341 points hlandau | 17 comments
mike_d No.37962674
Great callout:

> Don't use Cloudflare or similar services. See my article here for an explanation on why. If you use a service like this, you're basically already MitMing yourself.

I wish more people would realize that when arguing on the internet about CAA, DNSSEC, NSA, etc. that none of it really matters. We willingly allow a government-aligned entity to unwrap 20% of all TLS connections on the internet and peek inside.

replies(3): >>37962900 >>37963174 >>37964536
1. worldofmatthew No.37962900
Cloudflare is horrible for privacy. It is also a bit of a sovereignty issue for European countries to have all their citizens' web habits MITMed by a foreign power (no matter how friendly they seem).

Edit: not even going into the sovereignty issue of having an American private company effectively decide your internet regulations.

replies(2): >>37963087 >>37964622
2. ronsor No.37963087
The EU regularly de-facto tries to decide regulations for other countries. All is fair in a globally connected world.
replies(2): >>37963429 >>37966139
3. Sporktacular No.37963429
Yeah, but it generally goes in the direction of more privacy, environmental and labor standards. Less so from other countries.
4. schleck8 No.37964622
Cloudflare exists out of necessity for the most part. The alternatives to shield from large scale DDoS are all US American too.
replies(4): >>37964747 >>37965678 >>37966385 >>37974403
5. mike_d No.37964747
Which, let's be honest, isn't a problem that 99% of the sites using Cloudflare need to solve. Nobody is going to waste energy and time to attack your blog with your vacation photos.

The huge wave of DDoS extortion attacks that happened 3-4 years ago was mostly enabled by "booter" services that themselves hid from law enforcement behind Cloudflare.

Here is an example: https://therecord.media/feds-seize-ddos-booter-sites-in-late...

Feel free to punch any of the sites they mention into dns.coffee and look at the historical nameservers. All Cloudflare.

replies(1): >>37964870
6. OmarAssadi No.37964870
Beat me to it. More often than not, every time I run into the run-of-the-mill booter or other super blatantly illegal things, at least some portion of the infrastructure is behind CloudFlare.

I don't have enough fingers and toes to count the number of abuse reports I've personally filed that seemingly go nowhere.

OVH at least takes down the booters and other proper malicious stuff. However, copyright infringement reports go ignored to the point where I stopped bothering--not that I had any right to care when I torrented loads, but it was a little annoying that ~$10 software, with no DRM, regional discounts, and a dozen ways to pay still ended up pirated to the point where it wasn't worth selling.

(fun story: I still have email records from when a pretty beloved multi-billion dollar tech company launched their ROG-clone sub-brand and pirated our XenForo plugins to use on their site instead of ponying up $10 -- maybe one day I'll have to ask them for a laptop).

CloudFlare, on the other hand, at best, just passed on whatever I sent in, and whoever their actual providers were never cared either, so nothing gets done. It can feel like racketeering: sign up for protection from the people attacking you ...whom we also protect and refuse to take down.

That said, I think 99% of small sites, personal blogs, etc, really don't need any of the services offered; the most useful offering for most people is literally probably DNS.

Game servers and gaming-related communities, or at least the ones I am most attracted to, are just about the only thing I think requires DDoS mitigation regardless of size. Our little Garry's Mod TTT server with a max player limit of like ~24 people would get attacked a couple of times a week at least.

And good lord, the RuneScape community is another breed of toxic. The way I learned to program was by reverse engineering the game, and we'd work on private servers that were essentially from-scratch MMORPG servers that just emulated the RuneScape mechanics and protocol.

One aspect of the game, though, is PvP -- when you kill another player in the wilderness, unlike in a lot of other MMOs, you get most, if not all, of their items they have on them.

I could perhaps understand DDoSing another player during combat in order to steal their gear. But what made me stunned beyond belief was that when I hosted a "spawn PKing" server (e.g., PvP-only, but you don't have to work for your gear; everything is free - it's just for fun), they'd literally lure each other into TeamSpeak to grab IP addresses and DDoS each other for... nothing :)

(and so you can imagine also just how often we'd get hit with massive attacks ourselves)

7. KronisLV No.37965678
> Cloudflare exists out of necessity for the most part.

I agree with this; there doesn't seem to be that much self-hosted software that someone could (easily) set up for the use cases that Cloudflare serves.

> The alternatives to shield from large scale DDoS are all US American too.

Not only that, but the WAF functionality is also pretty useful. To be honest, the same applies to something like wanting to have CAPTCHAs on your own site - not that many options out there.

