Topic: Moving to Cloudflare - page 2. (Read 13649 times)

copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
March 04, 2018, 12:57:32 PM
#69

Through Tor—and this is not the first time I’ve had this problem:

[...403 error...]

For the downloads problem, if the downloads do not require you to be logged in, accessing the BCT server by its direct IP address and/or a DNS record that resolves to the IP should make it accessible, provided BCT hasn't blacklisted all non-CF IPs.

For the website issue, how about 2FA, that could help the situation?  As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

You could also make a login URL that is not routed through CF.  I don't know how much hacking of SMF it would take to implement that.  Actually, cloudflare might have a way to direct certain URLs to directly point to the backend (BCT) servers.  I haven't messed with them in a while, since before they started doing their shared SSL service, so I'm not positive about this.

On the other hand, this might not address the problem that putting in a CDN was designed to prevent.  If the DDOS attacks were directed to the login URL it would then be vulnerable again.

Thanks for the suggestions, Ben.

Unfortunately, to the best of my knowledge, all of your suggestions would require action by theymos; there’s nothing there which I could do myself, as a workaround to obtain downloads right now.  If there’s a legitimate public means to find a direct IP address, I’d appreciate being corrected here.  But I rather suspect that theymos wishes to keep his real IP addresses unknown to DDoSers; and if I could find it, so could they.

I have an inherent distrust of infrastructure services that I don't control, which is why I try to avoid CDNs.  However, I have no website with as much traffic as BCT, so have never had to deal with that situation.

Same here.  Specifically as to Cloudflare, in addition to how they sometimes cavity-search you with Javascript while still failing to keep the site reliably available, see e.g.:

https://trac.torproject.org/24351

As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

Cloudflare intercepts all traffic (and modifies at least HTTP response headers), as a matter of course!

My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet.  From the user end of things, I generally boycott Cloudflared sites insofar as practical.  But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using Cloudflare to protect against DDoS attacks. [...]

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, [...]

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. [...]

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

To get a gauge on what independent, no-MITM DDoS protection can require for a(n extremely) high-profile target, I found Protonmail’s experience interesting:

https://protonmail.com/blog/ddos-protection-guide/

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.

How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?

Though I would be concerned about the affordability of an ongoing subscription, an official .onion proxy would solve many problems.  I may even offer to help with such a project, depending on what would be required of me.  See my reply to ChipMixer upthread.


Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!

That would be mad, the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.

Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.

And congratulations, Phash2k reinvented Steem.  This sort of nonsense reminds me of one of the earliest posts to which I awarded merit.  It spoke of how DHTs...

...get invoked in ignorance to every distributed systems problem because they're the first distributed systems tool people have heard of (sadly, "blockchain" seems to be stealing this role), much as "neural network" has infested lay understanding of machine learning, or perhaps in other times "XML" was treated as a magical solution for inter-working serialization in places where it made little sense.

No, the problem will not be fixed by sprinkling some magical blockchain pixie dust on it.
member
Activity: 140
Merit: 10
Merit me or don't.
March 04, 2018, 12:08:22 PM
#68
Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!

That would be mad, the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.

Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.
member
Activity: 208
Merit: 84
🌐 www.btric.org 🌐
March 04, 2018, 12:04:40 PM
#67
Quoting from another thread:

Here you go: https://bitcointalk.org/merit.txt.xz

Similar to trust.txt.xz, it'll be updated weekly. It will show only the last 120 days of data; someone else should archive the old ones if you want them.

Through Tor—and this is not the first time I’ve had this problem:

Code:
$ wget -S https://bitcointalk.org/merit.txt.xz
--2018-03-04 14:59:20--  https://bitcointalk.org/merit.txt.xz
Resolving bitcointalk.org (bitcointalk.org)... 104.20.208.69
Connecting to bitcointalk.org (bitcointalk.org)|104.20.208.69|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 403 Forbidden
  Date: Sun, 04 Mar 2018 14:59:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: __cfduid=d96a5721469bb369ae9866953b833f0d91520175581; expires=Mon, 04-Mar-19 14:59:41 GMT; path=/; domain=.bitcointalk.org; HttpOnly; Secure
  CF-Chl-Bypass: 1
  Cache-Control: max-age=2
  Expires: Sun, 04 Mar 2018 14:59:43 GMT
  X-Frame-Options: SAMEORIGIN
  Strict-Transport-Security: max-age=2592000
  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  Server: cloudflare
  CF-RAY: 3f65354a2c56729b-AMS
2018-03-04 14:59:23 ERROR 403: Forbidden.

I have had the same problem with PGP keys and the trust database.  Even right-clicking to save images from within a browsing session oft (inconsistently) results in a Cloudflare 403 HTML file, apparently due to some weird quirks in how Tor Browser interacts with Cloudflare’s control-freakiness.

I request a workaround or solution for this general problem.  (Note: “VPN” is a non-answer.)

For the downloads problem, if the downloads do not require you to be logged in, accessing the BCT server by its direct IP address and/or a DNS record that resolves to the IP should make it accessible, provided BCT hasn't blacklisted all non-CF IPs.

For the website issue, how about 2FA, that could help the situation?  As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

You could also make a login URL that is not routed through CF.  I don't know how much hacking of SMF it would take to implement that.  Actually, cloudflare might have a way to direct certain URLs to directly point to the backend (BCT) servers.  I haven't messed with them in a while, since before they started doing their shared SSL service, so I'm not positive about this.

On the other hand, this might not address the problem that putting in a CDN was designed to prevent.  If the DDOS attacks were directed to the login URL it would then be vulnerable again.

I have an inherent distrust of infrastructure services that I don't control, which is why I try to avoid CDNs.  However, I have no website with as much traffic as BCT, so have never had to deal with that situation.

Best regards,
Ben
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
March 04, 2018, 10:14:59 AM
#66
Quoting from another thread:

Here you go: https://bitcointalk.org/merit.txt.xz

Similar to trust.txt.xz, it'll be updated weekly. It will show only the last 120 days of data; someone else should archive the old ones if you want them.

Through Tor—and this is not the first time I’ve had this problem:

Code:
$ wget -S https://bitcointalk.org/merit.txt.xz
--2018-03-04 14:59:20--  https://bitcointalk.org/merit.txt.xz
Resolving bitcointalk.org (bitcointalk.org)... 104.20.208.69
Connecting to bitcointalk.org (bitcointalk.org)|104.20.208.69|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 403 Forbidden
  Date: Sun, 04 Mar 2018 14:59:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: __cfduid=d96a5721469bb369ae9866953b833f0d91520175581; expires=Mon, 04-Mar-19 14:59:41 GMT; path=/; domain=.bitcointalk.org; HttpOnly; Secure
  CF-Chl-Bypass: 1
  Cache-Control: max-age=2
  Expires: Sun, 04 Mar 2018 14:59:43 GMT
  X-Frame-Options: SAMEORIGIN
  Strict-Transport-Security: max-age=2592000
  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  Server: cloudflare
  CF-RAY: 3f65354a2c56729b-AMS
2018-03-04 14:59:23 ERROR 403: Forbidden.

I have had the same problem with PGP keys and the trust database.  Even right-clicking to save images from within a browsing session oft (inconsistently) results in a Cloudflare 403 HTML file, apparently due to some weird quirks in how Tor Browser interacts with Cloudflare’s control-freakiness.

I request a workaround or solution for this general problem.  (Note: “VPN” is a non-answer.)
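The wget -S transcript above shows the headers that tell a Cloudflare edge response apart from one served by the origin: Server: cloudflare, a CF-RAY id, and, on the 403 page, CF-Chl-Bypass. The following is an added example, not code from the thread, from the forum or from Cloudflare: a small parser that reads such a header dump and labels it, so a script fetching merit.txt.xz or trust.txt.xz can tell a challenge page from the file it wanted. The sample dumps are constructed (modelled on the transcript, cookie value replaced by a placeholder), and the only header semantics assumed are the ones visible in the transcript itself.

```python
import re

# Constructed sample modelled on the wget -S transcript quoted in the thread
# (cookie value shortened to a placeholder).
SAMPLE_CHALLENGE = """\
  HTTP/1.1 403 Forbidden
  Date: Sun, 04 Mar 2018 14:59:41 GMT
  Content-Type: text/html; charset=UTF-8
  Set-Cookie: __cfduid=PLACEHOLDER; expires=Mon, 04-Mar-19 14:59:41 GMT; path=/; domain=.bitcointalk.org; HttpOnly; Secure
  CF-Chl-Bypass: 1
  Cache-Control: max-age=2
  Server: cloudflare
  CF-RAY: 3f65354a2c56729b-AMS
"""

# Constructed: what an origin server answering directly might send back.
SAMPLE_ORIGIN = """\
  HTTP/1.1 200 OK
  Content-Type: application/x-xz
  Content-Length: 123456
  Server: nginx
"""

# Constructed: a redirect chain through the edge; only the final hop counts.
SAMPLE_REDIRECT = """\
  HTTP/1.1 301 Moved Permanently
  Location: https://example.invalid/merit.txt.xz
  Server: cloudflare
  CF-RAY: 0000000000000000-AMS
  HTTP/1.1 200 OK
  Content-Type: application/x-xz
  Server: cloudflare
  CF-RAY: 1111111111111111-AMS
"""

STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b")


def parse_headers(dump):
    """Parse a wget -S transcript into (status, headers) for the final response.

    wget indents the server's lines with spaces, so unindented progress lines
    ('Resolving ...', 'ERROR 403: ...') are skipped.  Each status line starts a
    fresh response, so a redirect chain yields its last hop.  Header names are
    lower-cased; a repeated header keeps its last value.
    """
    status, headers = None, {}
    for raw in dump.splitlines():
        if not raw.startswith((" ", "\t")):
            continue
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            status, headers = int(m.group(1)), {}
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(dump):
    """Label a response from its headers.

    'origin'               no edge markers at all
    'cloudflare-challenge' 403 carrying CF-Chl-Bypass, as in the thread
    'cloudflare-403'       edge refused without the challenge marker
    'cloudflare-ok'        edge passed the request through
    """
    status, h = parse_headers(dump)
    if status is None:
        raise ValueError("no HTTP status line found in dump")
    via_edge = h.get("server", "").lower() == "cloudflare" or "cf-ray" in h
    if not via_edge:
        return "origin"
    if status == 403 and "cf-chl-bypass" in h:
        return "cloudflare-challenge"
    if status == 403:
        return "cloudflare-403"
    return "cloudflare-ok"


if __name__ == "__main__":
    for name, dump in (("challenge", SAMPLE_CHALLENGE),
                       ("origin", SAMPLE_ORIGIN),
                       ("redirect", SAMPLE_REDIRECT)):
        print(f"{name}: {classify(dump)}")
```

In practice the whole `wget -S ... 2>&1` output can be fed to `classify()` unchanged, since the parser keeps only the indented header lines; a download script can then retry later or fall back to a mirror when it sees `cloudflare-challenge` instead of silently saving the 403 HTML page as if it were the archive.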
hero member
Activity: 1308
Merit: 508
January 25, 2018, 04:31:53 PM
#65

What I meant is that Cloudflare can see your unencrypted password when you log in.


How dumb can someone be?

I will not use this forum anymore because of that.

Bye
full member
Activity: 532
Merit: 102
January 03, 2018, 05:25:40 AM
#64
Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!
sr. member
Activity: 532
Merit: 297
January 03, 2018, 03:55:23 AM
#63
what about a solution like Protonmail using it?
https://protonmail.com/blog/ddos-protection-guide/

Radware’s technology does not require our SSL keys to operate effectively, meaning both layers of encryption that ProtonMail offers (SSL and OpenPGP) can be kept intact. Thus, there is no compromise in the privacy of our secure email service.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
January 02, 2018, 10:42:36 PM
#62
[Edit again:  Raize, that was the post of the thread.  I’d intended to reply before, to simply say:  Well said.]

This blocked a post.  I will try again, and edit if it’s still blocked.

Edit:  This is persistently blocking a particular post.  It is a very long post, which I spent much time writing in a text editor.  It contains a modest snippet of C code in BBcode code tags.  Other than that, I cannot imagine what trigger this is hitting.

donator
Activity: 1419
Merit: 1015
December 14, 2017, 03:33:09 PM
#61
I assume some of those attacks come through Tor and VPN users.

This does happen, but it's a whole lot more rare in practice. In reality, most attacks come from thousands of compromised IPs [botnets] run by people or organizations looking to blackmail operators into paying a fee or doing something like giving up user data. It has long been rumored that these entities with blackmailing power are often state-run themselves, in order to bully providers into sharing their data with "a trusted anti-DDoS company" that the governments can force to give up plain-text info about their customers more easily. Why bother even trying to get an operative in a position to run the site when you can sniff all the data and who is writing what via an anti-DDoS provider?

Cloudflare regularly provides the US gov't data on its customers. I'm not sure I'd go so far as theymos and say they are basically CIA-run, but I do think they are forced to work with three-letter agencies all the time. If there are any people with principles that work for Cloudflare, it doesn't matter, they have to comply in order to keep their job, and I doubt they are allowed to talk about it even after they have left. Cloudflare itself might have state contracts, or do contracts for other DoD-like agencies and groups, all of which have the specific purpose of cataloging citizens for the government in clear violation of the fourth amendment and chilling the free speech guarantees of the first amendment.

I’ve oftentimes wondered how Cloudflare can afford to offer “free” DDoS protection.

For the same reason that OpenDNS sold to Cisco for a whopping $635 million. DoD contracts are phat loot and the CIA/NSA need the data routed in about who is doing what.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 13, 2017, 05:08:43 PM
#60
Well, it’s not only Cloudflare.  It’s that and/or something else:


Admins may e-mail me for details, if that would be useful.  (I doubt it; that’s all I saw.)  PM seems not so useful right now.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 13, 2017, 03:43:40 PM
#59
@theymos, this isn’t what you signed up for!  Not the downtime, and not the following—as seen through Tor.  Not changed by rotating circuits.  I can’t dump cookies, because I need to stay logged in; and once Cloudflare decided to demand from me an Internet cavity search, they locked me out of bitcointalk.org with a demand that I let them run their executable code on my machine.  I waited it out, and they eventually let me pass.


Cloudflare also repeatedly tried to Google-CAPTCHA me on their error pages.  No, thanks; I can do without seeing the holy secret errors.

This interrupted my repeated attempts to post the following.  (Anybody awaiting a reply from me elsewhere, please understand if it may be slow in coming.)



I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies.

it isn't working

Yeah, I'm not sure it even works very well because every other website that uses it seems to have a lot of downtime and cloudflare errors. There's seemingly no difference between when we had theymos' own version and it's been especially bad today. Barely been able to use the site at all, so not sure how effective the service really is if the forum is still going to be unusable.

I’ve oftentimes wondered how Cloudflare can afford to offer “free” DDoS protection.  Their product requires serious network bandwidth, hardware, sysadmin, and engineering.  Those cost money—lots of money.

Usually, “free” products which cost big money to offer can be explained with the aphorism, “You are not the customer; you are the product.”  That raises the question, who pays?

In practice, who pays? is isomorphic to the ancient idiom:  Cui bono?

“You are the product.”  Bitcointalk.org is now a product.  For whom?  And does the customer truly wish for Bitcointalk.org to succeed?

At that, does Cloudflare itself like customers who “especially dislike Cloudflare”?  One of the great benefits of dependence on “huge centralized anti-DDoS companies” is that you can’t bite the hand which feeds you—at least, not more than that hand will deign to tolerate.  Too bad.  Even if this is only some generalized Cloudflare failure, I doubt that theymos stands at the front of their support queue.

Connectivity has sucked all day. NSA must have finally implemented their traffic analyzer  Grin  Angry  Sad

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

Cloudflare is seriously flawed if your homemade DDoS protection works better than theirs.
legendary
Activity: 1789
Merit: 2535
Goonies never say die.
December 13, 2017, 01:34:54 PM
#58
Connectivity has sucked all day. NSA must have finally implemented their traffic analyzer  Grin  Angry  Sad

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

Cloudflare is seriously flawed if your homemade DDoS protection works better than theirs.
legendary
Activity: 2954
Merit: 3060
Join the world-leading crypto sportsbook NOW!
December 13, 2017, 12:25:59 PM
#57
Seemingly nothing at the moment.
legendary
Activity: 2142
Merit: 1065
✋(▀Ĺ̯ ▀-͠ )
December 13, 2017, 12:24:08 PM
#56
I can hardly connect to bitcointalk.org and read the topics without many errors / downtime.
Another DDOS attack?
What's the difference between having cloudflare and not?

Edit: more than 3 minutes to pass this post (and I think the same time to pass this edit). Agree totally with hilarious.
legendary
Activity: 2954
Merit: 3060
Join the world-leading crypto sportsbook NOW!
December 13, 2017, 12:22:29 PM
#55
it isn't working

Yeah, I'm not sure it even works very well because every other website that uses it seems to have a lot of downtime and cloudflare errors. There's seemingly no difference between when we had theymos' own version and it's been especially bad today. Barely been able to use the site at all, so not sure how effective the service really is if the forum is still going to be unusable.
legendary
Activity: 3318
Merit: 4606
diamond-handed zealot
December 13, 2017, 11:59:30 AM
#54
it isn't working
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 12, 2017, 02:57:54 PM
#53
can you (theymos) suppress the automated filtered ip.bitcointalk.org picture recreation ... if we are on cloudflare, now?

How is Cloudflare thus relevant?  The purpose of the image proxy is to “improve privacy and eliminate mixed content warnings”.  (I also speculate that it might filter some evil, though that’s only an idle guess.)  It has nothing to do with DDoS protection, other than needing it.



On a related note, I am now working to spearhead the development of a browser add-on to block Cloudflare.  Bitcointalk.org is discussed in Issue 4.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...
legendary
Activity: 1512
Merit: 1012
December 12, 2017, 08:12:08 AM
#52
can you (theymos) suppress the automated filtered ip.bitcointalk.org picture recreation ... if we are on cloudflare, now?

many pictures are not recreated now (on a popular thread: the Wall Observer).
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 11, 2017, 10:22:02 AM
#51
Hot off the presses, a Cloudflare-blocking browser add-on!  a.m.o. currently says it was last updated “an hour ago (Dec 11, 2017)”:

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

I have not yet examined the code.  Use at your own risk, pending review.

Referred by:

https://trac.torproject.org/projects/tor/ticket/24351#comment:25

Cheers to whomever did this.  “Cypherpunks write code.”
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
December 11, 2017, 08:37:09 AM
#50
A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet. 

There have been plenty of .onion sites that have been DDoS'ed over the years. I know that Silk Road had a decent number of DDoS issues, and Ulbricht apparently spent a decent amount of money fighting it. I am not sure if he implemented any of what you suggested though.

I was careful not to suggest that .onions be DDoS-proof.  Of course, they’re not.  But they do radically change the attack surface, largely for the better (at least against DDoS).

In practice, I would suppose that probably, the best means to deny access to a .onion would be to DDoS its introduction points.  Those have publicly known IP addresses; and I doubt many Tor node operators are prepared to handle even something so commonplace as an amplified flood of UDP packets in response to forged DNS requests.  The .onion will become available again as it changes introduction points; but meanwhile, users will have an awful time getting through.  I am not saying anything which is not already well-known and widely discussed amongst Tor devs.

On another note, I would not deem Ulbricht competent to admin the website for a hot-dog cart.  Let alone to run a site under a threat model far beyond my abilities, and likely beyond the capability of the Tor network.  He couldn’t even keep PHP (!) errors from spilling his servers’ guts.  I guess he must have been high on drugs.  I would not take any lessons from his experience, other than mining it for examples of what not to do.  Whereas .onions run by competent sysadmins have survived extreme DDoS attempts.