Privacy

789 readers

59 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

Google has been DDoSing SourceHut for over a year (drewdevault.com)

submitted 2 years ago by whou@lemmy.ml to c/privacy@lemmy.ml

7 comments fedilink hide all child comments

Is anyone surprised Google doesn't even try to fix issues that are damaging its users?

top 7 comments

sorted by: hot top controversial new old

[–] X_Cli@lemmy.ml 7 points 2 years ago (1 children)

I don't get it. Public endpoints are public. Go proxies (there are alternatives to direct mode or using Google proxy, such as Athens) are legitimate to query these public endpoints, as aggressively as they want. That's not polite, but that's how the open Internet works and always has.

I don't get why SourceHut does not have any form of DDoS protection, or rate-limiting. I mean HTTP status 503 and the retry-after header are standard HTTP. That Drew chose a public outcry over implementing basic anti-applicative DDoS seems to be a very questionnable strategy. What would happen to the Sourcehut content if tomorrow attackers launch a DDoS attack on SourceHut? Will Drew post another public outcry on their blog?

SourceHut is still in alpha. This feels like a sign that it is still not mature enough to be a prod service for anyone.

[–] ndarwincorn@lemmy.ml 4 points 2 years ago (1 children)

Google refuses to respect a robots.txt here, seems awful naive to assume they will respect a 503 response or retry-after header.

Similarly naive to assume there's no ddos mitigation in front of sourcehut, given that Drew explained why he allows the proxy traffic through unabated.

To then take that naive assumption and leap off it to conclusions about the production readiness of alpha software is some wild FUD.

[–] X_Cli@lemmy.ml 4 points 2 years ago* (last edited 2 years ago) (2 children)

I don't think that a robots.txt file is the appropriate tool here.

First off, robots.txt are just hints for respectful crawlers. Go proxies are not crawlers. They are just that: caching proxies for Go modules. If all Go developers were to use direct mode, I think the SourceHut traffic would be more, not less.

Second, let's assume that Go devs would be willing to implement something to be mindful of robots.txt or retry-after indications. Would attackers do? Of course not.

If a legitimate although quite aggressive traffic is DDoSing SourceHut, that is primarily a SourceHut issue. Returning a 503 does not have to be respected by the client because the client has nothing to respect: the server just choose to say "I don't want to answer that request. Good Bye". This is certainly not a response that is costly to generate. Now, if the server tries to honor all requests and is poorly optimized, then the fault is on the server, not the client.

I have not read in details the Go Proxy implementation, to be truthful. I don't know how it would react if SourceHut was answering 503 status code every now and then, when the fetching strategy is too aggressive. I would simply guess that the server would retry later and serve the Go developers a stale version of the module.

[–] X_Cli@lemmy.ml 1 points 2 years ago

https://github.com/gomods/athens/blob/723c06bd8c13cc7bd238e650a559258ff7e23142/pkg/module/go_get_fetcher.go#L145-L148 https://github.com/gomods/athens/blob/723c06bd8c13cc7bd238e650a559258ff7e23142/pkg/module/go_get_fetcher.go#L163-L165

So two infos:

Github does have a rate limiter; why should SourceHut be better?
Athens has GitHub specific code, which, I think, is pretty horrific

[–] X_Cli@lemmy.ml 1 points 2 years ago

(I would appreciate if the down voters were able to express their disagreement with words. Maybe I'm wrong, but then, please do me the favor of explaining me how. Also, I'm not a SourceHut hater; I even give money to Drew every month, because I like the idea of SourceHut. I just think Drew is wrong on that matter)

[–] kevincox@lemmy.ml 7 points 2 years ago* (last edited 2 years ago)

Funny, I am also being DoSed by Google, although much more mildly: https://kevincox.ca/2022/05/08/google-websub-dos/

[–] nomemory@lemmy.ml 1 points 2 years ago

And Drew is ddosing himself sometimes.