Thank you for the amazing job, as always! Cloudflare is a solid solution :)

Sure but maybe something less centralized/proprietary would be preferable
- Such as?
- That's easier said than done, DDoS mitigation requires a large amount of servers that are only really useful to persist an active DDoS attack. It's why everyone uses Cloudflare, because of the amount of customers they serve there's pretty much always an active attack to fend off. Decentralization wouldn't work great for it because you would have to trust every decentralized node not to perform man in the middle attacks. But if you know of any such solution I'd love to hear it.
- Which viable alternative could work to mitigate ddos?
  Out of my head, I think OVH offers such a service (but without free tier).
- Is “decentralised” the new “blockchain”?
- There are a couple elements that a DDOS mitigation system needs to have.
  It needs to be able to absorb the raw network traffic of the attack. A purely volumetric attack seeks to just overload the network pipes that lead to the servers. This can be with junk packets that don't even make sense to an OS kernel, but have a valid destination IP address so they get through the routers. If the DDOS mitigation system acts as a filter in front of the servers, it has to not get overloaded in the same way the routers do.
  It needs to allow good traffic through to the servers. If the attack causes the pipes to just shut down and reject all traffic, then the attack has succeeded. So the mitigation system has to distinguish attack traffic from good traffic, and keep the pipes open enough to let the good traffic through.
  For attacks trying to do expensive stuff on the database, or create spam posts, one useful reflex the system can have is to notice when an endpoint is doing those attacks, and then block it at the network layer.
  That is not necessarily easy, and it requires control of the network ingress, which arbitrary hosting providers may not be able to provide.
- The goal is to mitigate attacks, it costs a lot of money to purpose build world spanning networks than can absorb large amounts of traffic. P2P type options are not a good fit.
- Thanks to the fediverse we were all able to read and search old posts on other instances and interact freely with communities on other instances. Pretty damn great i think.
- You sound fanatical with this statement
- What a

Don't forget. Donate to them. There are no ads here. So we have to maintain the staff and servers.

Lemmy World

https://www.patreon.com/mastodonworld?utm_campaign=creatorshare_fan

Lemmy Devs

https://www.patreon.com/dessalines?utm_campaign=creatorshare_fan

Didn't the admins for Lemmy[.]world post their expenses recently-ish? I can't remember how much it would be for a single user to donate. I'd want to donate, but I'd like to know how much of my contribution would affect operation of the server.
- Wow if I'm reading their expenses correctly, the maintenance bill doubled from May to June...
- Yes. Here you go. https://opencollective.com/mastodonworld

Imagine hosting a service for anyone else to use it, free of charge, no ads, free & open API, yet some idiots think it's fair to (D)DOS it.

There are more "interesting" targets, worst case - Reddit, who thinks everyone is just a number/noise.

Just leave Lemmy alone. :(

we will all still be here when their hyperactivity wears off.
with the old Reddit simulator, personally I'm not going anywhere anytime soon. This place has a great user base and it feels so old-school.
- The new layout with old.lemmy I came back, and new apps coming out for it. It's been a good replacement. Was on tildes, but got banned for just discussing difficult topics....the admin there is just ban happy and yea he owns the site but will just ban people for no reason. Not to mention that the users over there, assuming new people are using the malicious tag as a down vote button which probably goes right to the admin. So you step out of line and you get banned. I really liked the place too, but it's not wanting to be a serious place to discuss topics with an admin like that.
I wonder if the owners of deddit, fb, tweetster, et al, might think it financially worthwhile to cause disruption in the fediverse, and even its ultimate failure.
- I wouldn't be surprised, we didn't take their whole user base of anything but it's in their interest to keep viable competitors out of the way.
Wondering if reddit or Musk are behind the attacks?
- Most likely their parasocial fans. The Reddit stans who want to be edgy and follow their meme leader. Who will never acknowledge them no matter how much they do.
  It's sad that they could target the real people making the world worse, yet only prop up the people who are oppressors.

I don't understand why people want to take down websites. Especially sites like Lemmy, which isn't exactly sticking it to anyone because no one owns it!

