Author Topic: PLEASE disable Cloudflare on the forum  (Read 9976 times)



Offline bobmaloney

"The crows seemed to be calling his name, thought Caw."
- Jack Handey (SNL)

Offline karnal

  • Hero Member, 1068 posts
@xeroc @bitsapphire just spent FIFTEEN minutes between captcha loops and "Cannot contact reCAPTCHA. Check your connection and try again", captchas loading VERY slowly (happens frequently) to be able to access the forum.

I'm almost ready to give up at this point. This forum is the central point of contact with this community, and as someone concerned with being private, I'm being CENSORED from accessing the forum normally by this company CLOUDFLARE.

Offline karnal

  • Hero Member, 1068 posts
Unfortunately still no changes on this front. Lately I don't really visit the forum any longer due to this captcha bs.

Offline fav

  • Hero Member, 4278 posts, "No Pain, No Gain", BitShares: fav
cloudflare is pissing me off and I use a regular ISP. That thing occasionally bans IPs from my ISP for whatever reason (we do not have static IPs, so it's easy to catch one).

Offline karnal

  • Hero Member, 1068 posts
@bitsapphire saddened to see that weeks later this has not been addressed.

Meanwhile, the tension between Cloudflare and the Tor community has been increasing: https://blog.torproject.org/blog/trouble-cloudflare

Strongly recommend (quick read) https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf - as linked in the above blogpost.

Offline karnal

  • Hero Member, 1068 posts
The choice of CA is not so much related to using a reverse-proxy-style (mitm) service such as Cloudflare.

Of course, it's still important to choose a decent CA due to other reasons (quality of OCSP responders, for instance).


As for previous DDoS, do you remember what sort of DDoS it was? Except for the really overwhelming ones, they can be simple to thwart.

A 1Gbps (or more) connection helps, enabling TCP syncookies under load will kill all SYN flood attacks, and a decently configured firewall that drops unnecessary probes and responses to closed ports is also necessary.

You can also rate-limit at the firewall how many new connections over a period of time a single ip can make.
Putting up a high-quality load balancer (even if it's just one backend server (the forum) behind it) such as HAProxy in front of the webserver can also significantly help in a DDoS scenario -- and just in general -- by doing protocol-level checks, adding security rules, and most importantly in this case, gaining the ability to queue incoming connections (rather than just dropping them) so that the backend webserver(s) never have to deal with more than they can eat.

If you want to go REALLY hardcore, then use varnish in front of the webserver and cache the dynamic content on the forum (some VCL mastery needed to make sure the cache is invalidated in a timely/correct manner), such that the webserver doesn't even see most of the requests since they are served static from varnish.

My point is, there is a LOT one can do to mitigate a DDoS attack and force the attacker to really throw several gbit/s at you rather than relying on simpler-to-execute DDoS techniques (and at that point, if you can detect a pattern in the DDoS, getting in touch with the provider and blocking these traffic patterns will help in a pretty good portion of cases!). The hardware investment, unless you want to start doing DNS round-robin load balancing and having backend webservers in multiple datacenters with a replicated database also in multiple locations, is negligible.

So, a good relationship with the upstream provider helps. Many times in the past, for me, it was a matter of calling the datacenter, giving them a list of IP ranges, or a range of UDP ports, or whatever pattern could be detected in the DDoS, and ask them to temporarily block traffic upstream. Most of the time that immediately brought the customers' site back online.



edit: Aware of letsencrypt, but haven't played with it yet. Good initiative. Cursory rtfm seems to indicate the official client requires root to run, which I would say is an unacceptable thing on a production server (for the purpose of generating/updating ssl certs). There seems to be a -nosudo variant around on github; anyway, I would recommend not running it as root on the production machine.
« Last Edit: March 12, 2016, 03:14:34 pm by karnal »
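The baseline karnal sketches above (syncookies under load, a default-drop firewall, per-IP rate limits on new connections, and an HAProxy layer that queues rather than drops) as one script. This is an added example, not karnal's or the forum's actual configuration: it assumes a Linux host with sysctl, nftables and HAProxy, and the ports, thresholds, backend address and certificate path are all assumptions to be tuned from real traffic. `show` and `check` need no root; only `apply` does.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Linux, nftables,
# HAProxy; ports 80/443/22; thresholds sized for a small forum host.
# Usage: ./ddos_baseline.sh show | check | apply   (apply must run as root)

NEW_CONN_RATE="20/second"   # new TCP connections per source IP (assumed)
NEW_CONN_BURST="40"         # burst allowance before the limiter bites (assumed)
MAX_CONN_PER_IP="50"        # concurrent tracked connections per source IP (assumed)
SYN_BACKLOG="4096"          # SYN backlog; syncookies take over when it fills

# Kernel side: syncookies only engage when the backlog overflows, so a large
# backlog plus fewer SYN-ACK retries keeps half-open entries from piling up.
sysctl_settings() {
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = ${SYN_BACKLOG}
net.ipv4.tcp_synack_retries = 2
net.core.somaxconn = ${SYN_BACKLOG}
EOF
}

# Firewall side: default-drop policy (closed-port probes get no answer), a
# manually fed block set for the "call the upstream with IP ranges" case,
# a per-source rate limit on NEW connections and a per-source concurrency cap.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    set ipv4_blocked { type ipv4_addr; flags interval; }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @ipv4_blocked drop
        tcp dport { 80, 443 } ct state new meter new_per_ip { ip saddr limit rate over ${NEW_CONN_RATE} burst ${NEW_CONN_BURST} packets } drop
        tcp dport { 80, 443 } ct state new meter conn_per_ip { ip saddr ct count over ${MAX_CONN_PER_IP} } drop
        tcp dport { 80, 443 } accept
        tcp dport 22 accept
    }
}
EOF
}

# Proxy side: the backend "maxconn 200" is the queueing knob. HAProxy holds
# connections above it in its own queue (up to "timeout queue") instead of
# handing them to the forum, so the webserver never sees more than it can eat.
haproxy_fragment() {
    cat <<EOF
frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/forum.pem
    maxconn 4000
    default_backend be_forum

backend be_forum
    timeout queue 10s
    server forum1 127.0.0.1:8080 maxconn 200 check
EOF
}

check_ruleset() {
    nft_ruleset | nft -c -f -      # parse-only, no changes made
}

apply_all() {
    sysctl_settings | while IFS= read -r line; do
        sysctl -w "$(printf '%s' "$line" | tr -d ' ')"
    done
    nft_ruleset | nft -f -
}

case "${1:-show}" in
    show)  sysctl_settings; echo; nft_ruleset; echo; haproxy_fragment ;;
    check) check_ruleset ;;
    apply) apply_all ;;
    *)     echo "usage: $0 show|check|apply" >&2; exit 2 ;;
esac
```

The per-IP limits are deliberately per-source, so they do nothing against a spread-out botnet; for that case the script keeps the `ipv4_blocked` set so ranges identified in the traffic pattern can be dropped at the edge (or, as the post says, handed to the upstream provider) without touching the rest of the ruleset.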

Offline bitsapphire

We're going to change the certificate provider. Totally agree with you @karnal . Just so you know why we didn't change it so far:
- Other SSL providers made the mobile app randomly drop the connection (still don't know why)
- We had 2 ddos attacks in the past, since we have Cloudflare that hasn't happened anymore.

We're currently testing "Let's Encrypt" because they are the only ones we know that won't sell user data. We still need a ddos solution, if anybody has any idea, we're open to hearing it.
Register and get your personal Moonstone Wallet Beta here: https://moonstone.io/login-register.html

Offline xeroc

  • Board Moderator, Hero Member, 12922 posts, ChainSquad GmbH, BitShares: xeroc, GitHub: xeroc
I can't do anything about it. This domain is under bitsapphire's control.

Offline karnal

  • Hero Member, 1068 posts
Eerily timely.. http://betanews.com/2016/02/27/tor-dark-web-surveillance/

And yes @cass, piwik is the good stuff. We should use it here. Nothing but good things to say about it, other than still not supporting postgresql.

And on a more general note, very happy to see the positive impact the thread appears to have had. Thanks @xeroc for trying to contact the right people. Thanks to everyone for participating.

Offline cass

  • Hero Member, 4311 posts, /(┬.┬)\
█║▌║║█  - - -  The quieter you become, the more you are able to hear  - - -  █║▌║║█

Offline btstip

  • Hero Member, 644 posts, BitShares: btstip-io
Hey Tuck Fheman, here are the results of your tips...
  • karnal: has been credited 1 GREATIDEA
  • karnal: has been credited 5 PERCENT
Curious about ShareBits? Visit us at http://sharebits.io and start tipping BTS on https://bitsharestalk.org/ today!
Created by hybridd