|
Sniep posted:a problem more cheaply solved for with a varnish or nginx proxy in front of the sa origins with separate addressing vs paying cloudflare rates but *shrugs* 
|
#
?
Jul 8, 2017 23:43
|
|
|
|
| # ? Apr 19, 2024 23:24 |
|
|
akadajet posted:ya. i'd never know cloudflare existed if they didn't keep showing their poo poo to me when stuff breaks lowtax can turn that off by enabling origin error pages btw, it's optional to use cloudfront's middleman errors and they don't intend to inject them as a branding effort its more diagnostic help 💸
|
|
#
?
Jul 9, 2017 00:02
|
|
|
Sniep posted:a problem more cheaply solved for with a varnish or nginx proxy in front of the sa origins with separate addressing vs paying cloudflare rates but *shrugs* hows this gonna stand up against some kid with a tens of gbps's booter you need to hide your origin ips cos as soon as they get hit directly your upstream provider is gonna nullroute them, you cant jump behind cloudflare at that point cos its too late
|
|
#
?
Jul 9, 2017 00:23
|
|
|
Rufus Ping posted:you need to hide your origin ips cos as soon as they get hit directly your upstream provider is gonna nullroute them, you cant jump behind cloudflare at that point cos its too late lol
|
|
#
?
Jul 9, 2017 00:27
|
|
|
there's like 835915 better answers than just paying cloudflare to do it if you dont wanna have your own frontend to protect your origins fine, get a shittier cheap CDN to do it, still end of the day a DNS flip to put cloudflare in front and only pay for it when you need it i've done this multiple times, it's not hard, but hey feel free to pay cloudflare all of the money you want to
|
|
#
?
Jul 9, 2017 00:28
|
|
|
gently caress cloudflare!!!
|
|
#
?
Jul 9, 2017 00:55
|
|
|
qhat posted:gently caress cloudflare!!! 
|
|
#
?
Jul 9, 2017 01:24
|
|
|
lol blaming cloudflare for SA's origin going down because richard doesn't disable the diagnostic page on cloudflare is lol
|
|
#
?
Jul 9, 2017 01:27
|
|
|
what am i missing? ime the immediate reaction of most hosts is to promptly poo poo themselves and blackhole your ips upstream of their routers. they'd probably be pretty reluctant to give you new ips if the ddos is ongoingSniep posted:there's like 835915 better answers than just paying cloudflare to do it Sniep posted:i've done this multiple times, it's not hard, but hey feel free to pay cloudflare all of the money you want to
|
|
#
?
Jul 9, 2017 01:27
|
|
|
cloud flare is fine.
|
|
#
?
Jul 9, 2017 01:36
|
|
|
Rufus Ping posted:what am i missing? ime the immediate reaction of most hosts is to promptly poo poo themselves and blackhole your ips upstream of their routers. they'd probably be pretty reluctant to give you new ips if the ddos is ongoing isp doesn't care as you pay your bill
|
|
#
?
Jul 9, 2017 01:47
|
|
|
SmokaDustbowl posted:isp doesn't care as you pay your bill lol
|
|
#
?
Jul 9, 2017 02:08
|
|
|
Rufus Ping posted:but i'm interested what the alternatives are. i'm aware of the post-hoc ddos mitigation services that announce your routes via bgp and scrub the traffic but this isn't much use if you don't have your own AS +1 i don't get how dns fuckery alone will fix a direct attack on the actual servers
|
|
#
?
Jul 9, 2017 02:11
|
|
|
mishaq posted:+1 it wont - you flip from your own frontends or other cheaper cdn over to cloudflare via DNS as in this circumstance it's implied you've protected the IP addressing/hardware all along from attack you're just shifting to a bigger shield. the neustar / bgp angle is, as mentioned above, not applicable to many/most people's setups all im saying is there are other options vs. paying cloudflare to proxy a high hit site like this 24/7/365
|
|
#
?
Jul 9, 2017 02:41
|
|
|
Sniep posted:it wont - you flip from your own frontends or other cheaper cdn over to cloudflare via DNS as in this circumstance it's implied you've protected the IP addressing/hardware all along from attack you're just shifting to a bigger shield. i gotcha
|
|
#
?
Jul 9, 2017 03:14
|
|
|
Sniep posted:lol blaming cloudflare for SA's origin going down because richard doesn't disable the diagnostic page on cloudflare is lol i'm just a clueless end user
|
|
#
?
Jul 9, 2017 03:25
|
|
|
akadajet posted:i'm just a clueless end user me too now and it owns
|
|
#
?
Jul 9, 2017 03:33
|
|
|
Sniep posted:me too now and it owns https://www.youtube.com/watch?v=OLv6ycYcpGI&hd=1&t=21s
|
|
#
?
Jul 9, 2017 04:10
|
|
|
Sniep posted:it wont - you flip from your own frontends or other cheaper cdn over to cloudflare via DNS as in this circumstance it's implied you've protected the IP addressing/hardware all along from attack you're just shifting to a bigger shield. biggest concern here is knowing you can do this switchover effectively and w/o any unintended behavioral changes. though if this is really a lifesaver type of situation then why the heck not
|
|
#
?
Jul 9, 2017 05:46
|
|
|
if they have your origin ip it doesnt matter
|
|
#
?
Jul 9, 2017 05:49
|
|
|
the point is the only "origin" ips that should be exposed are your front end which you switch over in the event of an attack they can keep attacking the old front end as long as they want
|
|
#
?
Jul 9, 2017 05:56
|
|
|
thats not how it works you loving morons. cloudflare is literally your domain ns. your A record to your 'front end' would have to be in cloudflare, served through their servers. you can't 'switch over' without waiting for the propagation and everyones dns cache to expire which makes what youre all describing utterly pointless
|
|
#
?
Jul 9, 2017 06:01
|
|
|
are you maintaining a secret 'front end' which is a different ip and completely unused ??
|
|
#
?
Jul 9, 2017 06:03
|
|
|
pram posted:are you maintaining a secret 'front end' which is a different ip and completely unused ?? that's the only way it could work, yeah have the second front end in aws or whatever and only break glass in emergency
|
|
#
?
Jul 9, 2017 06:04
|
|
|
of course it makes sense to have a second unused load balancer instead of using a free cloudflare account. you are all unironically great consultants lol
|
|
#
?
Jul 9, 2017 06:07
|
|
|
i dont know why youd bother with all that convoluted poo poo when you can just use free cloudflare (with all the caching features disabled if you want) and then turn "im being attacked" mode on should you need it
|
|
#
?
Jul 9, 2017 06:10
|
|
|
|
|
#
?
Jul 9, 2017 06:10
|
|
|
i just go with whatever weird premise people are working off of
|
|
#
?
Jul 9, 2017 06:11
|
|
|
Rufus Ping posted:i dont know why youd bother with all that convoluted poo poo when you can just use free cloudflare (with all the caching features disabled if you want) and then turn "im being attacked" mode on should you need it because theyre idiots
|
|
#
?
Jul 9, 2017 06:19
|
|
|
im just trying to decipher how what sniep is talking about would work 
|
|
#
?
Jul 9, 2017 06:30
|
|
|
its fundamentally dumb. you switch over your NS records, guess what: 1) your main frontend is still getting hammered, and your backend systems are obviously STILL affected 2) your backup frontend is still proxying to the hammered systems 3) your DNS is now in limbo, who knows when your customers caches expire 4) you can shut your old frontend off but your site is now literally dead for everyone resolving to the old NS 5) the attackers still know your old frontend IP so lol
|
|
#
?
Jul 9, 2017 06:34
|
|
|
go ipv6 only and constantly rotate through a billion different ips, like when they alternate shield frequencies in star trek 
|
|
#
?
Jul 9, 2017 06:36
|
|
|
mishaq posted:go ipv6 only and constantly rotate through a billion different ips, like when they alternate shield frequencies in star trek my isp gives me a new ip6 ip like every day. makes vandalizing wikipedia a piece of cake
|
|
#
?
Jul 10, 2017 01:03
|
|
|
|
| # ? Apr 19, 2024 23:24 |
|
|
wow you guys weren't kidding you really are a bunch of nerds
|
|
#
?
Jul 10, 2017 01:38
|
|
