Topic: Moving to Cloudflare - page 3. (Read 13580 times)

There have been plenty of .onion sites that have been DDoS'ed over the years. I know that Silk Road had a decent number of DDoS issues, and Ulbright apparently spent a decent amount of money fighting it. I am not sure if he implemented any of what you suggested though.

THIS.  Thank you.  A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet.  Connections to .onion have no access to a full network stack—only to streams through Tor’s circuit protocol, a custom stream transport layer.  No TCP handshake tricks, no amplified UDP floods to clog the pipes, etc.  I suppose theymos’ “homebrew” anti-DDoS had already stopped those.  But also, the capacity limitations and cell queuing mechanisms of the Tor network and its nodes provide some upper bounds on any type of DDoS which uses high bandwidth.  That leaves (1) specialized attacks against the Tor onion proxy, (2) DDoS against introduction points, and (3) any relatively moderate-/low-bandwidth application-layer attacks.  (“Relatively” compared to DDoS which uses tens or hundreds of gigabits per second.)

For (1), lock down that onion proxy tight and isolate it from the web backend—which you should do anyway.  At least it can’t take down the site itself, or affect reachability from clearnet.  Better still, use onionbalance with multiple onion proxies; that gives load-balancing and failover, and also permits isolating v2 .onion private keys from the machines handling visitor traffic.  (2) is really a Tor network issue, though maxing out your intro points with onionbalance will help.  For (3), well, as always—don’t run poorly designed software.  nginx is already robust against HTTP-level DDoS; I have no idea about the vulnerability profile of SMF, other than that it’s database-intensive forum software written in PHP.  I guess, start by disabling the search function through .onion...

I don’t see why a monthly paid subscription should be required.  If that was intended as an idea for .onion, it would effectually restrict .onion use to people who directly make money off the forum—signature campaigners, etc.  Instead, to prevent abuse, I’d suggest that full posting privileges through .onion be restricted to full Members or paid Copper Members.  (I am guessing that Junior Member accounts may be too cheap on the account sale market, especially for hacked accounts.)  .onion posters without those ranks should be restricted through a “newbie jail”-like system.  Those who could not afford paid membership, could spend a few months ranking up in the .onion jail—or through clearnet exits, just like now.  For spammers and scammers, throwaway accounts would be prohibitively expensive.

Perhaps also add a “.onion” tag below the username and rank for posts made through .onion.  I am reluctant to suggest that, given the level of prejudice some people have against Tor users; but I don’t think the moderators here have such a bias, which is the important part to me, personally.  I myself would be proud to wear a “.onion” tag.  I would explicitly add it, if it were offered as an option.

For a non-location-hidden .onion, as I presume this would be, single-onion mode should be snappy for users.  Projects such as Debian and Tor Project successfully run high-bandwidth services such as public apt repositories through .onions, using onionbalance.  Debian users can do all their OS updates without ever touching clearnet!  Use of .onion also helps the Tor network, by shifting load off the bottleneck of exit nodes.  Any relay can serve as as a rendezvous point, including the far more numerous “middle nodes”.

Note that any .onion version of the forum must be verified to work with Javascript disabled.  Excepting signup and login functions, basic functionality seems to work fine that way.


Cloudflare’s effect on spam should be somewhere between negligible and nil.  It’s an anti-DDoS reverse proxy network and caching CDN; it also filters out attacks against braindead applications which can’t handle Bobby Tables.  I don’t see how it could help much against spam; how could the HTTP requests involved in spam posts be distinguished from legitimate network traffic?  Especially the spam posts made by nominal humans?  Though I suppose that forum spam is a wetware-layer DDoS.  It does “deny service” when the forum is unreadable.


I wonder whether theymos’ “evil IP” system uses the publicly known IPs of Tor exits, as published in the consensus.  It would make sense to charge a set price to all Tor users, rather than varying the fee by measurements taken on a particular exit IP.  But n.b., not all exits actually exit through the same IP as they use for their ORPort.  I recall some research finding that as many as 10% of exits did otherwise.  This is useful for avoiding blocks, but risky for node operators since the IP is not listed in the “exonerator”.

that's only if the exit node ip has points of evil associated with it though, i could imagine some new nodes might not have any points linked to them.

Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.

How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?

I think there might be numerous individuals like me who don't generally mind if their posts or messages are perused. On the off chance that I have to make some secret courses of action with some individual, at that point I would do this far from the discussion. My essential concern is the security of my posting. You may not concur with my assessments and thoughts, but rather at any rate they are mine, and I don't need anyone putting on a show to be me to post other data, or to execute any extortion. Anything that diminishes spam and pernicious assaults is great as I would like to think.