Are they just Reddit groupies?

For most hackers or wanna-bes (often called Script Kiddies, that is, people (generally young, even children thus the "Kiddies") who are not technologically inclined enough to be real hackers and see a tutorial online on how to run pre-written scripts that repeatedly perform various functions), the answer to "Why do you do it?" is often:
"Because I was bored."
"Because I can."
Very rarely are other reasons given.
- The ones seen on masterhacker reddit.
- More like "I get zero action, so I take my anger out on other people"
Some people enjoy causing suffering to others. On the internet they are termed trolls. Irl people usually just call them assholes. Most people have encountered them before.
I think they are far more common and likely than anyone giving two shits about reddit.
I was using voip.ms last year when they were DDoS'd for over a week, by a group demanding payment via anonymous crypto. The DDoS ended when they switched to CloudFlare (which was probably pretty difficult because they're a SIP provider.)
Almost any website with a small number of servers is vulnerable to this attack, which happens to be great business for CloudFlare. I wonder which companies are most effectively competing with CloudFlare?
- There are others, but I think the craziest thing about Cloudflare is its basic level of protection is free. Free, unmetered, DDOS protection. It's so popular because so many hobbyists use it for free, and are familiar with it. Then they convince their workplaces to adopt it when the need arises because they are already familiar with it.
  They make money by selling support to companies, and selling access to some more advanced features (that often have a free tier as well). It's honestly so impressive, it made me wonder how much they actually make because it seems unnecessary for most to pay at all. Turns out they cleared almost a billion dollars in revenue in 2022.
They're just trolls. Lemmy is popular enough that it's fun target for them, but still small and infantile enough that you don't have to be hackerman to ddos it. Reddit, twitter, etc... would be constantly getting ddos'd just for the lulz by people if they didn't have the infrastructure to make it a challenge.
Nah, it's not the 00s anymore. Hacker gangs are a real thing today.
I'm not actually in the security field so take this with a grain of salt. But I believe that these attacks play a similar role to random attacks in low level gangs. It proves that your criminal group has power and the ability to deface a website.
So if you publish that Lemmy.world will go down next week because your hackers are on it.... It's advertising. Its just business. It proves that your hackers have an ability and that you are up for sale.
- Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding...
Some people just want to watch the world burn.
You don’t think just being bored is enough reason for some?
- If I'm bored I find something productive and/or fun to do.
  Launching a DDoS attack is neither.
there are some people salty at a given instances, like exploding-heads for defederation or this @lmao dude for no clear reason, there was some spammer activity, and then you have regular drama seekers with usual ensemble of suspects
With my tinfoil hat on, I'd say one concern is that Cloudfare is basically a monopoly and nothing is stopping them from DDoSing sites to force them to use their product.
- While it's good to be suspicious, I don't think we can call CloudFlare a monopoly quite yet.
  Akamai is a big, giant competitor. You also have the big cloud providers like AWS that have their own CDN systems, like CloudFront. (I don't recall GCP's or Azure's product names.) Then you have specialized CDNs like Google's AMP system.
  Now, is it possible that there could be a horizontal trust between these companies? Certainly. There's few enough players for that to happen, but so far, I haven't seen signs of it happening.
Or paid for by Reddit....
- Upvoting because this has to be satire
- Delete your account and go back to reddit
- Genius

In case you haven't considered this, some helpful advice. To keep them from the lemmy.world door after the CDN installation

Change the public IP addresses
rotate your certificates
block all traffic appart from the CDN and only allow a limited known good IP addresses (like yours and your support team). These steps will make your server harder to find, hopefully they move on.

You might have Cloudflare add a request header to the origin request, like x-cloudflare-key: <somesecret>, and then configure nginx on the server to block everything not containing that header.
- just block ingress to your server from non cloudflare IPs or use argo tunnel.

Good News

Most of these ‘attacks’ are targeted at the database

A major PostgreSQL performance issue, logic mistake, was discovered today in lemmy_server and is an easy fix. Details: https://lemmy.world/post/2008987

That's great!

