Alright who actually ARE cloudflare? I’m seeing them on every website but idk who they are
if you can provide me a better way to keep my homelab from getting DDoSed every five minutes then by all means, please share it
Just put it behind a wireguard server and don’t expose any ports?
If you absolutely must expose some stuff, get a cheap 3$/mo vps that connects via wireguard to your home and set up a reverse proxy? They almost all come with DDoS protection.
How do I stop a DDOS attack of my website without having port 80 or 443 open, so you can access the website?
Don’t expose the website. That’s the point. Only connect remotely via wireguard.
If you must expose the website, I also provided options in my original post.
I think you misunderstood; if I run a publicly accessible website (like a Lemmy instance), those ports need to be opened.
A cheap VPS hosting https://anubis.techaro.lol/docs/admin/installation/ as a reverse proxy may work. The VPS will do the work of verifying requests and stopping bad requests from hitting the target resource. Though certainly if the DDoS is a matter of a massive botnet raiding your domain it may not work as well as something like cloudflare
Anubis does not prevent a ddos attack and only shifts the saturation point to your VPS. Anubis is the answer for bots and ai scrapers, not DDoS.
Sure, but to someone running a website out of their house, 100,000 bots trying to hit the site at the same time to scrape it is going to have the same effect. So yes, you’re correct, Anubis has nothing to do with stopping a literal DDoS attack, but it does help smaller websites stay alive by avoiding responding to requests from scrapers or one-off malicious agents.
Yes, I’ve addressed this in my original message.
Get yourself a 3$/month VPS, they almost all come with DDoS protection, and reverse proxy from there. Either restrict the ports on your home network to only that IP, or better yet tunnel all the traffic via Wireguard.
Obviously if you’re hosting a large server this is another matter, but nevertheless almost all serious hosting services offer in house DDoS protection.
But the comment I was originally replying to specifically referred to homelabs.
What would be a good resource to, like, relearn modern networking stuff cuz some of these solutions are totally new ideas to me? I was CISCO and A+ certified way back in 2003; but the only thing I ever really used from those classes and training since then was making cables and setting up smaller, simple networks for home or small businesses. I get the sense a fuckton has changed and this exchange made me want to brush up.
A fuckton is an understatement.
I found just doing it the best for me. Start with proxmox hypervisor on some old pc. Start running a bunch of services. Some documentation mentions “here's how you set it up behind a reverse proxy”. “Hmm…what's that” is pretty much how I learned it.
Then compare with people in the homelab communities who are doing differently and find out why.
There is no point in hosting a website if it’s not accessible from the Web.
Again, this thread replying to the original comment is talking about homelabs.
But also, again, this is addressed in the second half of my comment.
Conservatives will get really upset once they realize you are changing genders
What’s a good VPS provider for privacy enthusiasts?
I use Hetzner. It's fine. Boring/10 would use it again I guess?
@DaPorkchop_@lemmy.ml @memes@lemmy.world Is that an actual issue or a hypothetical one? I’ve never had an attack in 10 years of publicly hosting stuff.
As someone else who used to host via an open port, you get random connections all the time. Almost constantly, and the request paths make it obvious they are scanning for vulnerabilities. Via Cloudflare the number of those requests is much lower, as they have to know at least the DNS to do so (and can’t guess it from a presented SSL cert).
Yeah, I see random https and other connections all the time blindly scanning for vulnerabilities. Not enough to cause any real problems though. One time I publicly exposed redis or rabbitmq (can’t remember which) and didn’t set a password, so someone set a password for me :). That’s about the worst that’s happened to me.
It’s the reason I set up cloudflare in the first place, so yeah. I was getting SYN flood-ed to the point that my router would just crash almost immediately, and after rebooting it the attack would resume after a minute or two.
@DaPorkchop_@lemmy.ml @memes@lemmy.world Hm weird, I don’t see why they would spend their resources attacking random people without any kind of demand. Even at work I’ve never seen one happening.
I still believe Cloudflare has most of its customers because of fearmongering tbh.
It’s a bit like saying “having a password on your account is fearmongering, why would anyone try to access your data”.
It’s only fearmongering until you get attacked, and it’s already too late when you do. Better to be proactive.
@Alaknar@sopuli.xyz @memes@lemmy.world Being proactive doesn’t mean you have to hide your personal service behind a billion dollar company. That is precisely the kind of overreaction triggered by fearmongering. If you don’t know how to secure access points or harden configurations, no service will be able to do it for you as if by magic. Not to mention your responsibility towards your users, who may not want to be tracked by a third-party company without their knowledge every time they visit your site (or half of the internet by now).
If you don’t know how to secure access points or harden configurations, no service will be able to do it for you as if by magic
That’s the point. Cloudflare does this as if by magic.
Not to mention your responsibility towards your users, who may not want to be tracked by a third-party company
Cloudflare doesn’t track your users.
As a sidenote - am I reading you correctly? Your main issue with Cloudflare is “they’re large”? Like, if they were “two dudes in a basement” and provided the same quality product as they do now, you’d be happy to use their service?
Get a router that has flood protection? This is like… Extremely basic network protection.
OpenWRT has had configurable syn-flood protection (enabled by default) since like 2010.
Even if the SYN packets were being ignored, the connection would still be unusable if there’s enough incoming traffic for most legitimate packets to get dropped. And as mentioned in other comments, the router in question is a shitty ISP router which can’t be replaced (although I do have a much fancier router with OpenWRT running behind that).
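To make the “configurable syn-flood protection” part concrete, here is an added illustration (not code from anyone in this thread, and not OpenWRT's own implementation) of the global token-bucket rate limit that router SYN-flood rules typically apply: a steady rate of SYNs per second plus a burst allowance. The 25/s rate and burst of 50 are assumed example parameters. The third scenario also shows the point made in the reply above: a global limiter keeps the host from being overwhelmed by half-open connections, but while the flood lasts it drops most legitimate SYNs too, because it cannot tell them apart.

```python
from fractions import Fraction


def token_bucket_filter(arrivals, rate=Fraction(25), burst=50):
    """Apply a global token-bucket limit to a time-ordered stream of SYN arrivals.

    arrivals: iterable of (time_in_seconds, label) pairs, already sorted by time.
    rate:     tokens refilled per second (the steady-state SYN/s allowed).
    burst:    bucket capacity (how many SYNs may pass back-to-back).
    Returns {label: {"accepted": n, "dropped": n}}.
    Fractions keep the arithmetic exact, so threshold decisions are deterministic.
    """
    tokens = Fraction(burst)
    last = None
    stats = {}
    for t, label in arrivals:
        t = Fraction(t)
        if last is not None:
            # Refill for the time elapsed since the previous SYN, capped at the burst size.
            tokens = min(Fraction(burst), tokens + (t - last) * rate)
        last = t
        s = stats.setdefault(label, {"accepted": 0, "dropped": 0})
        if tokens >= 1:
            tokens -= 1
            s["accepted"] += 1
        else:
            s["dropped"] += 1
    return stats


def scenario_burst(n=200):
    # Constructed input: n SYNs in the same instant. Only `burst` of them get through.
    return [(Fraction(0), "flood")] * n


def scenario_steady(n=100, interval=Fraction(1, 10)):
    # Constructed input: one SYN every 100 ms, well under the rate, so all pass.
    return [(i * interval, "legit") for i in range(n)]


def scenario_flood_with_legit():
    # Constructed input: 1000 SYN/s of flood for one second, plus five legitimate
    # SYNs every 200 ms, offset by 0.5 ms so no two events share a timestamp.
    flood = [(Fraction(i, 1000), "flood") for i in range(1000)]
    legit = [(Fraction(j, 5) + Fraction(1, 2000), "legit") for j in range(5)]
    return sorted(flood + legit, key=lambda e: e[0])


if __name__ == "__main__":
    print("burst:", token_bucket_filter(scenario_burst()))
    print("steady:", token_bucket_filter(scenario_steady()))
    print("flood+legit:", token_bucket_filter(scenario_flood_with_legit()))
```

In the mixed scenario the bucket drains within the first 50 ms and then releases one SYN every 40 ms regardless of who sent it, so four of the five legitimate connection attempts are dropped along with the flood. That is why the limiter protects the router's connection table but does not restore service, and why nothing on the LAN side can help once the upstream link itself is saturated.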
You don’t need Cloudflare.
That doesn’t help against a SYN flood.
From what I understand elsewhere in the thread, I believe that’s just a matter of router configuration.
Awesome project, but that’s just one of many features CF offers. Most people I suspect rely on tunnels more than bot protection.
Anubis:3
Host your own cloud worthy anti DDOS solution with fail2ban /s
Honest question, why the /s?
fail2ban is good for preventing spam and DDOS on authenticated endpoints, but it’s harder to prevent attacks on public endpoints against a botnet or even a lazy proxy chain spam, which is why cloudflare adds some cookies and a buffer to handle a wave of new connections and maintain an address rank to drop any bad clients.
Although that being said, cloudflare can be bypassed via other timing tricks and even just using a specific request chain to get fresh cf cookies to avoid getting blocked.
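As an added example (not posted by anyone in this thread, and not fail2ban's own code), here is the kind of check the two observations above describe: the earlier comment that the request paths of random connections “make it obvious they are scanning for vulnerabilities”, and the point that fail2ban works well on authenticated endpoints. It parses a few constructed access-log lines, keeps a sliding window per source IP the way fail2ban's `findtime`/`maxretry` do, and bans an address after repeated login failures or repeated scanner-style probes. The log lines, the IP addresses, the `/login` path and the probe-path list are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format parser (sufficient for the constructed lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths a personal site never serves but scanners ask for anyway (assumed list).
PROBE_PATHS = ("/.env", "/wp-login.php", "/phpmyadmin", "/.git/", "/cgi-bin/")
LOGIN_PATH = "/login"  # assumed authenticated endpoint

# Constructed sample log: a scanner, a legitimate user with stale and fresh
# login failures, and a password-guessing client (all addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2025:13:40:00 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2025:13:41:00 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2025:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2025:13:56:05 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2025:13:56:20 +0000] "POST /login HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2025:13:57:00 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2025:13:57:02 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2025:13:57:04 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2025:13:57:06 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Return a dict of the fields this example needs, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_auth_failure(ev):
    return ev["path"] == LOGIN_PATH and ev["status"] in (401, 403)


def is_probe(ev):
    return ev["status"] == 404 and ev["path"].startswith(PROBE_PATHS)


def evaluate(lines, maxretry=3, probe_limit=2, findtime=600):
    """fail2ban-style sliding window: ban an IP once it has `maxretry` login
    failures or `probe_limit` scanner probes within the last `findtime` seconds.
    Returns {ip: reason}; lines from an already-banned IP are ignored."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)
    probes = defaultdict(deque)
    bans = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ip"] in bans:
            continue
        for bucket, hit, limit, reason in (
            (failures, is_auth_failure(ev), maxretry, "auth-failures"),
            (probes, is_probe(ev), probe_limit, "scanner-probes"),
        ):
            if not hit:
                continue
            q = bucket[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # expire hits older than findtime
                q.popleft()
            if len(q) >= limit:
                bans[ev["ip"]] = reason
    return bans


if __name__ == "__main__":
    for ip, reason in evaluate(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

The legitimate user at 192.0.2.10 has three failed logins in total but only one inside the ten-minute window, so it is left alone; raise `findtime` to an hour and it gets banned, which is the usual tuning trade-off. This also shows the limit the comment above points out: the check keys on a source address, so it does nothing against a botnet where each address sends a single request.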
There was a pretty bad CVE a while back I vaguely recall
The fact that a CVE was found doesn’t make it bad
In fact I’d say if it is handled well, fixed in an appropriate way & communicated correctly, having a fixed CVE should be seen as a good thing.
The alternative, lying to yourself and all your users that your code is perfectly sculpted and reviewed by each godly entity, is not the way.
Could you shell out for a decent firewall? It should be able to protect against the majority of ddos attacks unless someone is paying for something big.
But it really is fine to use cloudflare if you want the ddos protection. I wouldn't feel bad at all.
Crowdsec+pangolin maybe? I would actually like to hear people’s thoughts on this.
If you didn’t piss off one of the big bot groups, then you have likely a configuration issue.
I don't understand why people hate cloudflare so much. Do they see the cloudflare logo when a server is down and assume it's CF's fault?
I deadass got a cloudflare error after reopening this post:
the people on selfhost would be very upset if they could read this.
Though I’m not a big fan of centralization, I use cloudflare. Their DDoS protection is unmatched, they have scraping protection, and just in case they decide to screw their users over, switching to another service is trivial.
I don’t know what Cloudflare is and at this point I'm afraid to ask
Basically they work as a bouncer in front of your website and stop all the undesirables getting in. I.e. AI scrapers. Also if somebody decides they want to try and hack you or otherwise cause problems the bouncer beats them up and you never have to hear about it.
If you use a VPN the bouncer is very suspicious of you and you have to jump through all sorts of hoops to get in, which is why some people don’t like websites using it. Unfortunately there isn’t really a solution since there are a lot of illegitimate uses for having a VPN connection as well, so you have to be suspicious of them.
Ah, thanks, I was wondering this too. What shady stuff are they up to?
Well mostly it’s AI scrapers at the moment (I wouldn’t mind as much if they just chilled out, but it’s like hundreds of connection attempts per second).
The other thing is DDoS which I don’t really have to deal with, but it’s nice to have just in case.
I can stop drinking whenever I want.
If switching is trivial, why not do it now?
Their DDoS protection is unmatched
Is it? Try switching and see how often you are DDoSed.
cloudflare ddos protection is centralization?
Yes, use a competitor at least.
Don’t forget your SSL certificate to prevent man-in-the-middle attacks. 🤪
Don’t forget to have the SSL certificate supplied and managed by Cloudflare, of course 🤫
mTLS would solve your entire man in the middle problems.
Mole vpn
I unfortunately use cloudflare. They apparently charge the same price they pay for domain names.
What better options do we have? I really want to know.
I mean I don’t really have a choice because I don’t see a better way to put my home server on a url because I live in a dorm and can’t port forward or get a static ip
If you don’t have a static IP, how did you get a domain?
I use Cloudflare's tunneling service cloudflared, which allows me to have the service running on my home server and then Cloudflare will automatically make the subdomains point towards the ip
Yeah well if it weren’t for all of the LLM bots and scrapers in general and of course all the Russian and Chinese hackers (they may mostly be script kitties, but they’re still annoying), we wouldn’t need Cloudflare. But they do exist so we don’t really have a choice.
moms 🙄
I use Cloudflare Turnstile because hosting without it is just begging for bots to join my service.