/tech/ - Technology

Buffer overflow

Imageboard protection Anonymous 07/16/2020 (Thu) 09:13:43 No. 14263
When creating an imageboard site, how do you:
1. Protect it against severe Layer 7 DDoS attacks (which are far more complicated to fight than the normal Layer 4 attacks because VPS providers only protect against the latter) without relying on Cloudflare shit
2. Protect it against spammers who use a script utilizing a paid captcha solving service, rendering (built-in) captcha protections useless
I've thought about this a long time myself and even asked imageboard software devs themselves but nobody knows an effective solution. I guess Layer 7/application layer DDoS attacks (which use the URL, not the IP) could be prevented by going .onion-only (which means it'll never become a busy site) but that still leaves the spamming problem.

Anonymous 07/16/2020 (Thu) 10:12:59 No.14264
>but that still leaves the spamming problem
Set TPH limit, captcha per post, wordfilters.
Captcha at meguca is unsolvable by bots and you need to click anime characters.
Don't have /b/, /v/ or /pol/ and also don't have custom board creation.

Anonymous 07/16/2020 (Thu) 16:35:03 No.14265
>Set TPH limit
You can spam random existing threads.
>captcha per post
See OP.
Random strings can be spammed.

Anonymous 07/19/2020 (Sun) 16:01:57 No.14267
Websites are the mistake.

Anonymous 07/22/2020 (Wed) 05:56:30 No.14273
What solution do you propose?

Anonymous 07/24/2020 (Fri) 07:53:32 No.14277
Older and simpler protocols that don't have the overhead of HTTP, and that are much easier to write clients & servers for, and where those clients & servers can run comfortably on archaic/weak hardware that isn't full botnet garbage with bloated modern cuck OS on top of it.
And something that doesn't fail when connections time out and the host isn't reachable. NNTP is a good example here. You can make batch transfers instead of needing an active connection to a server, and the whole thing is a store & forward network, so even if some servers get DoS'd, the system is still running. The cunts would have to DoS the entire network that's distributed across many countries and backbones, so they will just waste their time if they try. And there's also the option of doing out-of-band batch transfers (not on the regular network) to mitigate DoS at any particular node. Since the medium is text and it doesn't use much disk space or bandwidth, you have a lot of options for viable alternative OOB solutions. That way you can keep nodes up-to-date even while they're being DoS'd, and when the cunts switch to DoS'ing a different server, the one they just left can come back online fully ready.

Anonymous 08/11/2020 (Tue) 12:53:26 No.14288
As someone who runs a DDoS protection service (30k+ sites) I can tell you now that rate limiting is your best friend.

Always use the latest stable version of Nginx. Learn about rate limiting in Nginx and connection limiting. This alone will stop the majority of L7 floods. You may want to have a look at OpenResty and learn a bit of Lua, it's a very powerful and very fast (when using LuaJIT) way to customise Nginx to your needs.

Use hCaptcha and not Google Captcha. Not only is it actually privacy respecting (or so they claim), but almost all of the paid captcha solving services don't work with hCaptcha.
And don't think for a second that switching to Tor will block the L7 floods, because it won't. If anything, it makes it a lot easier to bring down your site because not only are you more vulnerable to L7 attacks, you are now once again vulnerable to L3/4 attacks.

Other helpful stuff:
Just block ICMP altogether, it's not needed and eats up your CPU.
Look at Javapipe and their iptables blog post to help you with blocking TCP attacks which can bypass regular L4 protection (also helps with L7 floods).
Don't waste your time trying to block L7 floods with Tor. They can still bring down your circuits.
The more threads/cores your server has, the easier it is to deal with L7 floods.

Remember that enough bandwidth will still bring your site down. If you have a 1Gbit port and someone is generating 1Gbps of L7 traffic, you will go down. If there's enough unique IPs and slow enough packets per second, you will go down.
You can have the best DDoS protection in the world but enough traffic will still bring you down.
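
The Nginx request-rate and connection limiting recommended in the post above, sketched as a configuration. This is an added example, not something posted in the thread; the zone names, rates, hostname, `/post` path and backend address are assumptions to adapt to the imageboard software in use.

```nginx
# Added example: zone names, rates, hostname, paths and the backend
# address are assumptions. Place inside the http { } context.

# Per-client-IP request-rate state; $binary_remote_addr is a compact key.
limit_req_zone  $binary_remote_addr zone=browse:10m  rate=10r/s;
limit_req_zone  $binary_remote_addr zone=posting:10m rate=6r/m;

# Per-client-IP count of simultaneous connections.
limit_conn_zone $binary_remote_addr zone=peraddr:10m;

# Answer throttled clients with 429 instead of the default 503, so
# throttling is distinguishable from real backend failures in the logs.
limit_req_status     429;
limit_conn_status    429;
limit_req_log_level  warn;
limit_conn_log_level warn;

server {
    listen 80;
    server_name board.example;            # placeholder hostname

    # Cap concurrent connections from a single address.
    limit_conn peraddr 20;

    # Close connections that send headers or bodies too slowly.
    client_header_timeout 10s;
    client_body_timeout   10s;

    location / {
        # A page load fetches several resources at once: allow a short
        # burst, serve it without delay, and reject anything beyond it.
        limit_req zone=browse burst=20 nodelay;
        proxy_pass http://127.0.0.1:8080; # hypothetical backend
    }

    # Hypothetical posting endpoint: far stricter than browsing,
    # roughly one post every ten seconds per address.
    location = /post {
        limit_req zone=posting burst=2 nodelay;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

These limits are keyed per client address, so they throttle a small number of aggressive sources; they do not address the case the post ends on, where many unique IPs each stay under the limit or the port itself is saturated.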
