Pages:
Author

Topic: Moving to Cloudflare (Read 13652 times)

hero member
Activity: 504
Merit: 1065
Crypto Swap Exchange
February 27, 2024, 05:30:51 AM
#89
This topic is inactive for almost a year now, sorry to necrobump it  Roll Eyes

Just in case theymos missed the following message:

--snip--
I have however decided to use a residential proxy on top of my setup to access this forum from now. Hopefully theymos will consider some better alternative to Cloudflare within next years or at least could re-configure the current Cloudflare settings to facilitate access to users with complex Tor setups. We are also ready to provide technical assistance in Cloudflare-less DDoS protection setup if it's the case.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
April 27, 2023, 05:01:53 AM
#88
if it comes to protecting your personal data, then no matter what hosting you use, you risk trusting it to a third party anyway.
Trusting 2 third parties is always worse for privacy than trusting just one.
legendary
Activity: 2618
Merit: 1505
April 27, 2023, 04:09:42 AM
#87
As problematic as a solution like Cloudflare is, it's still probably the only serious option, even today. Anything else is a constant cat-and-mouse game. I've done a bit of fail2ban work to make my own anti-DDOS or psuedo-WAF and such, but any site under the threat of an arbitrary DDOS attack really only has Cloudflare (or other, worse options like Akamai, cloud, etc).

Cloudflare regularly posts reports on DDOS attacks, the latest for Q1 of this year https://blog.cloudflare.com/ddos-threat-report-2023-q1/  but if it comes to protecting your personal data, then no matter what hosting you use, you risk trusting it to a third party anyway.
donator
Activity: 1419
Merit: 1015
March 15, 2023, 12:44:16 AM
#86
As problematic as a solution like Cloudflare is, it's still probably the only serious option, even today. Anything else is a constant cat-and-mouse game. I've done a bit of fail2ban work to make my own anti-DDOS or psuedo-WAF and such, but any site under the threat of an arbitrary DDOS attack really only has Cloudflare (or other, worse options like Akamai, cloud, etc).
administrator
Activity: 5222
Merit: 13032
January 05, 2023, 04:09:41 PM
#85
Has anything changed on the topic of DDoS protection? Maybe new, better options? Cheaper, easier to set up?

Not really. I don't know of any better solution which wouldn't require a lot of manual work to keep it working.

Cloudflare actually isn't even very good at identifying bad traffic or delivering on several of its claimed features, but it offers two extremely valuable tools:
 1. It completely blocks even massive IP/UDP/TCP flooding without any thought on the end-user's part. My custom DDoS protection was also able to block these attacks, but it required a significant amount of sysadmin work.
 2. My custom protection failed against layer-7 attacks from 100k+ IPs. To handle these attacks, there needs to be some sort of proof-of-work/CAPTCHA challenge before the application starts making database queries and such. These challenges must exist on servers which will automatically scale to handle any number of requests, as needed. The challenge servers must have the HTTPS key in order to function. It would definitely be possible to do this without something like Cloudflare, and I've posted a general description of how it could be done, but both the coding and sysadmin work are more than I want to deal with.

Cost is a consideration, but not the primary one: I'd consider paying 10-30x more than Cloudflare's $250/mo, if this came with significant improvements. But as far as I know, you don't actually get much more by paying an "enterprise" DDoS protection company $5000/mo than you do by paying Cloudflare $250/mo, and in fact you often seem to get less.
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
January 05, 2023, 09:49:09 AM
#84
Maybe new, better options? Cheaper, easier to set up?
These three features are hard to co-exist in one tool usually.
I meant cheaper and easier to set up than the alternatives which existed in 2017. I don't think it's unlikely that the space has evolved since then and better alternatives exist today. (either entirely new ones or the ones theymos tried back when he wrote the original post, have evolved and fixed the issues he had during setup etc.)

I don't think price is the biggest issue for Bitcointalk, judging by the generous donations that have been made way back and HODL'ed so far.
full member
Activity: 1470
Merit: 108
January 05, 2023, 08:29:42 AM
#83
Maybe new, better options? Cheaper, easier to set up?
These three features are hard to co-exist in one tool usually.
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
January 05, 2023, 08:05:21 AM
#82
Has anything changed on the topic of DDoS protection? Maybe new, better options? Cheaper, easier to set up?
I remember a while back when Cloudflare was having issues, what felt like half of the internet was inaccessible for a period of time.

Regardless of conspiracy theories about who is behind this company, for the sake of the stability, reliability and decentralization of the internet, I believe that Cloudflare usage should be reduced if possible. It's just such a big single point of failure.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 15, 2019, 03:41:57 AM
#81
I tried to post my Code and received a "Sorry you have been blocked" error message from Cloudflare saying that I was blocked, possibly for posting a SQL command, certain word, or malformed command.