Growing pains. This server and the platform will be better for it. If not for these script kids, some other attacker would eventually be motivated to try it.

old.lemmy.world still exposes your hetzner server to the internet, just a quick heads up.

Exposing your hetzner sounds fucked up
- Wait till you see Oppenheimer.

Thank you as always for the transparency. This instance is going to be the most targeted because of its size. Y’all dealing with this is hard but you’re going to figure things out that will help the other instances.

Seems like we had downtime again just a little while earlier?
- Yep

It's not. People hate large companies that have a dominant position in their industry. Usually, that's fair. However, in the case of DDoS protection, you have to have a large overbearing presence to be able to have the capacity to withstand such attacks. People don't know how to see through what's typically true for what's true in this case. Do I like having a dominant player in an industry? Not particularly. Do I understand why it's necessary in this case? Yes.

Anything we can do as "users" to help, other than donating?

Hmm, best would be if those kids find a real hobby so they stop bothering us. On the other hand, it helps us understand Lemmy better and secure it.
- That's true. Free stress testing the system I guess? Still they need to touch grass lol
If it’s the same people, they’ll probably get tired of it and move on. But the more we talk about it, the more likely it is that new people want to get in on the “fun”. I’d say to not make memes about the downtime and pretty much act like it doesn’t exist (as users, obviously the admins should take action as necessary to mitigate it and post to be transparent).

That's for for always keeping everyone up date. Sucks that you have these people wanting to DDOS a free community of people, I don't get it.

Either way thank you. Now to just somehow find a decentralized version of CloudFlare so we don't have to deal with there trackers that they have.

Commercial interest wants to see free communities like this die out. I won't name names.

Come on everyone, let's be better than this. Ruud literally said script kids, why do yall have to go and blame reddit? The Lemmy gets more attention, and chaotic dumbasses do their thing. You don't have to do any mental gymnastics to tie it back to spez.

People in here really thinking big businesses are attacking lemmy lmao its ridiculous.
- Tbf. It's not exactly the first time large companies/corporations decided to burn other companies down if legally allowed with little to no consequence when possible to reduce competition.

Excellent! CDN and DDoS protection are essential. Also would recommend looking into load balancing if you haven’t.

Load balancing applications is significantly more complex than most people anticipate. In the naive implementation it typically increases database loads and reduces site performance. Static content balancing is trivial, and cloudflare will do that by default, but implementing the hard part will require careful software development to prevent a naive implementation from bringing down the database. Sticky sessions are just the beginning.
- I mean...this take is naive. Putting a load balancer up in front of a few servers isn't going to do anything to their database? No idea where you're even getting that from, as they are completely unrelated.
  The total number of application servers accessing the database is what would affect db performance in a negative way, and load balancing doest automatically mean "do something stupid like spin up 100 app servers when we normally use 3". All you've described is a need for a db proxy in the off chance that Lemmy code has horrible access patterns for db transactions.
  You can take your uninformed nerd rage elsewhere now, thank you.

Thank you for your hard work, and for keeping us updated on the situation.

Wonder why this wasn't done earlier. Hopefully we'll see less of the 404-type pages that has plagued this instance.

It costs more money right?
- Not necessarily. I have several servers behind Cloudflare for free. I'm just limited on analytics, some advanced firewall settings, advanced cache management and maybe a few other features that I don't use. But the basic service is free.
  https://www.cloudflare.com/plans/free/
Dont understand this either, who the fck would expose real server IP in first place?
- anyone cuz it doesn't matter
- Thats not how it works

Thank you! I will donate tomorrow

Be aware that you use another server so you might consider donating to them instead.
- I have an account on yours too, but I might split it between both indeed :)

Man I would love to know how/why doing that is enjoyable to some people. Like how sad and pathetic is your life that that is what is fun to you?

