this post was submitted on 04 Aug 2023
4 points (100.0% liked)

Cloud Security

16 readers
1 users here now

Preventing storms.

Rules

  1. Be excellent to each other!
  2. Use the article title as the submission title. Do not editorialize the title or add your own commentary to the article title.
  3. No vendor spam. Zero tolerance for content marketing.

founded 1 year ago
MODERATORS
 

cross-posted from: https://lemmy.dbzer0.com/post/1491194

I would love if just once an admin of a fedi host under DDoS attack would have the integrity to say:

“We are under attack. But we will not surrender to Cloudflare & let that privacy-abusing tech giant get a front-row view of all your traffic while centralizing our decentralized community. We apologize for the downtime while we work on solving this problem in a way that uncompromisingly respects your privacy and does not harm your own security more than the attack itself.”

This is inspired by the recent move of #LemmyWorld joining Cloudflare’s walled garden to thwart a DDoS atk.

So of course the natural order of this thread is to discuss various Cloudflare-free solutions. Such as:

  1. Establish an onion site & redirect all Tor traffic toward the onion site. 1.1. Suggest that users try the onion site when the clearnet is down— and use it as an opportunity to give much needed growth to the Tor network.
  2. Establish 3+ clearnet hosts evenly spaced geographically on VPSs. 2.1. Configure DNS to load-balance the clearnet traffic.
  3. Set up tar-pitting to affect dodgy-appearing traffic. (yes I am doing some serious hand-waving here on this one… someone plz pin down the details of how to do this)
  4. You already know the IPs your users use (per fedi protocols), so why not use that info to configure the firewall during attacks? (can this be done without extra logging, just using pre-existing metadata?)
  5. Disable all avatar & graphics. Make the site text-only when a load threshold is exceeded. Graphic images are what accounts for all the heavy-lifting and they are the least important content. (do fedi servers tend to support this or is hacking needed?)
  6. Temporarily defederate from all nodes to focus just on local users being able to access local content. (not sure if this makes sense)
  7. Take the web client offline and direct users to use a 3rd party app during attacks, assuming this significantly lightens the workload.
  8. Find another non-Cloudflared fedi instance that has a smaller population than your own node but which has the resources for growth, open registration, similar philosophies, and suggest to your users that they migrate to it. Most fedi admins have figured out how to operate without Cloudflare, so promote them.

^ This numbering does /not/ imply a sequence of steps. It’s just to give references to use in replies. Not all these moves are necessarily taken together.

What other incident response actions do not depend on Cloudflare?

top 6 comments
sorted by: hot top controversial new old
[–] muddybulldog@mylemmy.win 8 points 1 year ago* (last edited 1 year ago) (1 children)

People are seriously confusing the fact that Lemmy being open source means all the admins are privacy evangelists that are going to do everything they can to protect privacy. That’s absolutely not the case. Pick and choose your instances based on those measures but you are going to be hard pressed to find many, if any, who are going to offer anything close to perfect privacy due to the huge overhead involved.

I’m not going to engage every point here but on #3, mitigating a DDOS is not just simply closing down firewall ports. As a matter of fact without a distributed IP space for you’re more than likely going to assist the attack by shutting out your own users. You need methods to absorb and deflect that traffic. That’s a lot of infrastructure that is NOT available to last typical VPS.

[–] diyrebel@lemmy.dbzer0.com 4 points 1 year ago* (last edited 1 year ago) (2 children)

People are seriously confusing the fact that Lemmy being open source means all the admins are privacy evangelists that are going to do everything they can to protect privacy.

It’s not just a privacy problem. #Cloudflare is:

  • anti- #privacy
  • anti- #netneutrality
  • anti-software freedom
  • anti-bot (incl. beneficial bots)
  • detrimental to democracy (petitions & voter reg. access made exclusive)
  • pro- #CAPTCHA (thus insensitive to impaired people)
  • pro- #centralization
  • pro-censorship

Pick and choose your instances based on those measures but you are going to be hard pressed to find many,

Pick an instance that’s aligned with the list above, and you would be hard-pressed to find one. Esp. w.r.t. centralization. The core mission of fedi servers is to support a #decentralized paradigm.

who are going to offer anything close to perfect privacy

When Cloudflare is involved, we are waaay beyond talking about “perfection”. Privacy is 100% in the shitter at that point.

[–] muddybulldog@mylemmy.win 3 points 1 year ago* (last edited 1 year ago)

It’s not a matter of finding instances that are on board with those things so much as You’ll be hard pressed to find an instance that cares either way.

While I’m a huge advocate on many of these topics the correct answer is still select your instance based on your criteria. Your evangelism is wasted on 99% of the populace.