I guess code can no longer be posted here?
See theymos' post:
That "blocked" page is almost always a Cloudflare WAF false positive related to some data you submitted.
Just PM theymos, he can fix this.

There are 2 lines in your code that trigger it:
Quote from: edited from PrimeNumber7's code
delete_link = delete_link.split('href="')[1].split('" onclick=')[0]  
onclick='

delete_link = page_posts[post].find('a', onclick="return confirm('Remove this message?');")
onclick=confirm()
For both lines, I've isolated the problem to a smaller code (in bold) by removing code that doesn't trigger it. I used Teletype-tags on 1 character to be able to post this.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
December 15, 2019, 02:21:33 AM
#80
I tried to post my Code and received a "Sorry you have been blocked" error message from Cloudflare saying that I was blocked, possibly for posting a SQL command, certain word, or malformed command.

I guess code can no longer be posted here?
jr. member
Activity: 126
Merit: 1
April 08, 2018, 02:37:47 AM
#79
With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using using Cloudflare to protect against DDoS attacks. This change is in progress, and will take ~24 hours for everyone to see.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, but my homebrew DDoS mitigation has been one of my biggest time sinks for the last 6 months or so, and the necessary servers are still pretty expensive. If I had more manpower, then I would prioritize maintaining our own DDoS protection, but with me as the only sysadmin and current-software developer, it's become unsustainable.

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. I considered several alternatives to Cloudflare, but the smaller ones (eg. Stackpath and OVH) didn't strike me as reputable/competent enough, and the enterprise-targeted ones like Incapsula and Akamai are around $3500/month. Even though $3500/month seems absolutely ridiculous to me, I was seriously considering Incapsula due to its pretty good reputation, but then they were having all sorts of technical issues while I was trying to set it up. So I gave up for now and went with Cloudflare.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.

Dear admin, cloud protection from CloudFlare is a bad idea. And yes, the CloudFlare is cooperating. CloudFlare falls with jsbypass very easily.
You need an individual cluster, it will disperse the attack and thus ddos will not be felt. Write to me in PM, we have a big team is engaged in this just.

And consider the important point: your real ip should not fall into the wrong hands. Many ill-wishers will be recognized through mail (password recovery) or through a sniffer.

And in general, there is an expert on attacks, his name is Agata, he has been dealing with attacks for a long time, everybody knows him.
https://forum.zloy.bz/showthread.php?t=130510
sr. member
Activity: 602
Merit: 327
Politeness: 1227: - 0 / +1
April 07, 2018, 11:55:23 PM
#78
Snip
Its already fixed. Sir theymos said it just killed the connection when Cloudfare's strict TLS enforcement was enabled, that caused the downtime earlier.
Check here https://bitcointalksearch.org/topic/tls-error-3279125
member
Activity: 732
Merit: 18
New exchange generation
April 07, 2018, 11:44:55 PM
#77
Came here to see if such was the case and if so would you admit it. Class! Now go back outside and play in the snow.  Tongue Tongue Tongue
Same here, I checked out this thread having thoughts that it was a server down again. But there's no too much update, I thought newbies will flood the Meta section with earlier problem of the Forum but it seems like they are behave this time. Seeing "Error 526" in my browser gave me a little nervous and a bit happiness. A little bit happiness because I saw my own number in the error which is "526".
By the way Teacher, I'm going out to make a snow man for a while. I'll be back in the chemistry class.  Tongue
the cloudflare stopped for a long time. I'm a little worried  Cry . the good thing is that it has already activated again  Smiley
sr. member
Activity: 602
Merit: 327
Politeness: 1227: - 0 / +1
April 07, 2018, 10:58:07 PM
#76
Came here to see if such was the case and if so would you admit it. Class! Now go back outside and play in the snow.  Tongue Tongue Tongue
Same here, I checked out this thread having thoughts that it was a server down again. But there's no too much update, I thought newbies will flood the Meta section with earlier problem of the Forum but it seems like they are behave this time. Seeing "Error 526" in my browser gave me a little nervous and a bit happiness. A little bit happiness because I saw my own number in the error which is "526".
By the way Teacher, I'm going out to make a snow man for a while. I'll be back in the chemistry class.  Tongue
vip
Activity: 1428
Merit: 1145
April 07, 2018, 10:31:02 PM
#75
yeah Theymos

that wasn't working out so well this afternoon

The recent downtime was my screw-up, not Cloudflare's fault.

