Are you under an active layer 7 DDoS...

[John connor]

or what?

Sorry but you cannot use search at this time. The server has high load. Please try again later.

I know phpBB has that option to shut down the search feature on high load, but what the hell are you paying for? A Pentium?

[RJARRRPCGP]

I saw that message some days ago, too.

[New Tobin Paradigm]

Well there have been some on going syn based attacks.. Especially targeting the forum but also every other Pale Moon server including Regolith. Mitigations have been put in place but in general.. Just have to deal with it or in F22 Simcity's case.. Kill yourself.

[Moonchild]

by F22 Simpilot » 10-11-2019 22:41

Timestamp marked on the graph.

[John connor]

This is because you're not using CloudFlare for the forum IP which is fucking stupid. I use CloudFlare on my forum and have no issues at all. Plus I pay for layer 7 DDoS protection.

[John connor]

Just have to deal with it or in F22 Simcity's case.. Kill yourself.

Problem?

[Moonchild]

If you're just here to critique my choices of server administration, then you can just fuck off.
The forum is not on CF because, among other things, CF doesn't provide the security setup I want, and because I want the forum to be reachable even if there is a CF problem. It's an independent setup for a whole list of very good reasons. I'll handle DDoS attacks when they crop up, like I always have. I'm not going to compromise my setup because boohoo you couldn't search for 30 minutes of heavy load. Search is just processor and DB heavy (and often a target for DoS processing attacks) so to prevent the rest of the forum from being impacted by the load, I have phpBB shut it down automatically as long as load is high.

[athenian200]

I can speak only for myself here, but I'd just like to raise three points...

1. CloudFlare goes down locally for me all the time, I've had several instances where I couldn't even access a website because that was down. I believe that hosting this site on CloudFlare would actually reduce uptime from intermediate service problems more than it would mitigate downtime from preventing attacks. This site has been accessible during those times while many others were offline. The cure really is worse than the disease, in this case.

2. CloudFlare letting you use their cloud for content delivery means they set the terms and conditions of service, and if they don't like something you're doing, something you're talking about, they can pull the plug even if your host is otherwise fine with it. There are only a few hosting providers that can do what CloudFlare does, so admins allowing themselves to become dependent on them for attack mitigation means centralizing power in the hands of a few infrastructure providers. It means control over how the website is operated is ceded to yet another middleman aside from the hosting provider. You do understand why that's a bad idea and why people in this community in particular might be against those kind of solutions, right? I can tell you that CloudFlare has leaned on people to run their site a certain way before, so it's not like this has never happened.

3. "Layer 7 DDoS" isn't some new, dangerous, shocking thing that is impervious to any existing mitigations. To translate that unsettling jargon into English for everyone else following this, it means an automated program tries to mimic human behavior while interacting with the website's interface so that it isn't detected as an obvious bot while attempting to place a heavy load on the server and bring down the site. Really scary, innovative, and unlike anything the Internet has ever seen before, right? Only a huge cloud provider with near-infinite resources can save us from such an unprecedented threat, right? Nope, that's just what CloudFlare's marketing people want you to think.

All in all, I feel that the OP has failed to consider the big picture of what this entire project is about. One of the big ideas behind it, as far as I can tell, is mitigating security risks in a way that leaves the user in control rather than asking us to put our safety in the hands of an external agent. The fact that people here believe in doing things that way is why we are called "old and insecure" by those who accept the consensus of engineers working for big tech companies that are invested in creating a cloud-based future.

If one accepts your initial premise, that websites not hosted in the cloud by CDNs with lots of infrastructure are almost by definition inadequately protected, then one must also conclude that users who don't rely on cloud services like Google Safe Browsing or who trust their data to their own machines rather than the cloud are also inadequately protected. In effect, your criticism must necessarily belie a belief that people are foolish to try and learn how to protect themselves and their stuff rather than trust well-paid experts. There is no path of reasoning I can perceive where your initial reasoning could be accepted as valid without following that train of thought to the conclusion that a major goal of this project was ill-conceived to start with, at least not if you're honest with yourself and avoid hypocrisy.