- I wish you the best in life and that you will feel happy again in the future and find your inner peace! hug
- This. When you're life sucks and you don't know how to deal with it all, there's something viscerally satisfying about the idea of making other people hurt as much as you do. It's a really infectious mindset, too. I wish I hadn't found 4chan when I was in my early teens, because I'm still trying to manage that need to be cruel. As long as Lemmy.world is an easily kickable sandcastle, it will be kicked.

On the plus side watching you all tackle and solve these problems gives me confidence in the long term viability of Lemmy and the fediverse. The transparency and often detailed technical discussion definitely helps a lot too.

Cloudflare isn’t bad per se, but having huge amounts of the public internet behind a centralized provider is bad for the flexibility and resiliency of the internet as a whole.

Maybe one day we'll work out a distributed version. The upside is, they're a filter, not the actual site. If we work out better long term strats they're disposable. If they're worse than not having them at any point, it's just a dns change to kick em to the curb

Cloudflare is a solid choice IMO. Thanks again for hosting this!

You’re doing a great job so far. Thanks for the update.

Benefit of using Cloudflare CDN:

Commenting and editing took about 0.5 seconds!

Also, ping is now from 200-300 miliseconds to just between 50 and 60 (depending on your ISP):

    
64 bytes from 172.67.218.212: icmp_seq=1 ttl=64 time=56.2 ms
64 bytes from 172.67.218.212: icmp_seq=2 ttl=64 time=60.2 ms
64 bytes from 172.67.218.212: icmp_seq=3 ttl=64 time=55.8 ms
64 bytes from 172.67.218.212: icmp_seq=4 ttl=64 time=58.9 ms
64 bytes from 172.67.218.212: icmp_seq=5 ttl=64 time=60.6 ms
64 bytes from 172.67.218.212: icmp_seq=6 ttl=64 time=60.5 ms
64 bytes from 172.67.218.212: icmp_seq=7 ttl=64 time=60.1 ms
64 bytes from 172.67.218.212: icmp_seq=8 ttl=64 time=55.0 ms
64 bytes from 172.67.218.212: icmp_seq=9 ttl=64 time=60.0 ms
64 bytes from 172.67.218.212: icmp_seq=10 ttl=64 time=61.4 ms
64 bytes from 172.67.218.212: icmp_seq=11 ttl=64 time=59.3 ms
64 bytes from 172.67.218.212: icmp_seq=12 ttl=64 time=58.5 ms
64 bytes from 172.67.218.212: icmp_seq=13 ttl=64 time=56.0 ms
64 bytes from 172.67.218.212: icmp_seq=14 ttl=64 time=60.6 ms
64 bytes from 172.67.218.212: icmp_seq=15 ttl=64 time=58.7 ms

The bugs in Lemmy are such that you don't even need to touch a server for it to be vulnerable. Cloudflare does not defend against such mistakes. Other servers can trigger deep PostgreSQL logic problems within Lemmy. Growing pains, a lot of the federation code was never tested, and today's crash is due to a logic issue with lemmy_server mistakenly updating 1700 servers it knows of through federation for a delete instead of the 1 local server.

Thank you for your efforts, work and results. Those "attackers" only deserve disgust.

Maybe they don't deserve as much, pity would be enough.

I'm learning a lot by following lemmy.worlds actions. Appreciate the transparency!

Where can we donate toward server costs?

https://opencollective.com/mastodonworld
https://patreon.com/mastodonworld
- Do you prefer one or the other when it comes to donations?

What doesn't kill you makes you stronger

Sometimes what doesn't kill you leaves you with PTSD
~ Friedrich Nietzsche
- Knowledge is power. France is bacon.

Why is Cloudflare so bad?

https://wowana.me/files/cloudflare-email-template.txt

I hope lemmy.world can avoid using Cloudflare which goes against the spirit of Fediverse as it's just an objectively evil company.

Agreed. This is an emergency fix. Will look for final solution later.
Can you give some insight to this?
- There are thousands of reasons from centralizing internet, abusing their market power, implementing barriers on web automation that can only be bypassed by the priviledged to fingerprinting and tracking users across the whole internet. It's a major for-profit market capture corporation - it's evil by design.
@drmoose @ruud agree.

