this post was submitted on 22 Jul 2023
2356 points (100.0% liked)

Lemmy.World Announcements

29157 readers
143 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news ๐Ÿ˜

Outages ๐Ÿ”ฅ

https://status.lemmy.world/

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to info@lemmy.world e-mail.

Report contact

Donations ๐Ÿ’—

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Ko-Fi (Donate)

Bunq (Donate)

Open Collective backers and sponsors

Patreon

Join the team

founded 2 years ago
MODERATORS
 

Today, like the past few days, we have had some downtime. Apparently some script kids are enjoying themselves by targeting our server (and others). Sorry for the inconvenience.

Most of these 'attacks' are targeted at the database, but some are more ddos-like and can be mitigated by using a CDN. Some other Lemmy servers are using Cloudflare, so we know that works. Therefore we have chosen Cloudflare as CDN / DDOS protection platform for now. We will look into other options, but we needed something to be implemented asap.

For the other attacks, we are using them to investigate and implement measures like rate limiting etc.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] ulu_mulu@lemmy.world 393 points 1 year ago (1 children)

Thank you for the amazing job, as always! Cloudflare is a solid solution :)

[โ€“] PropaGandalf@lemmy.world 67 points 1 year ago* (last edited 1 year ago) (11 children)

Sure but maybe something less centralized/proprietary would be preferable

[โ€“] woelkchen@lemmy.world 125 points 1 year ago (2 children)
[โ€“] EatMyDick@lemmy.world 95 points 1 year ago (18 children)

Nothing. DDoS mitigation is inherently an ISP or someone like cloudflare. You will not have success against anybody who knows what they are doing without their help.

load more comments (18 replies)
[โ€“] PropaGandalf@lemmy.world 25 points 1 year ago (5 children)

Well for now we'll have to stick around with cloudflare. I'd just would like to see something managed by a decentralized network. I don't know if it exists, it's more of a sentiment or a general idea.

[โ€“] Tibert@compuverse.uk 95 points 1 year ago* (last edited 1 year ago) (3 children)

If you don't know what a content delivery network is, here : https://www.cloudflare.com/learning/cdn/what-is-a-cdn/

A CND is very costly to run in an effective way. And because it is an intermediary server between the user and content server, the market is already pretty full. So competing with the CDN giants is practically impossible in a decentralised manner.

Because of what a CDN does (cache website elements closer to the user, protect the website against ddos...), it cannot be a cheap weak server, or it's the one which will get overwhelmed by the ddos, or even the users.

Another limiting factor is that in decentralisation, that means different companies, and so many separate plans to pay, which is just impossible for a company.

If it was decentralized, a company would have to go and pay 100 different companies (which is more expensive, du to the server costs and each companies having their own staff to may (even if it's just 1 person per company)) just to offer a quick access to the users around the world, which is just impossible.

[โ€“] muddybulldog@mylemmy.win 28 points 1 year ago* (last edited 1 year ago)

A CDN isnโ€™t a great comparison to DDOS mitigations. CDN spreads the load amongst multiple locations that are distinct entities. Any one can be down and the rest functions fine. They generally exist on separate domains and are not inherently codependent.

DDOS requires an inline solution. A layer acting as a man in the middle to deflect or absorb the traffic destined to Lemmy.world, for example. Thatโ€™s not something that can be readily be decentralized while thereโ€™s only one ingress to Lemmy.world.

load more comments (2 replies)
[โ€“] woelkchen@lemmy.world 20 points 1 year ago (8 children)

I think the biggest problem with such services is that they require lots of money to run which means that any well-meaning effort will eventually end up becoming a commercial service.

load more comments (8 replies)
[โ€“] Beetschnapps@lemmy.world 19 points 1 year ago (1 children)

Itโ€™s an interesting question but the knee jerk reaction towards decentralization isnโ€™t always a silver bullet. Bitcoin always screamed that concept while ignoring the role of clearinghouses. Decentralization can actually compound the issue. Not to dispel the solution but good to keep these things in mind.

[โ€“] PropaGandalf@lemmy.world 4 points 1 year ago

It isn't a silver bullet but in this case it is particularly suitable. I mean, the architecture of CDN is decentralised, but all these servers are controlled by ONE company. So why not leave the whole task to an independent network?

[โ€“] johntash@eviltoast.org 12 points 1 year ago (1 children)

You're being down voted, but a p2p cdn is something that sort of already exists. IPFS is probably the most mature. As far as I know, it'd only work for static content though. It's also an entirely different protocol so you'd have to use some sort of local gateway or plugin to make use of it.

I have several vms and dedicated servers that I sort of use as a DIY cdn. No where near as spread out or capable as something like cloudflare, but its also not incredibly expensive to do on a small low performance scale. DDOS mitigation is another story though, generally that is best handled by large networks that can soak up the throughput.

[โ€“] PropaGandalf@lemmy.world 4 points 1 year ago (3 children)

Yeah it's also more of a potential that I wanted to point out. Over the years that I have been involved with blockchain projects, I have developed a feeling for where blockchains and decentralised networks are suitable and where they are not. In this case, however, it seems very feasible to me. In the end, CDNs are nothing more than a server network that caches the data locally and distributes the bandwidth. This is exactly what an independent network could do with the advantage of the blockchain to remunerate the contributions of the individual node operators. But I see that the notion of blockchain triggers a great aversion in most people.

load more comments (3 replies)
[โ€“] SpezCanLigmaBalls@lemmy.world 5 points 1 year ago (2 children)

Wanna know the beauty of Lemmy? If you donโ€™t like how instances are ran you can create your own๐Ÿ™‚

load more comments (2 replies)
[โ€“] ClamDrinker@lemmy.world 44 points 1 year ago* (last edited 1 year ago) (1 children)

That's easier said than done, DDoS mitigation requires a large amount of servers that are only really useful to persist an active DDoS attack. It's why everyone uses Cloudflare, because of the amount of customers they serve there's pretty much always an active attack to fend off. Decentralization wouldn't work great for it because you would have to trust every decentralized node not to perform man in the middle attacks. But if you know of any such solution I'd love to hear it.

[โ€“] PropaGandalf@lemmy.world 6 points 1 year ago (6 children)

Yeah I see the issue but on the other side you would get a more robust network which could also be incentivised by some sort of underlying blockchain technology. The man in the middle attack could also be mitigated on a technical level.

[โ€“] doeknius_gloek@feddit.de 57 points 1 year ago

Oh man, you lost me at blockchain.

[โ€“] Xeknos@lemmy.world 43 points 1 year ago (1 children)

I block anyone who mentions a blockchain.

[โ€“] SatansMaggotyCumFart@lemmy.world 20 points 1 year ago (1 children)
[โ€“] sv1sjp@lemmy.world 4 points 1 year ago (2 children)
[โ€“] TheBeege@lemmy.world 14 points 1 year ago

Chances are that you're being sarcastic, but in the event you're not or if others want to learn...

Interesting tech. Almost zero practically useful applications.

Blockchains are effectively reproducible, verifiable ledger systems. But if the ledger grows infinitely, your storage and compute costs also grow infinitely. I've heard this has been solved, but I haven't seen an implementation yet. (If anyone knows of one, please share!)

Another issue is the proofing system. Bitcoin uses proof of work, which means you need to do more computational work to produce new blocks on the chain. If the computational work grows, that means you need more and more powerful computers. This means increased cost which means centralization as participants with less money to pay for compute get pushed out. Alternatively, there's proof of stake, where having some amount of a token or some similar value/stake allows you to write new blocks. This does reduce the computation cost but still causes those with lots of tokens/stake to get even more tokens/stake, which in turn allows them to spend more for new blocks... which creates a loop towards centralization.

So basically, the technology that preaches decentralization naturally centralizes in practical use over time.

Blockchains are bullshit.

[โ€“] ClamDrinker@lemmy.world 33 points 1 year ago

You can't mitigate a man in the middle attack on a technical level... Because they are a man in the middle... That's the point of using DDoS mitigation. Nothing's stopping them from just sending incoming traffic to a phishing site if a bad actor was in control of it.

[โ€“] Raccoonsteer@lemmy.world 20 points 1 year ago (3 children)

Dunno if this guy is just so stupid or is trolling at this point. Using random tech buzzwords that have no relevance to the issue.

[โ€“] Tubamajuba@lemmy.world 18 points 1 year ago (1 children)

Youโ€™ve never blockchained your decentralized DDoS backend with a bi-duplex CDN enumerator?

