Topic: Moving to Cloudflare (Read 13649 times)

hero member
Activity: 504
Merit: 1065
Crypto Swap Exchange
February 27, 2024, 05:30:51 AM
#89
This topic has been inactive for almost a year now, sorry to necrobump it.

Just in case theymos missed the following message:

--snip--
I have however decided to use a residential proxy on top of my setup to access this forum from now. Hopefully theymos will consider some better alternative to Cloudflare within next years or at least could re-configure the current Cloudflare settings to facilitate access to users with complex Tor setups. We are also ready to provide technical assistance in Cloudflare-less DDoS protection setup if it's the case.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
April 27, 2023, 05:01:53 AM
#88
if it comes to protecting your personal data, then no matter what hosting you use, you risk trusting it to a third party anyway.
Trusting 2 third parties is always worse for privacy than trusting just one.
legendary
Activity: 2604
Merit: 1504
April 27, 2023, 04:09:42 AM
#87
As problematic as a solution like Cloudflare is, it's still probably the only serious option, even today. Anything else is a constant cat-and-mouse game. I've done a bit of fail2ban work to make my own anti-DDOS or pseudo-WAF and such, but any site under the threat of an arbitrary DDOS attack really only has Cloudflare (or other, worse options like Akamai, cloud, etc).

Cloudflare regularly posts reports on DDOS attacks; the latest, for Q1 of this year, is https://blog.cloudflare.com/ddos-threat-report-2023-q1/ . But if it comes to protecting your personal data, then no matter what hosting you use, you risk trusting it to a third party anyway.
donator
Activity: 1419
Merit: 1015
March 15, 2023, 12:44:16 AM
#86
As problematic as a solution like Cloudflare is, it's still probably the only serious option, even today. Anything else is a constant cat-and-mouse game. I've done a bit of fail2ban work to make my own anti-DDOS or pseudo-WAF and such, but any site under the threat of an arbitrary DDOS attack really only has Cloudflare (or other, worse options like Akamai, cloud, etc).
administrator
Activity: 5222
Merit: 13032
January 05, 2023, 04:09:41 PM
#85
Has anything changed on the topic of DDoS protection? Maybe new, better options? Cheaper, easier to set up?

Not really. I don't know of any better solution which wouldn't require a lot of manual work to keep it working.

Cloudflare actually isn't even very good at identifying bad traffic or delivering on several of its claimed features, but it offers two extremely valuable tools:
 1. It completely blocks even massive IP/UDP/TCP flooding without any thought on the end-user's part. My custom DDoS protection was also able to block these attacks, but it required a significant amount of sysadmin work.
 2. My custom protection failed against layer-7 attacks from 100k+ IPs. To handle these attacks, there needs to be some sort of proof-of-work/CAPTCHA challenge before the application starts making database queries and such. These challenges must exist on servers which will automatically scale to handle any number of requests, as needed. The challenge servers must have the HTTPS key in order to function. It would definitely be possible to do this without something like Cloudflare, and I've posted a general description of how it could be done, but both the coding and sysadmin work are more than I want to deal with.

Cost is a consideration, but not the primary one: I'd consider paying 10-30x more than Cloudflare's $250/mo, if this came with significant improvements. But as far as I know, you don't actually get much more by paying an "enterprise" DDoS protection company $5000/mo than you do by paying Cloudflare $250/mo, and in fact you often seem to get less.
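The challenge layer theymos describes, sketched as an added example (not the forum's code or Cloudflare's): a front-end challenge server issues an HMAC-signed proof-of-work puzzle that carries its own client binding and expiry, so any number of challenge servers holding the same secret can verify solutions with no shared state, which is what lets them scale out ahead of the application. The secret, difficulty, TTL and client address are constructed values.

```python
import hashlib
import hmac
import os
import time

# Constructed example values: every challenge server would share SECRET so that
# any of them can verify a token issued by any other without shared state.
SECRET = b"constructed-example-secret-rotate-in-production"
DIFFICULTY_BITS = 16          # leading zero bits required of the solution hash
TTL_SECONDS = 120             # how long a challenge stays solvable

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(client_ip: str, now=None) -> str:
    """Challenge server: hand out a token bound to the client IP and an expiry.
    Nothing is stored; the HMAC is what later proves the token is genuine."""
    now = time.time() if now is None else now
    payload = f"{client_ip}|{int(now) + TTL_SECONDS}|{os.urandom(8).hex()}"
    return f"{payload}|{_sign(payload)}"

def solve_challenge(challenge: str, max_iters: int = 1 << 24):
    """Client (browser JS in practice): brute-force a nonce whose hash has
    DIFFICULTY_BITS leading zeros. Cheap for one visitor, costly for 100k bots."""
    for nonce in range(max_iters):
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if _leading_zero_bits(digest) >= DIFFICULTY_BITS:
            return nonce
    return None

def verify_solution(challenge: str, nonce: int, client_ip: str, now=None) -> bool:
    """Challenge server, stateless: only a verified request is forwarded to the
    application, so unsolved floods never trigger database queries."""
    now = time.time() if now is None else now
    parts = challenge.split("|")
    if len(parts) != 4:
        return False
    ip, expiry, rand, sig = parts
    if not hmac.compare_digest(_sign(f"{ip}|{expiry}|{rand}"), sig):
        return False                      # forged or tampered token
    if ip != client_ip or int(expiry) < now:
        return False                      # replayed from another client, or expired
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    return _leading_zero_bits(digest) >= DIFFICULTY_BITS

if __name__ == "__main__":
    token = issue_challenge("203.0.113.7")            # constructed client address
    nonce = solve_challenge(token)
    print("solved with nonce", nonce, "->", verify_solution(token, nonce, "203.0.113.7"))
```

The HTTPS key requirement from the post follows from this design: the challenge server must terminate TLS to see the request and the solved nonce before deciding whether to forward it.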
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
January 05, 2023, 09:49:09 AM
#84
Maybe new, better options? Cheaper, easier to set up?
It's usually hard for these three features to co-exist in one tool.
I meant cheaper and easier to set up than the alternatives which existed in 2017. I don't think it's unlikely that the space has evolved since then and better alternatives exist today (either entirely new ones, or the ones theymos tried back when he wrote the original post have evolved and fixed the issues he had during setup, etc.).

I don't think price is the biggest issue for Bitcointalk, judging by the generous donations that have been made way back and HODL'ed so far.
full member
Activity: 1442
Merit: 108
January 05, 2023, 08:29:42 AM
#83
Maybe new, better options? Cheaper, easier to set up?
It's usually hard for these three features to co-exist in one tool.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
January 05, 2023, 08:05:21 AM
#82
Has anything changed on the topic of DDoS protection? Maybe new, better options? Cheaper, easier to set up?
I remember a while back when Cloudflare was having issues, what felt like half of the internet was inaccessible for a period of time.

Regardless of conspiracy theories about who is behind this company, for the sake of the stability, reliability and decentralization of the internet, I believe that Cloudflare usage should be reduced if possible. It's just such a big single point of failure.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 15, 2019, 03:41:57 AM
#81
I tried to post my code and received a "Sorry you have been blocked" error message from Cloudflare saying that I was blocked, possibly for posting a SQL command, certain word, or malformed command.

I guess code can no longer be posted here?
See theymos' post:
That "blocked" page is almost always a Cloudflare WAF false positive related to some data you submitted.
Just PM theymos, he can fix this.

There are 2 lines in your code that trigger it:
Quote from: edited from PrimeNumber7's code
delete_link = delete_link.split('href="')[1].split('" onclick=')[0]
triggering fragment: onclick='

delete_link = page_posts[post].find('a', onclick="return confirm('Remove this message?');")
triggering fragment: onclick=confirm()
For both lines, I've isolated the problem to a smaller piece of code (the triggering fragment) by removing code that doesn't trigger it. I used Teletype-tags on 1 character to be able to post this.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
December 15, 2019, 02:21:33 AM
#80
I tried to post my code and received a "Sorry you have been blocked" error message from Cloudflare saying that I was blocked, possibly for posting a SQL command, certain word, or malformed command.

I guess code can no longer be posted here?
jr. member
Activity: 126
Merit: 1
April 08, 2018, 02:37:47 AM
#79
With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using Cloudflare to protect against DDoS attacks. This change is in progress, and will take ~24 hours for everyone to see.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, but my homebrew DDoS mitigation has been one of my biggest time sinks for the last 6 months or so, and the necessary servers are still pretty expensive. If I had more manpower, then I would prioritize maintaining our own DDoS protection, but with me as the only sysadmin and current-software developer, it's become unsustainable.

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. I considered several alternatives to Cloudflare, but the smaller ones (eg. Stackpath and OVH) didn't strike me as reputable/competent enough, and the enterprise-targeted ones like Incapsula and Akamai are around $3500/month. Even though $3500/month seems absolutely ridiculous to me, I was seriously considering Incapsula due to its pretty good reputation, but then they were having all sorts of technical issues while I was trying to set it up. So I gave up for now and went with Cloudflare.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.

Dear admin, cloud protection from CloudFlare is a bad idea. And yes, CloudFlare is cooperating. CloudFlare falls with jsbypass very easily.
You need an individual cluster; it will disperse the attack and thus the DDoS will not be felt. Write to me in PM, we have a big team that is engaged in just this.

And consider the important point: your real IP should not fall into the wrong hands. Many ill-wishers will be recognized through mail (password recovery) or through a sniffer.

And in general, there is an expert on attacks, his name is Agata, he has been dealing with attacks for a long time, everybody knows him.
https://forum.zloy.bz/showthread.php?t=130510
sr. member
Activity: 602
Merit: 327
Politeness: 1227: - 0 / +1
April 07, 2018, 11:55:23 PM
#78
Snip
It's already fixed. Sir theymos said it just killed the connection when Cloudflare's strict TLS enforcement was enabled; that caused the downtime earlier.
Check here https://bitcointalksearch.org/topic/tls-error-3279125
member
Activity: 732
Merit: 18
New exchange generation
April 07, 2018, 11:44:55 PM
#77
Came here to see if such was the case and if so would you admit it. Class! Now go back outside and play in the snow.
Same here, I checked out this thread having thoughts that it was a server down again. But there's not too much of an update; I thought newbies would flood the Meta section with the earlier problem of the Forum, but it seems like they are behaving this time. Seeing "Error 526" in my browser made me a little nervous and a bit happy. A little bit happy because I saw my own number in the error, which is "526".
By the way Teacher, I'm going out to make a snow man for a while. I'll be back in the chemistry class.
Cloudflare stopped for a long time. I'm a little worried. The good thing is that it has already activated again.
sr. member
Activity: 602
Merit: 327
Politeness: 1227: - 0 / +1
April 07, 2018, 10:58:07 PM
#76
Came here to see if such was the case and if so would you admit it. Class! Now go back outside and play in the snow.
Same here, I checked out this thread having thoughts that it was a server down again. But there's not too much of an update; I thought newbies would flood the Meta section with the earlier problem of the Forum, but it seems like they are behaving this time. Seeing "Error 526" in my browser made me a little nervous and a bit happy. A little bit happy because I saw my own number in the error, which is "526".
By the way Teacher, I'm going out to make a snow man for a while. I'll be back in the chemistry class.
vip
Activity: 1428
Merit: 1145
April 07, 2018, 10:31:02 PM
#75
yeah Theymos

that wasn't working out so well this afternoon

The recent downtime was my screw-up, not Cloudflare's fault.

Came here to see if such was the case and if so would you admit it. Class! Now go back outside and play in the snow.
legendary
Activity: 3318
Merit: 4606
diamond-handed zealot
April 07, 2018, 10:26:10 PM
#74
lol, right on

thanks for owning it, I was getting pretty jittery there
administrator
Activity: 5222
Merit: 13032
April 07, 2018, 10:24:26 PM
#73
yeah Theymos

that wasn't working out so well this afternoon

The recent downtime was my screw-up, not Cloudflare's fault.
legendary
Activity: 3318
Merit: 4606
diamond-handed zealot
April 07, 2018, 10:23:25 PM
#72
yeah Theymos

that wasn't working out so well this afternoon
legendary
Activity: 2912
Merit: 1060
March 21, 2018, 06:09:08 AM
#71
They attack you until you give in and move to Cloudflare, not much choice. Are you at least using that temporary SSL feature?
https://www.cloudflare.com/ssl/keyless-ssl/

Are you using https://origin-pull.cloudflare.com/ ?
It helps enforce Cloudflare.
member
Activity: 208
Merit: 84
🌐 www.btric.org 🌐
March 04, 2018, 03:06:14 PM
#70

Thanks for the suggestions, Ben.

Unfortunately, to the best of my knowledge, all of your suggestions would require action by theymos; there’s nothing there which I could do myself, as a workaround to obtain downloads right now.  If there’s a legitimate public means to find a direct IP address, I’d appreciate being corrected here.  But I rather suspect that theymos wishes to keep his real IP addresses unknown to DDoSers; and if I could find it, so could they.

...

Same here.  Specifically as to Cloudflare, in addition to how they sometimes cavity-search you with Javascript while still failing to keep the site reliably available, see e.g.:

...

My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet.  From the user end of things, I generally boycott Cloudflared sites insofar as practical.  But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:

Yes, you are absolutely right.  I don't know what I was thinking, the only way you could exclude from CloudFlare is with a subdomain.  Anything else would terminate SSL on their side, even if there's another SSL connection between CF and BCT.

I thought that potentially BCT's IP was known/listed somewhere since it was known by all of our DNS resolvers before CF came into the picture, but a quick Google search didn't turn up anything, so perhaps not.

I had no idea they were doing what I assume is some sort of browser fingerprinting with javascript.  That makes it even worse.  I remember reading last summer, in connection with some white supremacist website that was being shut down by hosters, CF, even the domain registrars, that CF made a claim that they provide service to some high percentage of all global web traffic.

I can't find the number now, and while I certainly am not supporting that website or that sort of hate, I also don't believe that an entity should have such a high percentage of control over internet traffic.  With very little exception, anytime there are high concentrations of power in the hands of a few, the power is abused.

Of which, of course, 99.9% of the people reading this are well aware, considering we are on the Bitcoin Forum.

My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet.  From the user end of things, I generally boycott Cloudflared sites insofar as practical.  But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using Cloudflare to protect against DDoS attacks. [...]

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, [...]

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. [...]

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

I agree with each of theymos's statements here.  The need for large sites to use one of just a few services that provide high-capacity DDoS mitigation is just another point of control.  I don't know if the "intelligence" agencies own Cloudflare or not (would not be surprised), but I'm betting they have a nice convenient backdoor regardless.

HTTPS as a centralized protocol will hopefully be obsoleted by better, decentralized ways of propagating HTML.  I look to IPFS as an interesting approach that may be part of that solution.  Also, considering that multicast in IPv6 might actually properly function instead of crap implementations from ISP to ISP, that could be a great way to save on needless duplicative packets for broadcast data (such as Bitcoin blocks, for example).

The cost that Protonmail incurs for independent DDoS mitigation is ridiculous.  It's almost a form of extortion.  Watch it turn out that these companies are behind the DDoS attacks themselves; nothing surprises me anymore as to the lengths that greedy people will go to.


Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!

That would be mad, the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.

Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.

I don't support ICOs for everything under the sun, nor are distributed ledgers code that solves all the problems of humanity.  Both of these things are tools that have proper uses and, unfortunately, many attempts at applying them well beyond their competencies.  If I had a spare 10 or 50 BTC I would certainly donate it to this forum because it has taught me so much over the years and remains one of the few gems that remains free from moderation for political reasons.  Despite many complaints I've read, I believe the new merit system will make big impacts on the number of crap posts and improve the fidelity of the forum.

Personally, I would never want this forum to be closed or behind a paywall of some sort.  I believe that community communication benefits all those that pursue truth.  When it comes to information, such as the discussion that takes place on this forum, everyone should be able to openly share their views.  This is a big part of the reason that the world is increasingly being seen as the huge corrupt racket that it is, and has been for many decades, even centuries.  We just couldn't share our findings with each other easily before.  Because we can now, we've been able to build off of each other's knowledge, as a collective, that can be expanded upon.  This is the power of the Internet, the ability to communicate your message to the world instantly.  Next phase, to pull that corruption down and rebuild it with better, more fair and transparent constructs.  Bitcoin being the very first of those, and arguably the most impactful as it goes straight to the core of the corruption, the banksters.

Best regards,
Ben