The more you attack a Lemmy instance, the more stronger it gets.

It's like tempering iron or steel.

Beats getting hammered by spez!

It's not ideal, but there's not a whole lot of options out there for DDoS mitigation.

Like?

ty for all ur hard work ♥️

Welcome to the internet, glad there’s a working solution

Maybe is that Reddit dude, jealous of Lemmy's increasing popularity.

It seems like you made this comment in jest, but I wouldn't say it's outside the realm of possibility. We can't fly off the handle and lob accusations absent any sort of proof, but it would hardly be the first example of a corporation targeting an up-and-coming disruptive service run by amateurs.
- I agree. Kind of a joke, but also kind of serious.

I put this site behind cloudflare in response to this post. Other than having to change SSL/TLS encryption mode to Full, it seemed easy. I turned on bot fight mode and I'm using the managed WAF ruleset that comes with the free tier. Any configuration recommendations anywhere in the panel?

If your site was already accessible by HTTPS before you put it behind Cloudflare, try Full (Strict).
- yep had to do that was initially getting "too many redirects."

Damn these script kiddies.. I don't like Cloudflare at all but it does its job well. It may just be my paranoia, but putting a single entity in control of so many websites seems dangerous. I think we have all learned about the intentions of big corporations. But hey, it's better than being taken down tbf.

What are your reasons for hating cloudflair? Best i can tell they run a good service and their free offerings have been great (1.1.1.1)
- We said the same thing about chrome 10 years ago. It's not the quality of the product, which is excellent. It's the concentration of control.
Exactly my words. I'd love to see a decentralized network to do the job instead. No single point of failure and people can actually earn a bit of money instead of big corpos enriching themselves.

I wonder now with the semi-adversarial/semi-cooperative nature between lemmy instances, if wer'e not going to see more DDOS and other types of raids happening because a different instance has an ax to grind against yours. Say between you defederated them, or they consider your instance too big etc.

I saw a post "Lemmy seems to have way more leftists than xyz." So I wouldn't be surprised to find it's political nonsense, people attacking a site they see as "the left."
- I can see it now, a lemmy cold war of sorts where the "leftists" and "socialists" and "communists" are arguing non-stop over the definition of those terms and who is worst amongst them

Hmmm, we're getting a fuckload of web requests on our Lemmy too... I think I'll enable CloudFlare too! :)

Just make sure you do your research before you do - people have broken federation by enabling it without due care in the past.
- people have broken federation by enabling it without due care in the past
  Any links regarding this? It sounds concerning and my instance admin uses Cloudflare as well.

Is it just me, or is old.lemmy.world still using its old IP address?

`lemmy.world` and `m.lemmy.world`

    
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=1 ttl=56 time=46.9 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=2 ttl=56 time=50.3 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=3 ttl=56 time=48.0 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=4 ttl=56 time=50.1 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=5 ttl=56 time=50.1 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=6 ttl=56 time=50.2 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=7 ttl=56 time=47.0 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=8 ttl=56 time=54.0 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=9 ttl=56 time=50.1 ms
64 bytes from 104.21.53.208 (104.21.53.208): icmp_seq=10 ttl=56 time=49.8 ms
--- lemmy.world ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9010ms
rtt min/avg/max/mdev = 46.893/49.635/54.048/1.956 ms

old.lemmy.world should be cloudflared, too

Yeah we will fix that soon

If you decide to use Akamai, hmu. I'm not an Alamai guru, but I do it professionally.

I joined July 1 for obvious reasons, I love it here.

I'm asking how many times has lemmy had to deal with these kinds of attacks prior to the "Date shall not be named"

Cause it kinda seems pretty coincidental for the amount of times I've been forced to be "offline" on this platform is gd laughable.

I thumbs up good content always.

My biggest problem with CloudFlare is that very often they don't play nicely with VPN.

Whats the motivation to DDOS? How mutch is specific malice to lemmy or lemmy.world itself and how much is genaric.