As far as I can tell as a hobbyist, if you wanted to host everything yourself:

  - dealing with load: at best you can probably just run multiple nodes with round robin DNS and something like HAProxy, or even just live with Nginx/Apache/Caddy, though all of those would crumble under attack; probably with some resource limits in place so the software getting overloaded just crashes it (with automatic restarts) and doesn't grind the entire server down to a halt
  - WAF: you could get a basic WAF running with something like Apache2 and mod_security, or if you can compile it for Nginx and get it working (a bit annoying to do, also apparently slower than the Apache2 version), or something like Coraza (still new), but even then you need sets of rules; OWASP has some, but they're not updated as often as whatever Cloudflare uses, so the effectiveness of it all is debatable; there's also something like fail2ban, but some people really don't like it for some reason
  - there's also additional stuff you can use, like LibreCaptcha for CAPTCHAs, something like Keycloak or Authentik for SSO and managing your users on prem (especially with mod_auth_openidc), stuff like Matomo Analytics instead of GA, Uptime Kuma for uptime monitoring, even your own self-hosted mail servers if you feel brave; but all of those take effort and need maintenance
And even then, certain things are not an option - you won't be shrugging off huge DDoS attacks and you probably won't be running your own CDN (easily), unless you have bunches of money to spend and the know-how. So of course people would rely on external orgs for whatever they can.
replies(1): >>37974506
8. rini17 No.37966139
That is how American tech monopolies like to paint what the EU does. Lol
replies(1): >>37974437
9. hlandau No.37966385
DDoS protection is standard among hosting providers now, including budget ones like OVH.

The fact that Cloudflare is allowed to continue hosting websites which are obviously illegal, some notorious, is deeply strange. As I wrote in my article on the subject, it makes no sense when you consider the way the US responds even just to copyright infringement; see how they nuked Megaupload's business without trial because they saw them as knowingly enabling piracy. However, it's a known fact that US authorities will keep illegal or disreputable services up if they see them as a source of more intelligence. I can't really see any other explanation for how Cloudflare is allowed to host some of the sites it does without pressure from the US unless it's basically funnelling all of the data to the NSA.

replies(1): >>37974414
10. immibis No.37974403
Most sites don't get DDoSed. https://immibis.com/ has been running without DDoS protection for a long time now. It's as simple as nobody caring to do so. Why would they? What's in it for them?

And if someone does knock it offline, I still don't care. I can wait until they get bored. The site isn't important to me, either.

And if I really do care, Cloudflare encourages people to sign up while they are actively under attack. Of course, it costs money, because you aren't paying with your access logs all the times you aren't under attack.

11. immibis No.37974414
In this aspect, Cloudflare should be viewed similarly to an ISP. Why are ISPs allowed to host illegal sites? Well, they aren't supposed to pay much attention to what they're hosting - it's not their job. But they aren't supposed to protect what they're hosting, either. If they get a court order asking for the details of the subscriber hosting some website, they turn those details over. If they get a court order asking to turn off the service, they will. Governments are fine with this, because they can easily get the details upon request.

Cloudflare should be viewed the same way - they shield you from DDoS, not from the government. They allow everything to be hosted until proven otherwise. Cloudflare doesn't have to police what's hosted through it, because the police can do it easily enough.

There are lots of pirate websites, explicitly designed for piracy, but saying the opposite on their terms and conditions page to create a little plausible deniability. I can't tell you if Megaupload was one of those and I don't know what evidence the government had.

12. immibis No.37974437
dumb question: why do I have the option to downvote your comment, but not many other comments in this thread?
replies(1): >>37980542
13. immibis No.37974506
As a hobbyist, dealing with load consists of upgrading your $5 VPS to a $10 VPS or even a $50 dedicated server from Hetzner(!) - note that *no* other provider has dedicated servers at this price point.

WAFs are heuristics at best. If what you're running on your server is actually secure, you don't need a WAF. If it's not secure, the WAF is guaranteed to let through at least one attack.

CAPTCHAs are difficult. Try to avoid depending on them, but it's fair to use a third-party service if you need one. hCaptcha is pretty easy to integrate right now.

replies(2): >>37976626 >>38007198
14. smw No.37976626
If someone tries to send you more traffic than your link supports, your only way to survive it is if your provider can filter it. Cloudflare will actually do a decent job of that even on the free plans.
replies(1): >>37977160
15. immibis No.37977160
"Survive" is hyperbolic. If someone DDoSes your $5 website and it is down for a day until you sign up for Cloudflare, you do not literally die. You do not need to sell everyone's 24/7 browsing history to Cloudflare to keep your heart beating.
16. greyface- No.37980542
Downvoting is only available for comments that are less than 24h old and not replies to you.
17. greenreaper No.38007198
OVH absolutely does have dedicated servers at this price point, and below - check out their Eco range (previously SoYouStart) or even Kimsufi. Leaseweb often does as well, although they have not been as good a deal recently from my perspective (and can cost more for transfer).