and grapheneos.network.
Post #ASVlqWX0CYHiILj2aO by GrapheneOS@grapheneos.social
2023-02-09T18:33:36Z
0 likes, 0 repeats
@lispi314 We try to publish as much of the configuration as we can but in some cases we can't easily publish them such as the Matrix synapse configuration and matterbridge configuration where there are a bunch of secrets included in the configuration files. We could store those elsewhere and set up automatically including them in the configuration but we have much higher priorities than trying to publish closer to all of the configurations and scripts for our servers.
Post #ASVmTCjJkwzAAxvjhw by Digitaluntertauchen@social.tchncs.de
2023-02-09T18:40:34Z
0 likes, 0 repeats
@GrapheneOS @lispi314 is it again regarding CalyxOS? I think I remember there was something in the past.
Post #ASVmXtS0rZ3BpZ4WdU by Digitaluntertauchen@social.tchncs.de
2023-02-09T18:41:26Z
0 likes, 0 repeats
@GrapheneOS @lispi314 which proves me right donating to you :-) and not others. Keep up the good work
Post #ASXkg7SmpzHW0w9Gj2 by bartavi@mastodon.nl
2023-02-10T17:29:44Z
0 likes, 0 repeats
@GrapheneOS @lispi314 @Digitaluntertauchen What is your opinion on Nitrokey/Nitrophone in this regard? Are they OK? Do they behave well?
Post #ASY3Fnv0mQrkzsW34y by GrapheneOS@grapheneos.social
2023-02-10T20:58:05Z
0 likes, 0 repeats
@bartavi @lispi314 @Digitaluntertauchen They don't do anything negative but they aren't funding or contributing to GrapheneOS development at the moment. They may do that in the future.
Post #ASZ8r7BuugGUXesvGC by bartavi@mastodon.nl
2023-02-11T09:35:30Z
0 likes, 0 repeats
@GrapheneOS @lispi314 @Digitaluntertauchen Oh, that is interesting. So essentially, they ask an additional 300 bucks for a phone (Pixel 7: 600 -> 900), primarily to install GrapheneOS. I can only hope that it is worth it for non-technical users, or that they use the money to improve their other products.
Post #ASd4dFJqH6lWVlYxN2 by shipp@mastodon.coffee
2023-02-13T07:06:54Z
0 likes, 0 repeats
@GrapheneOS @bartavi @lispi314 @Digitaluntertauchen Would swapping Graphene to an AGPLv3 license help so that commercial usage would have to go back and support official GrapheneOS?
Post #AShMyMleLtmHV7d75M by GrapheneOS@grapheneos.social
2023-02-15T08:51:12Z
0 likes, 0 repeats
@shipp @bartavi @lispi314 @Digitaluntertauchen AGPLv3 permits commercial usage and won't help make the project sustainable. It would make it less sustainable by making it much less free and reducing contributions. We have been through this whole experience before. We're sticking to permissive licensing and GPLv2.