this feels like a nice afternoon to just watch incoming traffic in the system log, flowing by quietly
it's interesting how the pace can be faster or slower. relaxing.
most of this is legit traffic, even if we have minor capacity issues from it. that feels good. the "default" situation with any self-hosting scenario is that most traffic is malicious.
it would be a lot of work to compare for-real, and the point of doing this is to relax, so we won't... but it feels like this is slower than before we put the 429 thing in place. so that's good.
huh. these logs also include the various outbound requests GoToSocial makes. it looks like there's a flurry of those right now, wonder why.
looks like the outbound requests come in waves. neat.
@ireneista hook it up to a noise generator and listen to your server traffic like you're relaxing at the beach
@Osmose oh that would be comparatively easy to do. hm hmm :)
@ireneista I put a 302 in place for requests to .git/* to httped://hil-speed.hetzner.com/10GB.bin and it gives me a chuckle when I see the logs :~)
@ireneista sorry I shouldn't have linked to the actual file...
@fcbsd hah, well, not a problem on our end
@ireneista I realised after I clicked reply that the link was real, so I edited in a panic, but hopefully no one followed that link!
@fcbsd that's a good idea, let's see what the logs do when we say https://irenes.space/
@fcbsd hm it didn't really make much of a splash. ah well :D
@ireneista I was going to telnet in but telnet doesn't do https :~(
@fcbsd netcat (nc) and socat are useful tools for that sort of thing
@ireneista my netcat skills need developing, I'll practice tomorrow evening and send you a hello in the logs :~)
@fcbsd sounds nice! we'll try to remember to check :D
@fcbsd all the html on that page is written by hand and formatted to be as readable as we can manage, including the Atom feed. we recommend 80 columns wide.
@ireneista hand crafted with vi - that's the best way to create html
@fcbsd we're in full agreement

@fcbsd @ireneista I wonder how hard it would be to make a zip bomb type file be returned with the built in compression in http requests for anything malicious looking.

Could just expand to "403 get lost" or something a trillion times.

@jwdt @ireneista I want to play with the PNG expanding image approach, which with a carefully created deflated PNG it expands much bigger so you serve a tiny file that is unpacked much larger on the malicious server

@fcbsd @ireneista you know those git repos that have been causing all sorts of problems recently for (mostly) vibe coders?

Since they're often scraping .git or .env I wouldn't be surprised if you could have it even run ~~malicious~~ defensive code if the scraper bots are built badly enough (or the operator curious enough).

Might be a good way to get your domain flagged for malware though, ironically.

@jwdt @fcbsd yeah or looking for the wordpress admin page on a domain that has never had wordpress is a clear sign of malevolence
@jwdt @fcbsd the easy way to get a comprehensive list of these URL patterns is to spin up a new web server on an IP that has never had one before. within seconds, strangers will come along and gift you with it.
@ireneista @jwdt oh the joys of automating the wrong things
@fcbsd @ireneista or if you can keep connections open inexpensively enough, stream one byte every few seconds for as long as it'll listen.
@jwdt @ireneista there have been a few projects that take the tarpit approach, I've used one with ssh that took several hours to send the initial handshake
@fcbsd @ireneista I think I've used actual ssh servers that felt like they did that.

@jwdt @fcbsd as kids we had a 2400 baud modem

we would telnet into Unix servers and every so often there'd be a latency spike and we wouldn't be able to see what we were typing for several seconds

and if we were doing anything web-related in another window we could track the progress of the web requests by how they affected the telnet session

@jwdt @fcbsd you know, we almost want to make our html and image files respond at a 2400 baud speed cap. for old time's sake, and as an incentive to make sure we keep them small.

(our front page is about 5 KiB, most of which is images, so that should be okay for visitors)

@ireneista building within strictly defined limits is always good, and the web should be instantaneous for everyone

@fcbsd or at least it should be the same speed for everyone, because that's justice

we think intentionally slowing down, for things that don't matter, can be defensible. like, not everything in life has to be instant gratification

@ireneista exactly. My analogy would be I'm always impatient to get a new book, but then when it arrives, it will take me a long time to read it
@fcbsd yeah we've been ordering physical books from a local co-op lately and they take a while to get here and it feels nice
@ireneista @jwdt my first modem was a 56k cardbus modem, but I did once use my Nokia 8210 as a 9600 baud modem...

@fcbsd @jwdt oh wow yes it was very neat to use those phones like that

did you know that when a phone's CPU talks to the SIM card, it uses the Hayes modem protocol to do it?

@ireneista @jwdt that will awaken the memories of AT command sets...
@jwdt @fcbsd the way our infrastructure is set up, that would be trivial if we wanted to do it
@ireneista for reallll, meta's bot and gptbot have been DoSing my website so much I had to take it down for a while and then install anubis

@starlight yeah. we're trying hard to avoid installing a proof-of-waste tool, though we are really super glad that Anubis exists because it's a grassroots approach (cloudflare are the amoral mercenaries of our age)

we're learning a lot from the process of exploring other mitigations, so that's worth it to us

@ireneista yeah, it was pretty frustrating that when I was researching what to do about this situation, pretty much everyone online was saying to use cloudflare. no thanks! I'm happy your mitigations are working!
@starlight thank you! we do have more computational resources we can afford to spend on this than most self-hosters, but still it's really nice to have our head above water with it
@ireneista i like anubis’ default preact challenge, it tests for javascript without any proof-of-work component
@fractal oh! good! we didn't realize that
@[email protected] @ireneista ooh how does that work? is it just like "render this div, then check if it was rendered?"
@nycki @fractal sounds like it, from the description
@ireneista it might be fun to format the log output into a slowly winding river of text.

@cthos ooo..... yes! yes, that would be amazing

System's Twilight, by @zarfeblong, had this virtual "place" within its computer-setting, the river of data. the metaphor has stuck with us through the years.

@cthos maybe the portion that's http traffic could be printed as its three-digit response code

and the portion that's attempts to brute-force the passwords of ssh accounts that don't exist despite the initial response clearly stating that password login is prohibited could be printed as * (denoting an asshole) or something like that

@cthos but hmmm it feels like a lot of it should be the ~ character and we don't know what to map that to
@cthos oh, and we could map the IP spaces onto x-y. then the visualization would make it clear when a lot of traffic is coming from the same ASN, which would be an actual practical benefit lol

@ireneista everything about this idea sounds great. Maybe IP clusters are differently sized rocks that the request ~s flow around.

This might quickly become illegible but it is fun to think through

@cthos oh, yeah there's no way it would be legible, but that isn't really the point of it :)
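As an added illustration of the mapping sketched in this part of the thread (not code from any of the posters): a small Python script that turns a constructed mix of web-server access-log lines and sshd auth lines into a river of glyphs. HTTP requests print as their three-digit status code, password attempts against nonexistent SSH users print as `*`, everything else prints as `~`, and each line's column comes from the source /16, so traffic from one network stacks up in the same place (the y axis here is simply time order). It assumes the common nginx/Apache combined log format and stock OpenSSH log messages.

```python
"""Added example: render a log stream as a "river" of glyphs.

HTTP requests -> their 3-digit status code, SSH password attempts against
nonexistent users -> '*', anything else -> '~'.  The column is derived
from the source /16 so one network's traffic lines up vertically.
Assumes nginx/Apache combined log lines and stock OpenSSH messages.
"""
import re

WIDTH = 60
HTTP_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')
SSH_RE = re.compile(r'sshd\[\d+\]: Failed password for invalid user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)')
IP_RE = re.compile(r'(?P<ip>\d+\.\d+\.\d+\.\d+)')

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:12:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2025:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "curl/8.0"
Jan  1 12:00:02 host sshd[4242]: Failed password for invalid user admin from 198.51.100.23 port 55110 ssh2
198.51.100.44 - - [01/Jan/2025:12:00:03 +0000] "GET /.git/config HTTP/1.1" 429 0 "-" "python-requests/2.31"
Jan  1 12:00:04 host sshd[4243]: Accepted publickey for irene from 192.0.2.10 port 50000 ssh2
"""

def classify(line):
    """Return (glyph, ip) for one log line; ip is None if the line has none."""
    m = HTTP_RE.match(line)
    if m:
        return m.group('status'), m.group('ip')
    m = SSH_RE.search(line)
    if m:
        return '*', m.group('ip')
    m = IP_RE.search(line)
    return '~', (m.group('ip') if m else None)

def column(ip, width=WIDTH):
    """Map the /16 of an address to a column so one network stacks vertically."""
    if ip is None:
        return width // 2
    a, b = (int(x) for x in ip.split('.')[:2])
    return (a * 256 + b) % width

def river(text, width=WIDTH):
    """One output row per log line: the glyph placed at its network's column."""
    rows = []
    for line in text.splitlines():
        glyph, ip = classify(line)
        col = min(column(ip, width), width - len(glyph))
        rows.append(' ' * col + glyph)
    return rows

if __name__ == '__main__':
    print('\n'.join(river(SAMPLE_LOG)))
```

Piping a live `tail -f` of the access and auth logs through `river()` a line at a time gives the slowly flowing version; the 429s from the rate limit and any `*` column that keeps filling up are what to watch for.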