Lemmy.world update: Downtime today / Cloudflare

https://lemmy.world/post/1998212


Today, like the past few days, we have had some downtime. Apparently some script kids are enjoying themselves by targeting our server (and others). Sorry for the inconvenience. Most of these ‘attacks’ are targeted at the database, but some are more DDoS-like and can be mitigated by using a CDN. Some other Lemmy servers are using Cloudflare, so we know that works. Therefore we have chosen Cloudflare as CDN / DDoS protection platform for now. We will look into other options, but we needed something to be implemented ASAP. For the other attacks, we are using them to investigate and implement measures like rate limiting, etc.

Thank you for your efforts, work and results. Those “attackers” only deserve disgust.
Maybe they don’t deserve as much, pity would be enough.
Anything we can do as “users” to help, other than donating?
If it’s the same people, they’ll probably get tired of it and move on. But the more we talk about it, the more likely it is that new people want to get in on the “fun”. I’d say to not make memes about the downtime and pretty much act like it doesn’t exist (as users, obviously the admins should take action as necessary to mitigate it and post to be transparent).

I don’t understand why people want to take down websites. Especially sites like Lemmy, which isn’t exactly sticking it to anyone because no one owns it!

Are they just Reddit groupies?

Or paid for by Reddit…

For most hackers or wannabes (often called script kiddies: generally young people, even children, hence the “kiddies”, who are not technically inclined enough to be real hackers and who find a tutorial online on how to run pre-written scripts that repeatedly perform various functions), the answer to “Why do you do it?” is often:

  • “Because I was bored.”

  • “Because I can.”

  • Very rarely are other reasons given.

    The ones seen on masterhacker reddit.
    More like “I get zero action, so I take my anger out on other people”

    Some people enjoy causing suffering to others. On the internet they are termed trolls. IRL people usually just call them assholes. Most people have encountered them before.

    I think they are far more common and likely than anyone giving two shits about reddit.

    Some people just want to watch the world burn.
    You don’t think just being bored is enough reason for some?

    If I’m bored I find something productive and/or fun to do.

    Launching a DDoS attack is neither.

    You, sure. It’s not difficult to imagine a teen who’s not you.
    My guess: lemmy.world is attacking itself to make people believe that it is more popular than Reddit, enough to be attacked so hard.
    Upvoting because this has to be satire
    It’s coming from someone over on Kbin. Wonder if that’s the motivation.
    You have more faith in people than I do…
    Delete your account and go back to reddit

    I was using voip.ms last year when they were DDoS’d for over a week, by a group demanding payment via anonymous crypto. The DDoS ended when they switched to Cloudflare (which was probably pretty difficult because they’re a SIP provider).

    Almost any website with a small number of servers is vulnerable to this attack, which happens to be great business for Cloudflare. I wonder which companies are most effectively competing with Cloudflare?

    There are others, but I think the craziest thing about Cloudflare is its basic level of protection is free. It’s so popular because so many hobbyists use it for free, and are familiar with it. Then they convince their workplaces to adopt it when the need arises because they are already familiar with it.

    Cloudflare operates free, unmetered DDoS protection. They make money by selling support to companies, and selling access to some more advanced features (that often have a free tier as well).

    They’re just trolls. Lemmy is popular enough that it’s a fun target for them, but still small and infantile enough that you don’t have to be hackerman to DDoS it. Reddit, Twitter, etc… would be constantly getting DDoS’d just for the lulz by people if they didn’t have the infrastructure to make it a challenge.
    With my tinfoil hat on, I’d say one concern is that Cloudflare is basically a monopoly and nothing is stopping them from DDoSing sites to force them to use their product.

    While it’s good to be suspicious, I don’t think we can call Cloudflare a monopoly quite yet.

    Akamai is a big, giant competitor. You also have the big cloud providers like AWS that have their own CDN systems, like CloudFront. (I don’t recall GCP’s or Azure’s product names.) Then you have specialized CDNs like Google’s AMP system.

    Now, is it possible that there could be a horizontal trust between these companies? Certainly. There are few enough players for that to happen, but so far, I haven’t seen signs of it happening.

    There are some people salty at given instances, like exploding-heads for defederation or this @lmao dude for no clear reason, there was some spammer activity, and then you have regular drama seekers with the usual ensemble of suspects.
    Why Oligarchs Don't Just Want to Be Rich, But Kill Democracy Too | Common Dreams
    Where can we donate toward server costs?
    Mastodon.world - Open Collective

