theymos (OP)
Administrator
Legendary
Offline
Activity: 5334
Merit: 13301
|
|
April 02, 2015, 05:22:27 PM |
|
Starting about 14 hours ago, there has been a large DDoS against the forum that is apparently still ongoing. The forum was down for a few hours as a result.
I'm not going to use Cloudflare for bitcointalk.org. Cloudflare is a massive central point of failure to the Internet. Tons of sites (including most large Bitcoin sites) use it. Additionally, in most cases Cloudflare can undetectably read any encrypted traffic passing through their service because they have the site's HTTPS key. Even if you use their keyless HTTPS feature, they can still read your traffic (though this is detectable with something like Certificate Patrol) because they have an agreement with a CA which allows them to issue whatever certificates they want (they are essentially a CA). Also, I've heard that Cloudflare is not especially effective at stopping many types of DDoS attack.
Instead, I purchased DDoS protection that works at a lower level. After filtering, it sends user TCP traffic to the forum's server verbatim. This eliminates the need for giving up the forum's HTTPS key. It seems to be effective at stopping this attacker's traffic, but it may be introducing some periodic downtime/slowness/latency. We're still looking into it. DDoS protection services (even the most expensive ones) are notorious for often being useless, shady, or unreliable, so who knows whether this service or any future ones I may try will end up working out... Unfortunately, the Internet is just particularly weak to DDoS attacks, and there are no great solutions available.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
Welsh
Staff
Legendary
Offline
Activity: 3304
Merit: 4115
|
|
April 02, 2015, 05:25:49 PM |
|
Nice to see something has been done, trial and error for a few months it is then. Glad you found an alternative to using Cloudfare. What's the service you are using?
|
|
|
|
Rude Boy
|
|
April 02, 2015, 05:34:11 PM |
|
Starting about 14 hours ago, there has been a large DDoS against the forum that is apparently still ongoing. The forum was down for a few hours as a result.
I'm not going to use Cloudflare for bitcointalk.org. Cloudflare is a massive central point of failure to the Internet. Tons of sites (including most large Bitcoin sites) use it. Additionally, in most cases Cloudflare can undetectably read any encrypted traffic passing through their service because they have the site's HTTPS key. Even if you use their keyless HTTPS feature, they can still read your traffic (though this is detectable with something like Certificate Patrol) because they have an agreement with a CA which allows them to issue whatever certificates they want (they are essentially a CA). Also, I've heard that Cloudflare is not especially effective at stopping many types of DDoS attack.
Instead, I purchased DDoS protection that works at a lower level. After filtering, it sends user TCP traffic to the forum's server verbatim. This eliminates the need for giving up the forum's HTTPS key. It seems to be effective at stopping this attacker's traffic, but it may be introducing some periodic downtime/slowness/latency. We're still looking into it. DDoS protection services (even the most expensive ones) are notorious for often being useless, shady, or unreliable, so who knows whether this service or any future ones I may try will end up working out... Unfortunately, the Internet is just particularly weak to DDoS attacks, and there are no great solutions available.
Yup! Internet is weak too to DDoS attack. An attacker can even use google as a DDoS tool (google search, google spreadsheet).
|
|
|
|
|
franckuestein
Legendary
Offline
Activity: 1960
Merit: 1130
Truth will out!
|
|
April 02, 2015, 06:03:34 PM |
|
Thanks for the updates. I didn't know that specific information about Cloudflare.
We don't have to worry about it because IMO: the periodic downtime/slowness/latency are going to be occasional. Also, with the current forum DDoS protection there's no need to give the forum HTTPS key to services like the one mentioned before.
|
[ AVAILABLE SIGNATURE SPACE ]
|
|
|
Bardman
|
|
April 02, 2015, 06:38:49 PM |
|
Should that be deleted? DDos is illegal and someone who is offering services to ddos others should be banned, in the rules it says that if something is forbidden in your country it is not allowed on the forum
|
|
|
|
erikalui
Legendary
Offline
Activity: 2632
Merit: 1094
|
|
April 02, 2015, 06:40:27 PM |
|
So we may have a downtime again as the attack is still ON? Internet is prone to such attacks and hence such attacks take place day in and day out due to loopholes. http://ddos-protection-services-review.toptenreviews.com/ This shows that Cloudfare is the 6th in the list compared to Incapsula DDoS Protection.
|
|
|
|
Jeremycoin
Legendary
Offline
Activity: 1022
Merit: 1003
𝓗𝓞𝓓𝓛
|
|
April 02, 2015, 06:46:45 PM |
|
I thought it was just a joke, but when I read this thread I know that it wasn't a joke. So, this is a serious problem for the site
|
faucet used to be profitable
|
|
|
Bardman
|
|
April 02, 2015, 06:49:13 PM |
|
I always wondered if making the user solve a captcha before using the site could prevent ddos, my guess its most likely not since every site would have done it already, but why wouldnt it work? Bots that solve captchas?
|
|
|
|
Welsh
Staff
Legendary
Offline
Activity: 3304
Merit: 4115
|
|
April 02, 2015, 06:50:02 PM |
|
I thought it was just a joke, but when I read this thread I know that it wasn't a joke. So, this is a serious problem for the site
Pretty much every substantial site is affected by it from time to time. You'll never stop it entirely. I always wondered if making the user solve a captcha before using the site could prevent ddos, my guess its most likely not since every site would have done it already, but why wouldnt it work? Bots that solve captchas?