The kinds of people who do these things can have different motivations.
Some DDOS operators are "hired goons" who will DDOS whomever they're paid to. However, in order to demonstrate their capabilities, they need to do some damage first. If they can cause a big outage, they can later point to that outage and say "we did that" as proof that they're capable of doing damage.
Some DDOS operators are ideological or identity/drama-driven. They decide that they have a Cause, and that this justifies doing some damage. The same groups might do DDOS and also harassment, doxxing, spamming, etc. — their goal is to cause misery to the Bad People and "drive them off the Internet" by whatever means they find handy.
Some DDOS operators are just plain extortionists. They crash a site once or twice, then threaten to keep doing it forever until the site owner pays them off.
Some DDOS operators are bored kids making trouble.
Some DDOS operators are nation-state agencies trying to censor foreign sites that say things they don't like. In one case, the China government attacked GitHub to get at the anti-censorship site GreatFire.
- The Chinese do their best to make everyone hate them, don't they?

It went down again, lol. For like an hour or so, right after I claimed it was working for me. Go figure. :B

I assume you are rotating ip addresses after swapping to cloudflare?

CloudFlare IP ranges can be found here. The DNS entry can point to any one of those IP addresses.
- I think Ryan is referring to the usual requirement that the server's IP address is changed if switching to a CDN to avoid DDoS, since otherwise the attackers can usually just bypass the CDN by sending requests to the original IP of the server.

Nice try, Mr. Huffman.

Yeah, first make sure it doesn't show anywhere anymore

Yeah, this is just growing pains for any website. Get popular enough for it to be "fun" to target. Then get enough data that it's "profitable" to target. Etc. And the usual way to deal is to first use an external solution at least until it becomes too expensive due to traffic volume. Then make your own solutions for problems you can solve yourself and pay external companies for the ones you can't.

Not sure if it’s related, but today on Mastodon, I’m unable to upload photos. Also can’t see pics from other users. Profile pics are mostly greyed out too.

Script Kiddies are definetely some of the saddest people on the internet. If you're gonna be an unethical hacker at all, actually do it. Don't be a sissy.

It's about skills. Script kiddie can download and run a script written by someone else but that's pretty much it.
- Downloads Uber hax. Run script. Computer dies. "Heh, I am a god."

Thanks a lot for all the work you folks are doing to keep this instance up.

What solution were you using before Cloudflare?

None
- Oh.

thank you guys for your work! is it possible to disable the cloudflare analytics/telemetry aka cloudflareinsights?

Obviously cloudflares ddosing lemmy just to get some extra money

This might not be a joke as CloudFlare employs lots of woke types that just might do that.
- woke bots lol. I seriously don't doubt, It's a logical step for a business like cloudflare. Won't ever really be proven or disproven though.
- What do you mean by woke types?

Thank you for the update!

Any news? I'm still seeing empty pages sometimes (db errors I think), s6 wonder if the kiddies are somehow getting through despite cloudflare.

Do you run a reverse proxy infront? Eg. nginx is pretty performant at dropping unwanted traffic.

That doesn't help with volumes of otherwise legit looking traffic right? The problem that Cloudflare and Akamai etc address is usually content that is otherwise static that can be cached. Say the front page of hot lemmy.world is updated every few minutes with the newest hot item. That page is otherwise distributed by the CDN so the CDN can just direct the traffic to access it, and no requests are made to lemmy.world.
nginx would be helpful for any attacks located from a single address trying to making large numbers of connections, but without reading more into the attack I can suspect that this isn't what the attacker did.

Thank you❤️❤️

How does cloudflare work? Do you install the private SSL certificate there and so cloudflare can see all traffic, including passwords, in plain text or is the path from browser through to your server still encrypted?

