Apart from running it well and keeping up to date (recent update seems to have gone well, with a nice example of instances and admins helping each other!?), some redditers seek the big instances?? Curious how communities will adapt.
@maegul@ruud@fediversenews
I wish they would make signups a little more complicated so people go to other instances. There shouldn't be two big instances and a bunch of smaller ones.
Note as well that Lemmy World is now centralized by Cloudflare. If only they woudn’t hide that fact & inform users about the consequence, perhaps more users would be steered toward a balance.
@digitalRightsNinja@md@maegul@fediversenews By the way we’re now working on a change to our signup page so it will guide people to choose from a list of other Generic instances.
@digitalRightsNinja@md@maegul@fediversenews That can be considered. As mentioned in the post, using CF was an emergency measure, because we knew it worked for some other instances. We’ll be looking into alternatives as soon as the script kiddies gives us some time to breathe
@ruud
Whenever a site starts using #Clouldflare as an attack response, they almost never mention it or the consequences. When pressed about it, the “I’m under attack” PR move is just an excuse/cover for action. A reluctant CF user should take the opportunity to fully inform users.. have statements like “we are using CF under protest & are exploring alternatives; plz be aware that your usernames, passwords, DMs will all be visible to Cloudflare Inc. until we recover, and some segments of readers will be unable to read your posts”.. etc.
In any case, I’m grateful that it was at least announced to users & that new registrants may also get the msg. It’s a shame most users don’t really grasp the consequences.
@digitalRightsNinja@md@maegul@fediversenews If you would know any alternatives, which are less problematic, that would be appreciated. Preferrably some who are large enough to handle ddos. I only know of a few like Fastly, Bunny etc and would need to do proper investigation to find a suitable replacement. I think some others in our team know a few.
@ruud
I had a list of competing commercial alternatives somewhere.. maybe I can dig it up. But I would certainly touch base with jerry@infosec.exchange because I think he dealt with attacks quite cleverly without having to use CF or any MitM of that kind. Part of his solution involves standing up an onion host & redirecting tor traffic there. But before that step, he has a way of tar-pitting suspicious traffic on the clearnet side. There is also a fedi user “tallship” who suggests having a few VPSs geographically spread out and load-balanced with some fancy DNS stuff that’s over my head.
@ruud There’s also a baby step in the right direction that can be taken to minimize CF exposure until a permanent fix is established: a site can use a Cloudflare NS service but not the reverse proxy service. When the server load hits a set threashold it can turn on the CF proxy on-the-fly until the load drops. So at least during off-peak moments users have a chance at not being exposed to or blocked by CF. This approach is used by forum.fail and kbin.social, last time i checked.
@digitalRightsNinja Well I think that wouldn’t work preventing a DDOS, as you’re exposing the IP when U don’t proxy, so the attacker will probably use that IP to attack, so then CF is useless. It will work when U only use it for CDN in case of high load.
@ruud An attacker can always get your IP from DNS history sites anyway. I guess what needs to happen is the moment the CF proxy is turned on, the firewall of the actual host would have to drop all packets from all IPs that are not CF, because only CF traffic should be coming at that point.
Add comment