Bots can solve captchas, and as far as I'm aware Satoshi created the capacha that the forum is using. (May of been changed since, I read this a very long time ago) Which is immune to most known OCR captcha solvers. But, if someone can't solve a certain captcha they just send it to a service which uses humans instead. Captchas are useful, that's why they are used nearly on every single website. They have limitations and only prevents certain users. Although, captchas are mainly used to reducing spam and not for protection against DDOS. DDOS is sending a huge amount of requests to the server.
|
|
|
|
IDKwhatimdoing
|
|
April 02, 2015, 06:55:52 PM |
|
Didnt even catch the forum offline hehe:) And you are right cloudfare isn't bulletproof. Nice of u to find a solution! And a good one. Keep it up theymos
|
|
|
|
Lorenzo
|
|
April 02, 2015, 06:58:37 PM |
|
Actually, I was kind of relieved to find out that it was "just" a DDoS and not a site hack that could have actually endangered the site. I know a few people probably thought that the avatars were at fault too. It didn't really look like a DDoS attack at first until I saw the post on Twitter since most of the DDoS'd websites that I've encountered either timed out or loaded very slowly rather than not connecting at all.
|
|
|
|
RocketSingh
Legendary
Offline
Activity: 1662
Merit: 1050
|
|
April 02, 2015, 07:00:27 PM |
|
I thought it was just a joke, but when I read this thread I know that it wasn't a joke. So, this is a serious problem for the site
Pretty much every substantial site is affected by it from time to time. You'll never stop it entirely. Is Google prone to DDOS as well ? Has Google search ever been down due to DDOS ?
|
|
|
|
b!z
Legendary
Offline
Activity: 1582
Merit: 1010
|
|
April 02, 2015, 07:03:20 PM |
|
So we may have a downtime again as the attack is still ON? Internet is prone to such attacks and hence such attacks take place day in and day out due to loopholes. http://ddos-protection-services-review.toptenreviews.com/ This shows that Cloudfare is the 6th in the list compared to Incapsula DDoS Protection. toptenreviews.com is not a reliable source of information.
|
|
|
|
Bardman
|
|
April 02, 2015, 07:09:59 PM |
|
I thought it was just a joke, but when I read this thread I know that it wasn't a joke. So, this is a serious problem for the site
Pretty much every substantial site is affected by it from time to time. You'll never stop it entirely. Is Google prone to DDOS as well ? Has Google search ever been down due to DDOS ? I was curious and i investigated a little: http://security.stackexchange.com/questions/73369/how-do-major-sites-prevent-ddosSeems like it would be pretty hard almost impossible to ddos google
|
|
|
|
Welsh
Staff
Legendary
Offline
Activity: 3304
Merit: 4115
|
|
April 02, 2015, 07:13:14 PM |
|
Not only that, there wouldn't be much incentive to do it for a long period of time. Not that I think someone will ever achieve it. Just the statistics of google is daunting enough.
|
|
|
|
Lorenzo
|
|
April 02, 2015, 07:18:18 PM |
|
I thought it was just a joke, but when I read this thread I know that it wasn't a joke. So, this is a serious problem for the site
Pretty much every substantial site is affected by it from time to time. You'll never stop it entirely. Is Google prone to DDOS as well ? Has Google search ever been down due to DDOS ? Google is highly resistant to DDoS attacks since they have thousands of servers distributed around the world that can handle massive amounts of bandwidth. The amount of traffic that sites like Google and Facebook get every day would probably kill most other sites. It would be difficult but not impossible to launch a successful DDoS attack on sites like these although doing so would probably require the cooperation of multiple parties.
|
|
|
|
redsn0w
Legendary
Offline
Activity: 1778
Merit: 1043
#Free market
|
|
April 02, 2015, 07:26:04 PM |
|
Thanks for the clarification, so at the end it seems that it doesn't exist a real solution for prevent the ddos attack (also with cloudflare, that it is much expensive).
|
|
|
|
xDan
|
|
April 02, 2015, 08:11:04 PM |
|
I'm not going to use Cloudflare for bitcointalk.org. Cloudflare is a massive central point of failure to the Internet. Tons of sites (including most large Bitcoin sites) use it. Additionally, in most cases Cloudflare can undetectably read any encrypted traffic passing through their service because they have the site's HTTPS key. Even if you use their keyless HTTPS feature, they can still read your traffic (though this is detectable with something like Certificate Patrol) because they have an agreement with a CA which allows them to issue whatever certificates they want (they are essentially a CA). Also, I've heard that Cloudflare is not especially effective at stopping many types of DDoS attack.
THANK YOU for being one of the few website owners far-sighted enough not to use CloudFlare. It's especially annoying for any VPN user, as it means they get a goddamn CAPTCHA every visit. I've taken to simply closing the tab on any CloudFlare using website, the captcha is so annoying. Ya here that, other website owners?
|
HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars. Up, up and away with my beautiful, my beautiful Bitcoin~
|
|
|
Pushtheghost
|
|
April 02, 2015, 08:51:27 PM |
|
Site was down most of last night in the early hours here in the UK. I say down, what I mean is access was intermittent and incredibly slow, so yep I knew immediately the most likely cause was an attack on the site. Good to see you are taking measures to keep the site online as much as is possible.
|
|
|
|
|