    Do you prefer one or the other when it comes to donations?
    I prefer OpenCollective.
    Tagging @ernest in case instance owners don't have a larger community in which they share news like this with each other.
    Yeah, this is just growing pains for any website. Get popular enough for it to be “fun” to target. Then get enough data that it’s “profitable” to target. Etc. And the usual way to deal is to first use an external solution at least until it becomes too expensive due to traffic volume. Then make your own solutions for problems you can solve yourself and pay external companies for the ones you can’t.
    Damn these script kiddies… I don’t like Cloudflare at all but it does its job well. It may just be my paranoia, but putting a single entity in control of so many websites seems dangerous. I think we have all learned about the intentions of big corporations. But hey, it’s better than being taken down tbf.
    Exactly my words. I’d love to see a decentralized network to do the job instead. No single point of failure and people can actually earn a bit of money instead of big corpos enriching themselves.
    What are your reasons for hating Cloudflare? Best I can tell they run a good service and their free offerings have been great (1.1.1.1).
    We said the same thing about chrome 10 years ago. It’s not the quality of the product, which is excellent. It’s the concentration of control.
    Isn't there a possibility that Cloudflare is making the script kids do DDoS attacks against lemmy.world to sell its CDN? :D
    Maybe CF and spez are paying the script kids… damn…

    It’s highly unlikely. Cloudflare is (I think) the biggest CDN provider and one of the biggest domain registrars. Whatever lemmy.world is paying them it’s inconsequential to their books. For a sense of scale, they own the IP address 1.1.1.1. (as an aside, 1.1.1.1 is a DNS host, but unlike the other popular ones it has a webpage so it’s very convenient for checking if your internet is down or if you’re having DNS issues)

    Basically, the cost/reward is way out of whack for them to consider DDoSing such a small site.

    No, but Cloudflare is providing services to those kids too.
    Most of the services that provide DDoS attacks as a service use Cloudflare themselves, and Cloudflare is absolutely okay with it.

    Lol. Just for shits and giggles I want to entertain this for a second.

    You’d probably want to pay hackers in a country that isn’t friendly with the US to do this. Russia, North Korea, China, Iran.

    Three of those countries are heavily sanctioned right now. I wouldn’t want sketchy money flowing to Russia at the moment even if it didn’t technically fall under sanctions since money flow is being scrutinized. Same with NK and Iran.

    So that would leave China. I think you could get away with it there pretty easily.

    And lo and behold…

    techcrunch.com/2020/04/28/…/amp/

    :tinfoilhat:

    With that said though. Getting that info leaked out would be extremely damaging and totally not worth the risk.

    How does Cloudflare work? Do you install the private SSL certificate there so Cloudflare can see all traffic, including passwords, in plain text, or is the path from browser through to your server still encrypted?

    Cloudflare decrypts to do the DDoS protection, then re-encrypts to the server.

    If you are worried about security, Cloudflare is provably more secure than any Lemmy server.

    But it still is a really bad idea to route big parts of the internet through one proprietary system. There have to be other ways to solve this.

    Not if you want to provide a website accessible through modern web browsers.

    If you want stable and distributed resources you need tech like bittorrent which survived everything the entertainment industry had to throw at it.

    If you want a website, you need Cloudflare.

    Cloudflare is a proxy, so by its very nature it has to decrypt traffic. (I believe their enterprise plans may offer a way around this, but don’t quote me.)

    I wouldn’t worry, however. If someone wanted to attack this site (or any site, really) they’re almost certainly going to have an easier time going after the origin rather than trying to take on a juggernaut like Cloudflare.

    Other posters are correct that cloudflare decrypts traffic. BUT it is highly unlikely that they will see your password in plaintext, since it is best practice to hash the password first on the front-end.
    What solution were you using before Cloudflare?
    Thank you! I will donate tomorrow
    Be aware that you use another server so you might consider donating to them instead.
    I have an account on yours too, but I might split it between both indeed :)
    I’m curious, why bother with multiple accounts? It seems counterintuitive when taking federation into account
    Taking some load from the biggest servers such as LW. I still have a community on LW however, and mod with my local account
    Well, I can’t answer for them but this situation in particular makes it nice to have accounts on different instances. If I can’t log on to/load my lemmy.world account then I can switch to my lemm.ee account and load content there.

    I have accounts on both lemmy.world and outpost.zeuslink.net. I have had a lot of problems with seeing posts from the smaller instance, while lemmy.world has been overloaded due to the massive Reddit exodus and script kiddies.

    I created the account on the smaller instance first, but I’m still having a ton of issues with federation on that one (many communities still come up blank there, while lemmy.world has enough users that I can see everything when it isn’t down).

    So far federation seems to be a lot better since the fix from last week - I can’t say that I’ve seen anything out of place or out of sync myself, but I am trying to keep a vigilant eye out for anything that’s been overlooked!
    Since 0.18.2 I haven’t noticed any federation issues with my own personal instance, nothing obvious anyway.

    I do it for the following reasons:

  • The big main Lemmy servers can and do go down regularly. Having accounts on other instances still gives me the ability to log in and participate in the communities I care about. I sure do wish the underlying federation logic allowed for associating selected logins on various instances together somehow.
  • Testing: often, I will create a post or comment into a community hosted on a different lemmy server and not see it update. When this happens, I’ll log in on the other instance to see what that post or comment looks like from there.
  • Insurance against defederation: I participated/followed some beehaw.org communities before they defederated, and then I was forced to open an account there to continue participating in those communities.