Came here to see if such was the case and if so would you admit it. Class! Now go back outside and play in the snow.  Tongue Tongue Tongue
legendary
Activity: 3374
Merit: 4738
diamond-handed zealot
April 07, 2018, 10:26:10 PM
#74
lol, right on

thanks for owning it, I was getting pretty jittery there
administrator
Activity: 5222
Merit: 13032
April 07, 2018, 10:24:26 PM
#73
yeah Theymos

that wasn't working out so well this afternoon

The recent downtime was my screw-up, not Cloudflare's fault.
legendary
Activity: 3374
Merit: 4738
diamond-handed zealot
April 07, 2018, 10:23:25 PM
#72
yeah Theymos

that wasn't working out so well this afternoon
legendary
Activity: 2912
Merit: 1060
March 21, 2018, 06:09:08 AM
#71
They attack you until you give in and move to Cloudflare, not much choice. Are you at least using that temporary ssl feature?
https://www.cloudflare.com/ssl/keyless-ssl/

Are you using https://origin-pull.cloudflare.com/
It helps enforce Cloudflare
member
Activity: 208
Merit: 84
🌐 www.btric.org 🌐
March 04, 2018, 03:06:14 PM
#70

Thanks for the suggestions, Ben.

Unfortunately, to the best of my knowledge, all of your suggestions would require action by theymos; there’s nothing there which I could do myself, as a workaround to obtain downloads right now.  If there’s a legitimate public means to find a direct IP address, I’d appreciate being corrected here.  But I rather suspect that theymos wishes to keep his real IP addresses unknown to DDoSers; and if I could find it, so could they.

...

Same here.  Specifically as to Cloudflare, in addition to how they sometimes cavity-search you with Javascript while still failing to keep the site reliably available, see e.g.:

...

My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet.  From the user end of things, I generally boycott Cloudflared sites insofar as practical.  But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:

Yes, you are absolutely right.  I don't know what I was thinking, the only way you could exclude from CloudFlare is with a subdomain.  Anything else would terminate SSL on their side, even if there's another SSL connection between CF and BCT.

I thought that potentially BCT's IP was known/listed somewhere since it was known by all of our DNS resolvers before CF came into the picture, but a quick Google search didn't turn up anything, so perhaps not.

I had no idea they were doing what I assume is some sort of browser fingerprinting with javascript.  That makes it even worse.  I remember reading last summer, in connection with some white supremacist website that was being shut down by hosters, CF, even the domain registrars, that CF made a claim that they provide service to some high percentage of all global web traffic.

I can't find the number now, and while I certainly am not supporting that website or that sort of hate, I also don't believe that an entity should have such a high percentage of control over internet traffic.  With very little exception, anytime there is high concentrations of power in the hands of a few, the power is abused.

Which of course 99.9% of the people reading this are well aware, considering we are on the Bitcoin Forum.

My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet.  From the user end of things, I generally boycott Cloudflared sites insofar as practical.  But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using using Cloudflare to protect against DDoS attacks. [...]

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, [...]

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. [...]

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

I agree with each of theymos's statements here.  The need for large sites to use one of just a few services that provide high-capacity DDoS mitigation is just another point of control.  I don't know if the "intelligence" agencies own Cloudflare or not (would not be surprised), but I'm betting they have a nice convenient backdoor regardless.

HTTPS as a centralized protocol will hopefully be obsoleted by better, decentralized ways of propagating HTML.  I look to IPFS as an interesting approach that may be part of that solution.  Also, considering that multicast in IPv6 might actually properly function instead of crap implementations from ISP to ISP, that could be a great way to save on needless duplicative packets for broadcast data (such as Bitcoin blocks, for example).

The cost that Protonmail incurs for independent DDoS mitigation is ridiculous.  It's almost a form of extortion.  Watch it turn out that these companies are behind the DDoS attacks themselves, nothing suprises me anymore as to the lengths that greedy people will go to.


Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!

That would mad, the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.

Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.

I don't support ICOs for everything under the sun, nor are distributed ledgers code that solve all problems of humanity.  Both of these things are tools that have proper uses and, unfortunately, many attempts at applying them well beyond their competencies.  If I had a spare 10 or 50 BTC I would certainly donate it to this forum because it has taught me so much over the years and remains one of the few gems that remains free from moderation for political reasons.  Despite many complaints I've read, I believe the new merit system will make big impacts on the number of crap posts and improve the fidelity of the forum.

Personally, I would never want this forum to be closed or behind a paywall of some sort.  I believe that community communication benefits all those that pursue truth.  When it comes to information, such as the discussion that takes place on this forum, everyone should be able to openly share their views.  This is a big part of the reason that the world is increasingly being seen as the huge corrupt racket that it is, and has been for many decades, even centuries.  We just couldn't share our findings with each other easily before.  Because we can now, we've been able to build off of each others knowledge, as a collective, that can be expanded upon.  This is the power of the Internet, the ability to communicate your message to the world instantly.  Next phase, to pull that corruption down and rebuild it with better, more fair and transparent constructs.  Bitcoin being the very first of those, and arguably the most impactful as it goes straight to the core of the corruption, the banksters.

Best regards,
Ben
Pages:
Jump to: