The problem is that nowadays it's very easy to take down services that don't have enough buffer to absorb traffic shocks. It's not just about Cloudflare's marketing-through-fear strategy.
It's not just a matter of "my service is too important to have downtime". It's that renting botnets capable of at least a couple of Gbps of traffic has become very cheap, and all it takes is for you to publish something on your site/instance that annoys someone motivated enough to make you pay for it, and you can forget your service coming back online any time soon.
And I'm also in the situation where most of my services literally run in my utilities room. My home network connectivity can barely handle someone pulling a container image or a Nextcloud video, let alone a Russian botnet pouring 100 Gbps on my humble BananaPi router. Many other Fediverse admins are in situations similar to mine. All it takes is some random dude who spends $1000 to rent a botnet from the dark web for a couple of hours, and most of the small/medium instances on the Fediverse can literally crumble like sand. And those who host services on AWS or Vercel clouds, or any alternative cloud provider, will probably just get a monthly bill of a couple of thousand bucks.
And, besides all this, there's also an environmental factor in DDoS attacks that often slips from the conversation. DDoS attacks can push network, CPU and memory usage of thousands of physical machines through the roof for hours or days. The earlier they are caught, the less the flood propagates through the network, the better.
I'm definitely not a fan of CF, but it's undeniable that the product that they sell is something that the Internet needs. People's privacy is as important as the integrity of the infrastructure, especially if you have attacks that impact people's own connectivity or monthly bills. And nobody said that in order to preserve the integrity of the infrastructure you need to compromise people's privacy.
Cloudflare's business isn't that hard to replicate. It's just a huge nginx server optimized to handle zillions of concurrent requests, combined with iptables rules and a sprinkle of basic machine learning to detect anomalous connectivity patterns. Just take this simple idea, buy enough machines and network equipment to scale it up to the point where it can absorb 3.5 Tbps attacks with billions of packets per second, and you can compete with them. I wonder why, instead of ignoring the pressing demand for a shield against the increasingly cheap bots and DDoS attacks, we as a community don't advocate for more competitors against CF's monopoly - or, better, get to the whiteboard and come up with solutions and protocols to build such a network in a way that is open, scalable and distributed.