The OP has in fact challenged the entire set of assumptions and values behind this project with his suggestion in a very subtle way that seems innocent to anyone who doesn't fully understand the implications of the worldview being implied by that seemingly off-hand statement.

[John connor]

I can speak only for myself here, but I'd just like to raise three points...

1. CloudFlare goes down locally for me all the time, I've had several instances where I couldn't even access a website because that was down. I believe that hosting this site on CloudFlare would actually reduce uptime from intermediate service problems more than it would mitigate downtime from preventing attacks. This site has been accessible during those times while many others were offline. The cure really is worse than the disease, in this case.

2. CloudFlare letting you use their cloud for content delivery means they set the terms and conditions of service, and if they don't like something you're doing, something you're talking about, they can pull the plug even if your host is otherwise fine with it. There are only a few hosting providers that can do what CloudFlare does, so admins allowing themselves to become dependent on them for attack mitigation means centralizing power in the hands of a few infrastructure providers. It means control over how the website is operated is ceded to yet another middleman aside from the hosting provider. You do understand why that's a bad idea and why people in this community in particular might be against those kind of solutions, right? I can tell you that CloudFlare has leaned on people to run their site a certain way before, so it's not like this has never happened.

3. "Layer 7 DDoS" isn't some new, dangerous, shocking thing that is impervious to any existing mitigations. To translate that unsettling jargon into English for everyone else following this, it means an automated program tries to mimic human behavior while interacting with the website's interface so that it isn't detected as an obvious bot while attempting to place a heavy load on the server and bring down the site. Really scary, innovative, and unlike anything the Internet has ever seen before, right? Only a huge cloud provider with near-infinite resources can save us from such an unprecedented threat, right? Nope, that's just what CloudFlare's marketing people want you to think.

All in all, I feel that the OP has failed to consider the big picture of what this entire project is about. One of the big ideas behind it, as far as I can tell, is mitigating security risks in a way that leaves the user in control rather than asking us to put our safety in the hands of an external agent. The fact that people here believe in doing things that way is why we are called "old and insecure" by those who accept the consensus of engineers working for big tech companies that are invested in creating a cloud-based future.

If one accepts your initial premise, that websites not hosted in the cloud by CDNs with lots of infrastructure are almost by definition inadequately protected, then one must also conclude that users who don't rely on cloud services like Google Safe Browsing or who trust their data to their own machines rather than the cloud are also inadequately protected. In effect, your criticism must necessarily belie a belief that people are foolish to try and learn how to protect themselves and their stuff rather than trust well-paid experts. There is no path of reasoning I can perceive where your initial reasoning could be accepted as valid without following that train of thought to the conclusion that a major goal of this project was ill-conceived to start with, at least not if you're honest with yourself and avoid hypocrisy.

The OP has in fact challenged the entire set of assumptions and values behind this project with his suggestion in a very subtle way that seems innocent to anyone who doesn't fully understand the implications of the worldview being implied by that seemingly off-hand statement.

You're so fucking wrong it ain't even funny. Thousands of websites use CloudFlare for a variety of reasons. If you don't have a website and never used CloudFlare then you have no idea what you're talking about. And I NEVER had CloudFlare go down on me unless my host didn't stay up to date with the firewall whitelisting.

I have free DDoS protection, my IP origin isn't exposed, you can't Nmap me and see my SSH and FTP ports since you have no idea what my origin is. I also pay for layer 7 DDoS mitigation. Showdan and Censys knows all.

[John connor]

If you're just here to critique my choices of server administration, then you can just fuck off.

I don't give a big fat, black dick how you Admin. You wanna get owned and tea bagged that's on you.

And I saw your tweet a few months back about people crawling up you ass on the SSH port. All could have been mitigated. Since you are an enemy in the browser world expect people to want to take you down.

[Moonchild]

You wanna be excessively rude about having valid arguments thrown at you, then that's on you.
Go crawl back to your "perfect" little board and leave my adminning to me. If the forum goes down due to DDoS, then that'll be my worry, and you get to say "I told you so" for however short that will be lived, because it won't be down for long, I promise you that.

