Hi,

I wonder what are suitable methods to protect a Lemmy instance against DDOS attacks.

For example, can we use Cloudflare? Or it could break the federation?

Any ideas/suggestions?

  • DessalinesA
    link
    fedilink
    arrow-up
    9
    ·
    3 years ago

    Unless your VPS host has good DDOS protection, there really isn’t a good answer. Cloudflare should never be considered as they are a man in the middle, who gets every web form post ( think username and passwords ), unencrypted.

    • arbocenc@collapse.cat
      link
      fedilink
      arrow-up
      1
      ·
      3 years ago

      Passwords should never go unencrypted, shouldn’t they? For example, my mail password doesn’t travel unencrypted using using tls, etc. Nor my passwords travelling using https, do they?

      So, are Lemmy passwords traveling unencrypted??

      • Arthur BesseA
        link
        fedilink
        arrow-up
        10
        ·
        3 years ago

        When a website uses cloudlfare, TLS encrypts the connection (including passwords, etc) from your web browser to cloudflare - not from your browser all the way to the actual site you’re logging in to. (Then, if the request can’t be satisfied by cloudflare’s cache, there is another TLS connection from cloudflare to the “origin server”.)

        In either case, Cloudflare sees everything sent to hostnames hosted by them.

        Some sites might have your password sent to a different hostname that isn’t hosted by cloudflare, in which case they wouldn’t see your password, but, they would typically still see the resulting session cookie which allows someone to log in as you.

        Cloudflare is like any other machine-in-the-middle attack except instead of being something everyone knows they should avoid, it somehow is a service that some people actually pay for (perhaps because they like to imagine that their website might one day be so popular that their VPS would insufficient to serve it).

        In case you actually do need a CDN (and I’d guess 99.9% of cloudflare sites don’t), the correct way to do it is to use the CDN only for static content like images and video. Ideally the CDN shouldn’t need (or have) any cookies, and, if you don’t want to give the CDN (or malicious parties acting under their authority) the ability to hijack your users accounts, then you shouldn’t rely on them for hosting javascript either.

      • pinknoise
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        3 years ago

        Websites usually use transport encryption but the password itself isn’t encrypted. There are authentication schemes that won’t send plaintext passwords (by involving some kind of challenge) but they won’t work without javascript (except http digest access authentication but thats no good) and you shouldn’t ask web-developers to implement them since they will find a way to fuck it up.

  • MrWiggles@prime8s.xyz
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    I’ve tried using proxy protection with cloudflare, but it breaks access to the site and just about every external replication service. Maybe something about pointing a proxy at a proxy? You still get telemetry, so you’d likely still go down without that protection, but at least you get reports in the cloudflare console about what ips to blackhole in your firewall.

    YMMV