Post AYTwRInoeAFdd6ekBU by slink@fosstodon.org
(DIR) Post #AYSapWOlMBWKb57aSm by selea@social.linux.pizza
2023-08-06T16:58:42Z
0 likes, 2 repeats
Well, I've seen a lot of criticism against #cloudflare and the sites behind it.

Instead of blaming and shaming sites because they are using cloudflare, the discussion should instead be:
- what alternatives do we have?

Some people say, and I quote, "setup load balancers, and DDoS-mitigations".
I find that kind of "tips" extremely unconstructive. They really don't mean anything, apart from "look how smart I am on talking".

What REAL alternatives do we have?
(DIR) Post #AYSaubaLV2xA8Dxmka by downey@floss.social
2023-08-06T16:59:33Z
0 likes, 0 repeats
@selea #degrowth and #federation
(DIR) Post #AYSaxwiJOvJyWsHZPE by selea@social.linux.pizza
2023-08-06T17:00:04Z
0 likes, 0 repeats
How should we configure our webserver?
What IPS/IDS should I use? How should I configure it?
How do I buy and maintain DDoS-protection?
How do I serve media content to tens of thousands of users around the globe?
(DIR) Post #AYSb2afmm8QPcRJcS8 by feld@bikeshed.party
2023-08-06T17:00:40.032325Z
0 likes, 0 repeats
Nothing really. You either have the bandwidth and the WAF capability or you don't
(DIR) Post #AYSbDVrZ016jt125Im by giffengrabber@infosec.exchange
2023-08-06T17:03:02Z
0 likes, 0 repeats
@selea Good questions! This is an important discussion to have.
I don't have any good answers though! Looking forward to hear what people will suggest.
(DIR) Post #AYSbH1Cevvv5xHZUoK by selea@social.linux.pizza
2023-08-06T17:03:39Z
0 likes, 0 repeats
As someone who has worked with hosting for many many years, I can really confirm that there is nothing called "just do X".

Getting stuff secure, maintaining it and keeping up to date with threats, combined with making sure that the customer and users have a fast and pleasant experience, is not an easy task.
In fact, that is often a job for a whole IT department.

I doubt that those instances here on fedi have those resources.

So please, be constructive.
(DIR) Post #AYSbPRvjRm8ZAEfrXM by selea@social.linux.pizza
2023-08-06T17:05:12Z
0 likes, 0 repeats
@feld I agree. There is no alternative today.
(DIR) Post #AYSbPx3FjrZZgXQo40 by avrin@infosec.exchange
2023-08-06T17:05:15Z
0 likes, 0 repeats
@selea people saying setup load balancers and ddos mitigations annoy me even more because... cloudflare is doing that. No, I do not want to pay for and manage 5 different VPS' in different locations when they're likely to be running cloudflare behind the scenes anyways.
(DIR) Post #AYSbc3xtrMWQbPhdU8 by selea@social.linux.pizza
2023-08-06T17:07:28Z
0 likes, 0 repeats
@avrin Don't forget that DDoS-mitigation is really really REALLY hard.
Some people think that it is just to "push a button", but the truth is that there is always someone that is maintaining the filter and tweaking it, 24/7/365.
(DIR) Post #AYSc1pXw5hFzPdqSsC by martijn@ieji.de
2023-08-06T17:12:07Z
0 likes, 1 repeats
@selea but there are plenty of alternatives. In .nl hosters can call the collective hosting organisation and cheaply do DDoS washing. Then you have other companies. Then there is noc.org (who also have noc.social for mastodon).

People tend to 'just use cloudflare'. On the point of IDS/HIDS/NIDS etc, people usually have too little knowledge. But really just apt install fail2ban or crowdsec and you're already 1 step further than nothing.

There are options 🫢
(DIR) Post #AYSc9kfM7Tw4aq5p6e by avrin@infosec.exchange
2023-08-06T17:13:34Z
0 likes, 0 repeats
@selea you have to have some deep pockets to be able to actually deploy and maintain true ddos protection without leaning on a larger company like cloudflare. it's an entire industry one doesn't just "dip their toes in".
(DIR) Post #AYScV7d1wOMptKCAwC by selea@social.linux.pizza
2023-08-06T17:17:24Z
0 likes, 0 repeats
@martijn This is a great example of a post that is constructive and shows alternatives!
I did not know about noc.org, will note it down!
(DIR) Post #AYSccFJ7mz4bjaHWHA by martijn@ieji.de
2023-08-06T17:18:38Z
0 likes, 0 repeats
@selea great, I'm always scared I sound too harsh in 500 characters 🫢
(DIR) Post #AYScfbKkLvxcuqdkgK by joacim@mastodon.melin.org
2023-08-06T17:19:17Z
0 likes, 0 repeats
@selea Spending a boatload of money and time.
(DIR) Post #AYScwVPFdyGdSIo9Ca by selea@social.linux.pizza
2023-08-06T17:22:20Z
0 likes, 0 repeats
@joacim And sanity probably
(DIR) Post #AYSd1jcaDhRkzTXMxs by 1ll173r47@mastodon.online
2023-08-06T17:23:12Z
0 likes, 0 repeats
@selea The way I see it, it will come down to money. Even if something could be packaged up that could be deployed at multiple locations easily, (most) individual users will not pay for it. Cloudflare can subsidize their free tier and it’s a lead generation tool for them. Donations or Patreon-type services are tough when you have fixed overhead costs. Otherwise you are dependent on sponsors in which case you might as well just use Cloudflare.
(DIR) Post #AYSdQs7dkc1eay3Ag4 by selea@social.linux.pizza
2023-08-06T17:27:45Z
0 likes, 0 repeats
@avrin Oh yes, together with some highly skilled network engineers working around the clock that can quickly identify attacks and deploy mitigations against those.
An ISP here in Sweden buys hardware and software to mitigate ddos attacks; they cost 1 million dollars per unit.
And they are not even user friendly.
(DIR) Post #AYSe3QymbKdBhtIMKG by binaryphile@fosstodon.org
2023-08-06T17:34:50Z
0 likes, 0 repeats
@selea My limited knowledge: Highly qualified employees are the only option of which I'm aware, then the pockets to pay them and the technological costs they deem appropriate. Or contract with an organization that already does, like cloudflare.
That is to say I fully agree, the options are less than myriad.
(DIR) Post #AYSefOZK0oyDEbUGSO by Crudge@infosec.exchange
2023-08-06T17:41:41Z
0 likes, 0 repeats
@selea @deltatux It's hard to compete with a free offering like cloudflare and the AI models it had that have so much data coming in to learn attack patterns.
https://radar.cloudflare.com/reports/ddos-2023-q2
The level of skill and tuning required to emulate what they have makes them a necessary "evil"? #cloudflare
(DIR) Post #AYSfUmthJoKnSPWWXo by selea@social.linux.pizza
2023-08-06T17:50:59Z
0 likes, 0 repeats
@Crudge One person in the thread knew about noc.org - it is probably an alternative to even small sites and blogs @deltatux
(DIR) Post #AYSfmD53Dv8JaN8qBM by deltatux@infosec.town
2023-08-06T17:52:44.661Z
0 likes, 0 repeats
@selea@social.linux.pizza @Crudge@infosec.exchange Might not be a bad alternative, could be great for a small community. Though for a personal site, really depends on the person's budget as well, it is an additional $5/month vs. free. Could be a good option to give it a try regardless.
(DIR) Post #AYSfmDjSnfSXbi37Am by selea@social.linux.pizza
2023-08-06T17:54:04Z
0 likes, 0 repeats
@deltatux $5 is most likely a reasonable amount of money for many.
Apparently, noc.social is using it too @Crudge
(DIR) Post #AYSfmjOf4XpjoSYxBw by joacim@mastodon.melin.org
2023-08-06T17:54:13Z
0 likes, 0 repeats
@selea oh yes.
(DIR) Post #AYSoE5RQ1E4ZdPPKOu by gigantos@social.linux.pizza
2023-08-06T19:28:47Z
0 likes, 0 repeats
@selea I have wondered this myself when I once mentioned I used the free website hosting and got pushback.
The argument then was basically that you may be blocking people from accessing your site even though they should be able to.
But this also happens if you roll your own. A subnet previously used by attackers can easily lead to blocking the wrong thing later.
Also, the only reason I would be able to roll my own is if I got lucky and never was attacked.
(DIR) Post #AYSpytrD0P3dGvMBBA by zleap@qoto.org
2023-08-06T19:48:29Z
0 likes, 0 repeats
@selea I fully agree, we need alternatives that are fully funded, protected against patent or other such litigation so we can use them freely but also need to fund all of this.
(DIR) Post #AYSpzIvfmwU120db6m by martijn@ieji.de
2023-08-06T19:48:33Z
0 likes, 0 repeats
@selea @deltatux @Crudge one of the founders started Ossec and a few other cool projects. That's why I follow them. Small disclaimer I contributed translations back then 😂. Worth following @dcid while you're at it. But you've probably found them already
(DIR) Post #AYSr4r52LKPSLpED8y by selea@social.linux.pizza
2023-08-06T20:00:42Z
0 likes, 0 repeats
@martijn @deltatux @Crudge Yeah I've followed @dcid for a while :) seen his stuff on dnschecker.org and other sites, always cool stuff!
(DIR) Post #AYSztXrANK898EQEpU by slink@fosstodon.org
2023-08-06T21:39:32Z
0 likes, 1 repeats
@selea firstly, you have a very good point! i hope to have some answers, but also i feel like i need to make the problem even harder first:

as commonly set up, cf and other #cdn based "solutions" only work because current #ddos attacks are sufficiently dumb. if attackers were better informed, used a little more recon and directed attacks at the origin, they would be, in many cases, useless. we should consider ourselves lucky, and not much else.

regarding alternatives … 🧵
(DIR) Post #AYT6PzFydY6R6TscHg by CaptainDrewBoy@social.linux.pizza
2023-08-06T22:52:41Z
0 likes, 0 repeats
@selea I'm not a web developer though I just hate cloudflare.
DDoS mitigation is super hard but surely if you're large enough to be DDoSed you can build and scale your own solutions? idk
(DIR) Post #AYTwRI7HCKDvVAklsW by slink@fosstodon.org
2023-08-06T21:47:25Z
0 likes, 1 repeats
@selea we need to look at all network layers:
- layer3: "volumetric" attacks happen here (dns amplification etc). the only solution i know is to have enough bandwidth to blackhole traffic which you do not want, or buy this as a service. for the latter, the protection can only be complete if you fully hide your origin (tunnel endpoint), which mostly boils down to using someone else's ip and keeping it a secret.
🧵
(DIR) Post #AYTwRInoeAFdd6ekBU by slink@fosstodon.org
2023-08-06T21:55:18Z
0 likes, 1 repeats
@selea layer4 (syn flood, file descriptor exhaustion): mostly a non issue nowadays because ram is cheap enough.

tls: rate limiting works (eg with #haproxy ) or techniques along the #fail2ban idea: if an ip hits you too hard, filter it efficiently in the kernel.

http: here my best recommendations are all based around #varnishcache because i work on it, but alternatives do exist. i will focus on what i know to be most helpful. 🧵
(DIR) Post #AYTwRNWz4Al4ILos8u by slink@fosstodon.org
2023-08-06T22:03:37Z
0 likes, 1 repeats
@selea so http:
- cache everything you possibly can
- rate limit also on the http layer (vmod vsthrottle)
- filter allowed urls ("waf"), ideally by using well defined patterns (positive list) with vmod re2 or vmod re
- use signed urls, verification with vmod blob and vmod blobdigest

we do combine these techniques in practice, all i wrote are things we actually do in #opensource - except i only know commercial options for traffic sinkholes and would like to have better options
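The HTTP-layer controls slink lists in this post and the previous one (per-client rate limiting, a positive-list URL filter, signed URLs with verification at the edge), modelled in Python as an added example. This is not Varnish VCL and not code from the thread or from the vmods named above; the pattern list, the limits, the signing key, the sample client address and all function names are assumptions chosen for illustration. It generalises the post slightly by chaining the three checks into one request decision, cheapest check first.

```python
# Added example: a small Python model of the HTTP-layer checks described in the
# thread (rate limit per client, positive-list URL filter, HMAC-signed URLs).
# It is not Varnish VCL and not code from the thread; the patterns, limits,
# key and function names are assumptions chosen for illustration.
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Positive list ("waf"): only paths matching one of these anchored patterns are
# served; anything else is rejected before it reaches the origin. Constructed
# for this example.
ALLOWED_URL_PATTERNS = [
    re.compile(r"^/$"),
    re.compile(r"^/static/[\w.-]+$"),
    re.compile(r"^/media/\d+$"),
]


def url_allowed(path):
    """True if the request path matches an entry of the positive list."""
    return any(p.match(path) for p in ALLOWED_URL_PATTERNS)


class TokenBucket:
    """Per-key token bucket, the same idea as vsthrottle's is_denied(key, limit, period):
    each key may make `limit` requests per `period` seconds, refilled continuously."""

    def __init__(self, limit, period):
        self.limit = limit
        self.rate = limit / period  # tokens added per second
        self.buckets = {}  # key -> (tokens, last_seen)

    def is_denied(self, key, now):
        tokens, last = self.buckets.get(key, (self.limit, now))
        tokens = min(self.limit, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return True
        self.buckets[key] = (tokens - 1, now)
        return False


def _signing_message(path, expires):
    # The signed content binds the path to its expiry so neither can be changed.
    return f"{path}?expires={expires}".encode()


def sign_url(path, expires, key):
    """Issue a URL that is valid until the `expires` timestamp (seconds)."""
    sig = hmac.new(key, _signing_message(path, expires), hashlib.sha256).hexdigest()
    return f"{path}?expires={expires}&sig={sig}"


def verify_signed_url(url, key, now):
    """Accept only URLs whose HMAC matches and whose expiry is still in the future."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    expires = query.get("expires", [""])[0]
    sig = query.get("sig", [""])[0]
    if not expires.isdigit() or not sig:
        return False
    if int(expires) < now:
        return False
    expected = hmac.new(key, _signing_message(parsed.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(expected, sig)


def decide(client_ip, url, key, throttle, now):
    """Return the status the edge would answer: 429 (throttled), 403 (filtered), 200."""
    if throttle.is_denied(client_ip, now):  # cheapest check first
        return 429
    path = urlparse(url).path
    if not url_allowed(path):
        return 403
    if path.startswith("/media/") and not verify_signed_url(url, key, now):
        return 403
    return 200


if __name__ == "__main__":
    key = b"example-signing-key"  # constructed; a real key is long and random
    throttle = TokenBucket(limit=5, period=10.0)
    media = sign_url("/media/42", expires=2000, key=key)
    # Constructed sample requests from one client address (documentation range).
    for url in ("/", "/admin", media, "/media/42"):
        print(url, "->", decide("198.51.100.7", url, key, throttle, now=1000))
```

The order of checks matters for cost: the token bucket is a dictionary lookup and is applied before any parsing, the regex positive list runs next, and the HMAC is computed only for paths that require a signature. Rejected requests never reach the origin, which is the whole point of doing this at the cache layer.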
(DIR) Post #AYTzxPrcEDQ8evRE4O by selea@social.linux.pizza
2023-08-07T09:14:57Z
0 likes, 0 repeats
@sheogorath This has slipped past me! Thanks!
(DIR) Post #AYUYhvQgb4mIJwBteC by lightone@mastodon.xyz
2023-08-07T15:44:17Z
0 likes, 0 repeats
@selea Change begins when users start asking: "hey, what are my alternatives?" That's what Fedi taught me over the years.
I've heard something about https://serverius.net (https://serverius.net/qbine/the-european-cloudflare-alternative)
(DIR) Post #AYfCzBtOa2I23A0SO0 by oblak@nixnet.social
2023-08-12T18:32:28.290146Z
0 likes, 0 repeats
@gme @selea I have been using CF for free, also almost since day one. Matthew Prince and CF have done incredible work to make the internet more secure. Their captchas can be a pain, but no one is forced to use CF.
(DIR) Post #AYfCzCu8okTrBlMZBg by selea@social.linux.pizza
2023-08-12T19:02:36Z
0 likes, 0 repeats
@oblak Well, their captchas are so much of a pain that they sometimes prevent me from visiting a website.
No entity should handle so much traffic as CF does today. They have too much power. @gme
(DIR) Post #AYfEPTRg2cflyN8cAC by oblak@nixnet.social
2023-08-12T19:14:08.810165Z
0 likes, 0 repeats
@selea @gme To be fair, we only use their DNS service, with their proxies disabled.
Of course this means we don't enjoy their DDOS protection, but worst-case if we become a target, we can temporarily enable it.
In any case, like mentioned by others in the comments, there are many things you can do, and a multi layered defense is probably a good approach.
(DIR) Post #AYfEPUMkcQKIpNqC7k by selea@social.linux.pizza
2023-08-12T19:18:42Z
0 likes, 0 repeats
@oblak @gme They sure deliver a great product that works REALLY well, there is no denying to that!
(DIR) Post #AYfEdldLDORsR7PRLs by viktor@me.dm
2023-08-12T19:21:19Z
0 likes, 0 repeats
@selea Nothing comes close to CloudFlare's free plan, but there are plenty of options if you're willing to pay. This includes paying for server resources to run #FOSS.
- WAF: Virusdie, Naxsi, ModSecurity, CFS
- IDS: Wazuh, Snort
- CDN: Bunny
- SSL: Let's Encrypt
- DoS: Nginx/Apache configs, find server providers that include it (Hetzner)
- Storage: Backblaze B2

mod_pagespeed was the go-to optimization tool but it was archived by Apache foundation. Still usable for now.
(DIR) Post #AYuDjNg2iVCAQpIjlA by strypey@mastodon.nzoss.nz
2023-08-20T00:51:50Z
0 likes, 0 repeats
@selea
> One person in the thread knew about noc.org - it is probably an alternative to even small sites and blogs

There's also Deflect.ca, used by @pluralistic

This is a classic example of a collective action problem. Every small site needs some protection against DDoS etc, even when it's a totally innocent slashdotting. But none of them can afford to build their own. But by combining our efforts, we can replace the legit uses of CloudFlail.

@Crudge @deltatux
(DIR) Post #AYuDl4y5FP10zBY7xQ by strypey@mastodon.nzoss.nz
2023-08-20T00:51:50Z
0 likes, 0 repeats
@selea @Crudge @deltatux
(DIR) Post #AYuDvX7NRRTnBeshPM by strypey@mastodon.nzoss.nz
2023-08-20T00:54:02Z
0 likes, 0 repeats
The CloudFlail business model is a classic protection racket:

'That's a lovely website you have there. Very nice, very nice indeed. It would be a terrible shame if some nasty, ill-mannered gentlemen wandered up to your lovely website, and took a baseball bat to your homepage. Maybe gave the admins a bit of a roughing up in their personal accounts?'

(1/2)

@selea @pluralistic @Crudge @deltatux
(DIR) Post #AYuE41t4vSAyvvFDmq by strypey@mastodon.nzoss.nz
2023-08-20T00:55:33Z
0 likes, 0 repeats
'We really wouldn't want that to happen, would we boys. Not at all. But we could make sure that won't happen. We could watch out for our local neighbourhood website owners... for a very reasonable monthly fee. Just to cover our out-of-pocket expenses, of course...'

(2/2)

@selea @pluralistic @Crudge @deltatux