Today, like the past few days, we have had some downtime. Apparently some script kiddies are enjoying themselves by targeting our server (and others). Sorry for the inconvenience.

Most of these ‘attacks’ are targeted at the database, but some are more DDoS-like and can be mitigated by using a CDN. Some other Lemmy servers are using Cloudflare, so we know that works. Therefore we have chosen Cloudflare as our CDN / DDoS protection platform for now. We will look into other options, but we needed something implemented ASAP.

We are using the other attacks to investigate and implement countermeasures such as rate limiting.
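The rate limiting mentioned above, as an added example that is not code from lemmy.world or the Lemmy project: a per-client sliding-window limiter with a separate, tighter budget for database-heavy endpoints, run over a constructed stream of request records. The client addresses, request paths, window sizes and limits are all assumptions chosen for illustration.

```python
"""Sliding-window rate limiter run over constructed request records.

Added example, not code from lemmy.world or the Lemmy project. The request
records, client addresses, paths and limits below are constructed for
illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Limit:
    """Allow at most `max_requests` per `window_seconds` per client key."""
    max_requests: int
    window_seconds: float


@dataclass
class SlidingWindowLimiter:
    limit: Limit
    # per-client deque of request timestamps still inside the current window
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        cutoff = now - self.limit.window_seconds
        # drop timestamps that have left the window
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit.max_requests:
            return False  # rejected requests do not consume budget
        q.append(now)
        return True


# Tighter budget for endpoints that hit the database hard (search, login),
# looser budget for everything else. Prefixes and limits are assumptions,
# not Lemmy's real configuration.
EXPENSIVE_PREFIXES = ("/api/v3/search", "/api/v3/user/login")
GLOBAL_LIMIT = Limit(max_requests=20, window_seconds=10.0)
EXPENSIVE_LIMIT = Limit(max_requests=3, window_seconds=10.0)


def classify(path: str) -> str:
    return "expensive" if path.startswith(EXPENSIVE_PREFIXES) else "cheap"


def run(records):
    """Apply both limiters to (timestamp, client, path) records in time order.

    Returns (timestamp, client, path, decision) tuples where decision is
    'ok', 'limited:global' or 'limited:expensive'.
    """
    global_lim = SlidingWindowLimiter(GLOBAL_LIMIT)
    expensive_lim = SlidingWindowLimiter(EXPENSIVE_LIMIT)
    out = []
    for ts, client, path in sorted(records):
        if not global_lim.allow(client, ts):
            out.append((ts, client, path, "limited:global"))
            continue
        if classify(path) == "expensive" and not expensive_lim.allow(client, ts):
            out.append((ts, client, path, "limited:expensive"))
            continue
        out.append((ts, client, path, "ok"))
    return out


def summarize(decisions):
    """Count decisions per client, e.g. {'203.0.113.7': {'ok': 3, ...}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, client, _, decision in decisions:
        counts[client][decision] += 1
    return {c: dict(d) for c, d in counts.items()}


# Constructed sample traffic (documentation address ranges): one client fires
# 30 search requests in six seconds, another browses at a normal pace.
SAMPLE = [(i * 0.2, "203.0.113.7", "/api/v3/search?q=x") for i in range(30)] + [
    (0.0, "198.51.100.4", "/api/v3/post/list"),
    (1.5, "198.51.100.4", "/api/v3/comment/list"),
    (4.0, "198.51.100.4", "/api/v3/search?q=lemmy"),
    (7.0, "198.51.100.4", "/api/v3/post/list"),
]

if __name__ == "__main__":
    for client, counts in summarize(run(SAMPLE)).items():
        print(client, counts)
```

On the sample traffic the search-hammering client gets 3 requests through, 17 rejected by the expensive-endpoint budget and 10 rejected by the global budget, while the normal client is never limited. One caveat when a CDN such as Cloudflare sits in front of the origin: the origin sees the CDN's addresses as the TCP peer, so a per-client limiter there must key on the original client address that the proxy forwards in a request header, and must only trust that header on connections that actually come from the proxy.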

  • @[email protected]
    116 · 2 years ago

    I don’t understand why people want to take down websites. Especially sites like Lemmy, which isn’t exactly sticking it to anyone because no one owns it!

    Are they just Reddit groupies?

    • @[email protected]
      -5 · 2 years ago

      With my tinfoil hat on, I’d say one concern is that Cloudflare is basically a monopoly and nothing is stopping them from DDoSing sites to force them to use their product.

      • @[email protected]
        4 · 2 years ago

        While it’s good to be suspicious, I don’t think we can call CloudFlare a monopoly quite yet.

        Akamai is a big, giant competitor. You also have the big cloud providers like AWS that have their own CDN systems, like CloudFront. (I don’t recall GCP’s or Azure’s product names.) Then you have specialized CDNs like Google’s AMP system.

        Now, is it possible that there could be a horizontal trust between these companies? Certainly. There’s few enough players for that to happen, but so far, I haven’t seen signs of it happening.

    • @[email protected]
      11 · 2 years ago

      I was using voip.ms last year when they were DDoS’d for over a week, by a group demanding payment via anonymous crypto. The DDoS ended when they switched to CloudFlare (which was probably pretty difficult because they’re a SIP provider.)

      Almost any website with a small number of servers is vulnerable to this attack, which happens to be great business for CloudFlare. I wonder which companies are most effectively competing with CloudFlare?

      • @[email protected]
        19 · edited · 2 years ago

        There are others, but I think the craziest thing about Cloudflare is its basic level of protection is free. Free, unmetered, DDOS protection. It’s so popular because so many hobbyists use it for free, and are familiar with it. Then they convince their workplaces to adopt it when the need arises because they are already familiar with it.

        They make money by selling support to companies, and selling access to some more advanced features (that often have a free tier as well). It’s honestly so impressive, it made me wonder how much they actually make because it seems unnecessary for most to pay at all. Turns out they cleared almost a billion dollars in revenue in 2022.

    • @[email protected]
      145 · 2 years ago

      For most hackers or wanna-bes (often called Script Kiddies, that is, people (generally young, even children thus the “Kiddies”) who are not technologically inclined enough to be real hackers and see a tutorial online on how to run pre-written scripts that repeatedly perform various functions), the answer to “Why do you do it?” is often:

      1. “Because I was bored.”

      2. “Because I can.”

      Very rarely are other reasons given.

    • @[email protected]
      6 · 2 years ago

      Nah, it’s not the 00s anymore. Hacker gangs are a real thing today.

      I’m not actually in the security field so take this with a grain of salt. But I believe that these attacks play a similar role to random attacks in low level gangs. It proves that your criminal group has power and the ability to deface a website.

      So if you publish that Lemmy.world will go down next week because your hackers are on it… It’s advertising. It’s just business. It proves that your hackers have an ability and that you are up for sale.

      • @[email protected]
        1 · edited · 2 years ago

        Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding…

    • @[email protected]
      35 · 2 years ago

      Some people enjoy causing suffering to others. On the internet they are termed trolls. Irl people usually just call them assholes. Most people have encountered them before.

      I think they are far more common and likely than anyone giving two shits about reddit.

    • @[email protected]
      11 · 2 years ago

      They’re just trolls. Lemmy is popular enough that it’s a fun target for them, but still small and infantile enough that you don’t have to be hackerman to DDoS it. Reddit, Twitter, etc… would be constantly getting DDoS’d just for the lulz by people if they didn’t have the infrastructure to make it a challenge.

  • @[email protected]
    2 · edited · 2 years ago

    http://crimeflare.eu.org lists reasons why not to use Cloudflare, though IDK if it’s just ultra-privacy oriented warnings or something else…

    Not sure if I should be upset, although the claim of CF potentially sniffing passwords/credit card details/other sensitive information across various websites sounds plausible to me (some websites even have a TLS cert verified by “Cloudflare, Inc.”!) 🤷‍♂️

    • @[email protected]
      9 · 2 years ago

      They would be completely ruined if they were doing any of these things and proven to be doing them. Nothing to worry about for now.

      • @[email protected]
        3 · 2 years ago

        Yeah, you’re right. Just because they can doesn’t mean they have to. We might not know what they’re up to behind doors and for me it’s horrifying to know the potential damage but hopefully it’s in good faith.

  • @[email protected]
    168 · edited · 2 years ago

    Imagine hosting a service for anyone else to use it, free of charge, no ads, free & open API, yet some idiots think it’s fair to (D)DOS it.

    There are more “interesting” targets, worst case - Reddit, who thinks everyone is just a number/noise.

    Just leave Lemmy alone. :(

      • @[email protected]
        7 · 2 years ago

        Most likely their parasocial fans. The Reddit stans who want to be edgy and follow their meme leader. Who will never acknowledge them no matter how much they do.

        It’s sad that they could target the real people making the world worse, yet only prop up the people who are oppressors.

    • @[email protected]
      42 · 2 years ago

      we will all still be here when their hyperactivity wears off.

      with the old Reddit simulator, personally I’m not going anywhere anytime soon. This place has a great user base and it feels so old-school.

      • @[email protected]
        2 · 2 years ago

        With the new layout with old.lemmy I came back, and new apps are coming out for it. It’s been a good replacement. Was on tildes, but got banned for just discussing difficult topics…the admin there is just ban happy and yeah he owns the site but will just ban people for no reason. Not to mention that the users over there, assuming new people are using the malicious tag as a down vote button which probably goes right to the admin. So you step out of line and you get banned. I really liked the place too, but it’s not wanting to be a serious place to discuss topics with an admin like that.

    • @[email protected]
      18 · 2 years ago

      I wonder if the owners of deddit, fb, tweetster, et al, might think it financially worthwhile to cause disruption in the fediverse, and even its ultimate failure.

      • R0cket_M00se
        21 · 2 years ago

        I wouldn’t be surprised, we didn’t take their whole user base or anything but it’s in their interest to keep viable competitors out of the way.

        • @[email protected]
          8 · edited · 2 years ago

          Every account they lose hits them in the pocketbook. The bigger the fediverse gets, the more adherents, the greater the momentum it will have and the harder it will be to stop.

          Nipping it in the bud is the best, easiest, and least expensive place to nip it.

          The downvotes suggest their operatives are reading the comments.

          • TheSpookiestUser
            12 · 2 years ago

            The downvotes suggest their operatives are reading the comments.

            Let’s not do this. People are allowed to downvote without being a paid operative. This was a very common mentality on Reddit I would like to avoid here.

            • @[email protected]
              3 · 2 years ago

              What makes Lemmy interesting is that you can see the combined upvotes and downvotes. It’s not a “net” votes system like some shithole site whose name I will not mention. So I think people can read into the voting system much more than they might have been able to do on some other awful and alienating place.

              But, I too disagree with the conspiratorial comment that there are operatives downvoting people on Lemmy, as if that could do anything meaningful. I think the notion that Lemmy is being hacked because the major social media companies are afraid of it, is also very extreme and conspiratorial.

              I agree we should support this community and people’s ability to react positively or poorly to a post or comment.

          • Cris
            27 · 2 years ago

            Counterpoint- people are downvoting because they think it’s unlikely and many people are inherently guarded against conspiratorial thinking- especially if they think it’s unrealistic.

            Whether you think it’s happening or not, the idea that the only reason anyone would downvote is because they’re “operatives” of the big social platforms is kind of out of touch with the fact that there are lots of people who don’t think like you do. I’m a real person, love open source, and love the fediverse (have 3 lemmy accounts, plus an account for mastodon and pixelfed each) and I was tempted to downvote certain comments just because they seemed silly and a bit like fearmongering that there’s a big bad boogeyman out to get us.

            I hope I’m being clear, communicating on the internet devoid of tone or facial expressions is hard- my point isn’t that your perspective is silly, my point is that there are lots of people who would sincerely see it that way and disagree with you. Assuming that being disagreed with is a sign of the sort of conspiratorial situation you’re describing is a self-fulfilling prophecy. I hope I’m not coming across as hostile, that isn’t my intent.

            Personally I think the other platforms are unlikely to see the fediverse as a problem until it proves it can be, because CEOs are stupid, and after eons of not having meaningful competition in this space I think they’re likely to be overly proud and look down on our nice little platform. I think it’s far more likely it’s just the internet being shitty because lots of people on the internet like breaking or ruining anything they can, regardless of whether it’s a good thing to have exist. I could very easily be wrong, and perhaps other platforms’ owners do want to kill what we have before it can manifest into something bigger, but either way there are lots of sincerely held perspectives that might drive someone to downvote some of the comments here just because they think the situation being described is unrealistic.

            • @[email protected]
              6 · 2 years ago

              Points well made and taken, thanks. No hostility perceived at all.

              Reasonable minds can differ and frequently do. And it could be that people may think my suggestion is unrealistic or even silly.

              There’s no shortage of miscreants out there who just like to mess with things, throw wrenches into spokes, etc. And these types could well be behind the daily local issues.

              But here’s an important point, and no offense intended. Corporations are like The Terminator. But instead of getting Sarah Connor, they pursue profits. And regardless of CEO intelligence or acumen, every Fortune 500 company has a department that deals in these areas. They all have their skunk works and use them. It’s been this way for centuries. A primer: https://en.m.wikipedia.org/wiki/Industrial_espionage

              So whether they’re operating here atm or not, there is nothing paranoid about assuming they are. If they’re not, they will be. It’s what they do.

              Thanks for the input. :)

              • Cris
                4 · 2 years ago

                But here’s an important point, and no offense intended. Corporations are like The Terminator. But instead of getting Sarah Connor, they pursue profits. And regardless of CEO intelligence or acumen, every Fortune 500 company has a department that deals in these areas. They all have their skunk works and use them. It’s been this way for centuries. A primer: https://en.m.wikipedia.org/wiki/Industrial_espionage

                Lol, all very fair, corporations suck and are prone to doing anything shitty they can think of to even marginally improve their bottom line. It’s an understandable sentiment.

                I’m glad I was able to convey what I meant without it coming across as my being a dick :)

                Take care! ❤️

                • @[email protected]
                  4 · 2 years ago

                  It’s an important life skill, being able to plant a thought in the mind of another and in a way that is likely to be accepted.

                  It crossed my mind since my last writing that, in the 80s, I got a money back guarantee for any counter-surveillance equipment purchased that didn’t reveal surveillance equipment in a Fortune 100 facility. It was that pervasive back then. And my perception is that morals and business ethics have not improved in the interim. Far from it.

                  Good luck and thanks for the valuable, respectful input.

            • @[email protected]
              2 · 2 years ago

              I agree, many of them appear to be edgy script kiddies upset that people don’t wanna use their precious reddit anymore.

  • M-Reimer
    6 · 2 years ago

    How does cloudflare work? Do you install the private SSL certificate there and so cloudflare can see all traffic, including passwords, in plain text or is the path from browser through to your server still encrypted?

    • @[email protected]
      15 · 2 years ago

      Cloudflare decrypts to do the ddos protection, then reencrypts to the server.

      If you are worried about security, cloudflare is provably more secure than any lemmy server.

      • M-Reimer
        2 · 2 years ago

        But it still is a really bad idea to route big parts of the internet through one proprietary system. There have to be other ways to solve this.

        • @[email protected]
          0 · 2 years ago

          Not if you want to provide a website accessible through modern web browsers.

          If you want stable and distributed resources you need tech like bittorrent which survived everything the entertainment industry had to throw at it.

          If you want a website, you need cloudflare.

    • @[email protected]
      4 · 2 years ago

      Other posters are correct that cloudflare decrypts traffic. BUT it is highly unlikely that they will see your password in plaintext, since it is best practice to hash the password first on the front-end.

    • @[email protected]
      10 · 2 years ago

      Cloudflare is a proxy, so by its very nature it has to decrypt traffic. (I believe their enterprise plans may offer a way around this, but don’t quote me.)

      I wouldn’t worry, however. If someone wanted to attack this site (or any site, really) they’re almost certainly going to have an easier time going after the origin rather than trying to take on a juggernaut like Cloudflare.

  • @[email protected]
    40 · 2 years ago

    It’s not. People hate large companies that have a dominant position in their industry. Usually, that’s fair. However, in the case of DDoS protection, you have to have a large overbearing presence to be able to have the capacity to withstand such attacks. People don’t know how to see through what’s typically true for what’s true in this case. Do I like having a dominant player in an industry? Not particularly. Do I understand why it’s necessary in this case? Yes.