[athenian200]

You're so fucking wrong it ain't even funny. Thousands of websites use CloudFlare for a variety of reasons. If you don't have a website and never used CloudFlare then you have no idea what you're talking about. And I NEVER had CloudFlare go down on me unless my host didn't stay up to date with the firewall whitelisting.

I don't currently have one, but I did run a website in the past. It was mostly about technology and sociology, and I was studying the question of how new technologies affect social organization. Anyway, I know that regardless of whether CloudFlare actually hosts your content or not, you are dependent on their infrastructure to obscure your website's IP and act as a reverse proxy (apologies to everyone else in advance for using that kind of jargon, but he's giving me little choice here). In other words, you are not protecting your own website, you are relying on them to do it for you. How can you possibly be proud of that, relying on someone else to protect you? You're like an average man who has hired a band of mercenaries and then boasted about how strong your mercenaries are, as if their accomplishments and their strength were your own.

Maybe CloudFlare itself, as a network, didn't go down, but the individual nodes go down all the time. Hence I can't access sites using it from my region even if from the perspective of the admin, it is working. You wouldn't necessarily know there was a problem on that end. I don't automatically get rerouted to a working IP that is still up, once I get directed to that CloudFlare IP, the site is down for me if that node is down. It can take a while for CloudFlare to heal that damage, and often the admin and other users will be totally unaware of my problems and insist on blaming my ISP rather than CloudFlare. I know because every site using it gets the same problem, and it's not site-specific, it's region-specific. You don't have to own a website to understand how CloudFlare's DDoS protection is setup, you can determine it from a pattern of odd service outages that people have difficulty diagnosing, and user complaints.

I have free DDoS protection, my IP origin isn't exposed, you can't Nmap me and see my SSH and FTP ports since you have no idea what my origin is. I also pay for layer 7 DDoS mitigation. Showdan and Censys knows all.

I know what all of those things are. Your IP origin is the server that is using the reverse proxy so that people using the site don't know where traffic is coming from. nmap is a Linux tool used to enumerate ports and yield a lot of information about any system it's targeted at, and it's often used by black-hat hackers, as well as aggressive "white-hat" hackers running questionable block lists. That last part of the statement, referencing shodan and censys, refers to search engines capable of finding most devices connected to the Internet, which is possibly your justification for all of this. You seem to be saying in a rather cavalier way that because such sites exist and reveal so much information to hackers, we have no choice but to rely on the digital equivalent of mercenaries to protect our stuff, and should just accept that as reasonable.

I don't think we're focused on the same thing here at all, then. You focus on the immediate results. Yes, having them protect you does yield the immediate results you desire, but now you are dependent on an organization that could withdraw their support for whatever you're doing at any time. I'm not questioning the effectiveness of using it, anymore than I would question the effectiveness of using Google as a search engine. I'm questioning whether the ends justify the means, what the long-term consequences are of so many people depending on a third-party for something they used to do themselves, and hence empowering that third-party in a potentially harmful way. Maybe I have trouble understanding your perspective because it deals with the pragmatic and the short-term. All you've really offered me are pragmatic, short-term benefits with no assessment of long-term consequences to yourself or others.

Also, as an aside... I think the forms of argument and self-expression you've adopted would be more suited to Discord or some form of in-game chat than to a discussion forum. I am concerned that perhaps you are unaware of how you come across to people expressing yourself this way on a forum versus a chatroom. I'm not saying that there's anything wrong with your conduct in and of itself, but that you seem to lack awareness of context. If I were playing Call of Duty or Halo with you and I'd screwed something up and I got your team killed due to a newbie mistake, I would totally expect you to talk to me this way and be fine with it. But this is a discussion forum, the format is intended for serious discussions, sharing information, debates, etc. Your posts get saved here for possibly years on end. They're here for people to search through looking for a sense of what people here generally think on a given topic and how their views might have evolved over time. Do you really want everyone to remember you as someone that replied to every argument against yours with nothing but indignant rage and proud use of the most elite technical jargon you could think of at the moment?