[โ€“] Raccoonsteer@lemmy.world 12 points 1 year ago

Well I did mitigate an attack before using quantum entanglement calibrated against the cosmological constant to mitigated carbon decay. Does that count? Oh and, blockchain and decentralized. Haha

load more comments (2 replies)
[โ€“] EatMyDick@lemmy.world 17 points 1 year ago

You are smoking crack. You clearly do not know what you are talking about.

[โ€“] SergioFLS@feddit.cl 4 points 1 year ago (1 children)

You had me until you mentioned blockchain technology. How would a blockchain system help in that regard, anyway?

load more comments (1 replies)
[โ€“] nitefox@lemmy.world 27 points 1 year ago (6 children)

Is โ€œdecentralisedโ€ the new โ€œblockchainโ€?

[โ€“] ellesper@lemmy.world 32 points 1 year ago (2 children)

Well, no. Unlike the blockchain, decentralized platforms aren't snake oil.

[โ€“] BuiltWithStolenParts@lemmy.world 15 points 1 year ago* (last edited 1 year ago) (1 children)

This explains nothing. It's literally saying "one thing is bad, the other thing isn't". Try to explain why instead, if you do happen to have an explanation.

load more comments (1 replies)
[โ€“] Schooner@lemmy.ml 5 points 1 year ago (2 children)

Why are the Lemmy devs asking for snake oil on their Donate page then?

Sitting comfy in a country where the financial system works for you elites is the real snake oil.

[โ€“] TheBeege@lemmy.world 4 points 1 year ago* (last edited 1 year ago) (1 children)

Just because you're smart at writing code doesn't mean you're smart at other things :) Or more likely, maybe they're ideology-driven rather than by practicality.

Lemmy is an unusual but fortunate example of where ideology and practicality line up.

If you can find an entire nation state that runs on crypto currency with a functional, stable economy, I'll eat my words.

load more comments (1 replies)
[โ€“] HeavenAndHell@lemmy.world 4 points 1 year ago (1 children)

........what are you even talking about? Your sentence makes zero sense.

load more comments (1 replies)
load more comments (5 replies)
[โ€“] zeograd@lemmy.world 21 points 1 year ago (4 children)

Which viable alternative could work to mitigate ddos?

Out of my head, I think OVH offers such a service (but without free tier).

[โ€“] kalepa@lemmy.world 11 points 1 year ago

OVH is cheap but their anti-spam/abuse departments are ineffective. Too often they do not action blatant spam reports so in effect OVH is part of the problem with network abuse on the Internet. I've had to blackhole many of their netblocks while the people who run mxroute (solid email providers) have written about doing the same.

OVH needs to clean up their act.

load more comments (3 replies)
[โ€“] fubo@lemmy.world 13 points 1 year ago* (last edited 1 year ago) (1 children)

There are a couple elements that a DDOS mitigation system needs to have.

It needs to be able to absorb the raw network traffic of the attack. A purely volumetric attack seeks to just overload the network pipes that lead to the servers. This can be with junk packets that don't even make sense to an OS kernel, but have a valid destination IP address so they get through the routers. If the DDOS mitigation system acts as a filter in front of the servers, it has to not get overloaded in the same way the routers do.

It needs to allow good traffic through to the servers. If the attack causes the pipes to just shut down and reject all traffic, then the attack has succeeded. So the mitigation system has to distinguish attack traffic from good traffic, and keep the pipes open enough to let the good traffic through.

For attacks trying to do expensive stuff on the database, or create spam posts, one useful reflex the system can have is to notice when an endpoint is doing those attacks, and then block it at the network layer.

That is not necessarily easy, and it requires control of the network ingress, which arbitrary hosting providers may not be able to provide.

load more comments (1 replies)
[โ€“] Raccoonsteer@lemmy.world 8 points 1 year ago* (last edited 1 year ago) (2 children)

This isn't a helpful reply. There's no reason to just call someone a name without even explaining why you think what he said is moronic.

load more comments (1 replies)
[โ€“] thews@lemmy.world 8 points 1 year ago

The goal is to mitigate attacks, it costs a lot of money to purpose build world spanning networks than can absorb large amounts of traffic. P2P type options are not a good fit.

load more comments (4 replies)