[–] nromdotcom 2 points 1 year ago (1 children)

Okay, you've doubled down on hating Cloudflare, which is fair.

Do you see why maybe instance admins are reaching for the Cloudflare button, though? They are often individuals or small teams with relatively little expertise, time, or financial resources. Plus a lot to lose financially if an attack blows out their bandwidth budget or gets them kicked off their hosting. And they're under extreme pressure to keep their instances available and reliable because that's what users expect from web services these days, whether it is realistic or not. Saying "the instance will be offline for two weeks while I work on this haproxy config a couple hours each evening after work that may or may not effectively mitigate this attack" isn't really a reasonable expectation.

Throwing out "just move to tor," "jusy build a firewall rule with the last-known IPs of your users," "just do tarpitting," and "just turn off images." Are nice ideas (except for maybe the known IP thing which has a lot of problems in an age of mobile devices and VPNs), but none are yet solutions.

So presenting it as "I can't believe people are doing [this incredibly easy thing that I have an ethical problem with] rather than [this series of complicated ideas that have not yet been proven to actually solve the issue] this is a disaster in every way" is not conducive to open conversation and instead makes people who did [incredibly easy thing you have a problem with] defensive and/or just straight up annoyed and dismissive.

Ideas are good and having ideas for instance admin tools for things like moderation, ddos mitigation, etc is good because we need to start somewhere. But you can't jump right to "I had this great idea it's an absolute travesty that nobody has already implemented it" and expect people to take you seriously.

Now that's not to say that your post is bad unless it comes along with "Intro to Tor for Lemmy Admins" or "how to configure rate limiting with tarpitting in your reverse proxy" or "here's a PR I made for Lemmy that implements an optional text-only emergency mode." But if you aren't coming with those things you should instead come from a place of collaboration, education, and curiosity.

[–] diyrebel@lemmy.dbzer0.com 2 points 1 year ago* (last edited 1 year ago) (1 children)

Plus a lot to lose financially if an attack blows out their bandwidth budget

All the more reason to get your security house in order before rolling out service. If security is an afterthought, you’re doing it wrong.

And they’re under extreme pressure to keep their instances available and reliable because that’s what users expect from web services these days, whether it is realistic or not.

Users don’t even know they’re being pawned to a US tech giant, so their expectations are not even being realized at this point. IOW, these user /expectations/ that are driving your point are that of uninformed users.

ideas that have not yet been proven to actually solve the issue

This instance that you are posting to is in fact run by a guy who has proven to thwart DDoS attack without resorting to CF using methods 1 and 3 (confirmed), perhaps more.

is not conducive to open conversation

On the contrary, it’s the “let’s have Cloudflare centralize everything” attitude that’s “not conducive to open conversation”. You are crashing in on a constructive discussion just to piss in the wind and stifle a constructive discussion.

and/or just straight up annoyed and dismissive.

The folks who would be annoyed or dismissive of efforts to counter attacks without being pawned by Cloudflare are not the intended audience here.

But if you aren’t coming with those things you should instead come from a place of collaboration, education, and curiosity.

Yikes. Telling people “bring a PR or GTFO” is very much the non-constructive shitty attitude we need to avoid. Discussion happens before implementation. Only a fool implements before design. Design is best when it has community feedback.

[–] nromdotcom 1 points 1 year ago

This instance that you are posting to is in fact run by a guy who has proven to thwart DDoS attack without resorting to CF using methods 1 and 3 (confirmed), perhaps more.

I'm glad to hear it. Did they share these solutions in an easy-to-consume manner for other instance admins who may not have the same expertise, resources, or time? As I said before, I'm not suggesting they must do the work to share these things in an easy-to-consume manner - I'm just saying if these solutions aren't available in an easy to consume manner, then you shouldn't be so surprised and upset that other people are reaching for the easy-to-use solutions instead.

Telling people “bring a PR or GTFO” is very much the non-constructive shitty attitude we need to avoid.

The sentence you quoted very specifically did not say "bring a PR or GTFO," so I'll ask that you try to not put words in my mouth. In fact, I went to great lengths to make it clear I wasn't saying that because I happen to agree with you - it is an unconstructive attitude.

I very specifically did say "bring a PR or don't get mad that other people aren't immediately doing the work for you." If you aren't bringing a PR then you are bringing an idea. If you aren't bringing solutions but are bringing a sensationalist and confrontational attitude, don't be surprised when you have a confrontation rather than a conversation.

Maybe it would be more constructive to identify barriers to adopting privacy-respecting solutions rather than getting judgemental about using other solutions. What makes Cloudflare easier than tarpitting? How could the barrier to adopting tarpitting be lowered to make it a reasonable solution to adopt? Are there any Lemmy admins that can weigh in on the conversation and share their challenges?