Why would they bother trying the back door, when sites (and browsers) grant them front-door access?

Cloudflare is a global active adversary which MITMs every connection by design, as theymos wisely noted.

No matter using cloudflare or something else, NSA already had access to forum's servers, Since they are in USA.

Single data point:  This applies to me.  I don’t wish to discuss details publicly.  I did overpay.


Well, then why bother with the large (and futile) effort of trying to associate a payment-from address?  Delegating trust to a public key (Bitcoin or otherwise) is an ordinary key management issue; and it’s orthogonal to the anti-abuse payment mechanism.


https://github.com/bitcoin/bitcoin/issues/10542 (only discusses Segwit P2WPKH-in-P2SH; generalizing a signature scheme for P2SH would be a non sequitur.)

I recently made this mistake, much to my embarrassment.

---

Anyway, this whole discussion is on the wrong thread.  The login CAPTCHA issue is distinct from the Cloudflare issue.  theymos added the login CAPTCHA sometime before 2017-10-19, and moved behind Cloudflare 2017-11-29.  The login CAPTCHA is not from Cloudflare.

Sure they can. They can sign from the private key(s) used to sign the transaction. The public key associated with the private key(s) used to sign a transaction is public information once the transaction is broadcast.

The average fee users pay is below most exchanges minimum withdrawal allowed. Any users who couldn't sign messages from an address could be given an option to associate another address with their account.




Signing from any of those addresses should be OK.





They can export the private key from their mobile or web wallet, then import it into a wallet capable of signing messages. The blockchain.info web wallet allows exporting private keys.

The Tor user may pay the fee from a bitcoin exchange account. As far as I'm aware, exchanges do not offer their customers the option of signing messages.

Also, if the Tor user's non-exchange wallet has many inputs to many addresses, and pays the fee from that wallet, which address(es) would the Tor user then have to use to sign the message? And if the Tor user pays the fee from non-P2PKH addresses (e.g., segwit P2SH addresses or multisig P2SH addresses), the Tor user can't sign the message using those addresses.

And again, not every wallet has the ability to sign messages, with mobile and web wallets being the most obvious examples.

Anyone registering through tor has to pay a small bitcoin fee, so all those users have bitcoin addresses associated with their accounts.

Not every wallet has the ability to sign messages. Also, one registers for a forum account using an email address, not a Bitcoin address.

Well how about asking tor users to sign a message from the bitcoin address they registered with instead?

Each time they log in they could be given a unique code and asked to sign a message containing it. That wouldn't cost them anything, and signing a message would be faster than going through endless cloudflare captchas.

Thank you.  As a Tor user, I admire this forum’s high-level culture of respect for privacy.

Paying a small fee to register and paying a fee every time you want to log in are two very different things (not to mention the latter being ridiculous and not sure why we should punish all legitimate tor users).

Forum is slow on loading, that is not something new I assume since the move.

But, I've never encountered an error apart from guess what, reporting a post/thread.
Tried several times this today (different reports of course) but I always get a timeout (error 524) that picture with:

Browser Working
Cloudfare Working
Bitcointalk host error

It has never happened on anything else, post/search/pm.

Theymos said he's unenthusiastically using Cloudflare to protect against DDoS attacks. I assume some of those attacks come through Tor and VPN users. Those users couldn't DDoS if they had to pay a tiny fee to login, and further fees if they make excessive HTTP requests. They are already prepared to pay a registration fee for privacy, charging small log in fees isn't much different.

Furthermore, charging a fee for excessive HTTP requests could protect against botnet DDoS attacks from regular IP addresses. Normal users wouldn't even notice because they don't make huge numbers of HTTP requests.

I guess most of the accounts involved in DDoSing are newbies. During times of excessively heavy load on the forum newbie accounts could be asked to either pay a small log in fee, or return later when there's less users accessing the system.

A fee to log in!?  Are you serious?

N.b. that (a) the move behind Cloudflare at the end of November is absolutely irrelevant to login issues, discussed separately since October; (b) everybody’s connections go through Cloudflare, for every connection to the site; and (c) Tor users (among others) are already charged a fee to create an account.

Why not charge Tor and VPN users a small bitcoin fee to log in? Most of those users would probably rather pay a  fee than use cloudflare. They already have to pay a fee to register.