Cloudflare decrypts to do the ddos protection, then reencrypts to the server.
If you are worried about security, cloudflare is provably more secure than any lemmy server.
- But it still is a really bad idea to route big parts of the internet through one proprietary system. There have to be other ways to solve this.
Cloudflare is a proxy, so by its very nature it has to decrypt traffic. (I believe their enterprise plans may offer a way around this, but don't quote me.)
I wouldn't worry, however. If someone wanted to attack this site (or any site, really) they're almost certainly going to have an easier time going after the origin rather than trying to take on a juggernaut like Cloudflare.
Other posters are correct that cloudflare decrypts traffic. BUT it is highly unlikely that they will see your password in plaintext, since it is best practice to hash the password first on the front-end.

It's been feeling sluggish all day long as well. I've been trying to post from my phone and PC, and it seems it's really slow from time to time.

Also when will CloudFlare drop lemmy as a 'Nazi' site?

Cloudflare makes the website feel dirty, but it'll protect the site until a better option is found.

Cloudflare makes the website feel dirty, but it'll protect the site until a better option is found.
Can you elaborate what you mean by this? Lots of sites use cloudflair and most users of those sites would never even know. What makes it dirty?
- Its not. I explained in the below comment why Cloudflare and others like them helps you decentralise. And other benefits.
- Cloudflare definitely has a great service and the positives probably overweight the negatives in this situation. But the potential for an attack from within cloudflare itself via trackers or a probably very low chance of a letter man being in the middle can feel a little tense. It boils down to not trusting the company. I especially do not like those outages, captchas, cookies and a centralized web. Cloudflare will help Lemmy stay on top of everything and keep stability though.
  Maybe being addicted to uBlock having only green and no detections makes me worried. It's like a little bit of dirt on the floor.

You should change the public IP of the server if you haven't already

What happens tomorrow? Change the IP again? And again? It's not a long term solution.
- Cloudflare masks the origin IP address and has DDoS protection. Unless it's a DoS against the software, yes, it is a long term solution.

Lmaooo Cloudflare is in the comments downvoting criticism

So many hackers targeting lemmy huh.

Script kiddies*

I had a hard time signing in the other day as I got confused in the instances but otherwise I'm enjoying the experience browsing here using the summit app.

https://www.commondreams.org/opinion/oligarchs-against-democracy

I would like to know the answer too.

Tagging @ernest in case instance owners don't have a larger community in which they share news like this with each other.

now I'm convinced that that cunt spez paid those brats to sabotage us

I wish we are better than this ..

I've been having lots of connection errors today

Went back up for me again only an hour ago

I could swear, and also could be wrong, but someone said Cloudflail doesn't handle ddos attacks. Which adds more to your comment if true lol

http://crimeflare.eu.org list reasons why not to use Cloudflare, though IDK if it's just ultra-privacy oriented warnings or something else...

Not sure if I should be upset, although the claim of CF potentially sniffing passwords/credit card details/other sensitive information across various websites sounds plausible to me (some websites even have a TLS cert verified by "Cloudflare, Inc."!) 🤷‍♂️

They would be completely ruined if they were doing any of these things and proven to be doing them. Nothing to worry about for now.
- Yeah, you're right. Just because they can doesn't mean they have to. We might not know what they're up to behind doors and for me it's horrifying to know the potential damage but hopefully it's in good faith.

Well I signed today and I got an error saying rate limit earlier for using these types of symbols "î¦âö)ééäë((ºÜÝ¨¿ã¿ï" I'm assuming It has nothing to do with this but just In case I'm making a comment about it edit:also just realized It may have been from how long the password was (33 characters)

This might be related. Encrypting passwords is resource intensive, and longer passwords need more resources.
Specifying really long passwords, repeatedly, is one way to DDoS a server. Maybe they're blocking unnecessarily long passwords.

There mfs are paid by Spez

I'm getting an error when trying to login to the old version.

they have a bad habbit of getting Brain bleeds

Here is an alternative Piped link(s): https://piped.video/watch?v=DDe-S3uef2w
https://piped.video/watch?v=GEbn3nHyKnA
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
- Im sorry, but

meanwhile it was giving me incorrect login error and I had thought someone got into my account lol

Why don't you close the subscription to Lemmy.world so new people will subscribe to smaller server so that if one has problem, not the majority of the people are affected by it? Isn't this supposed to be one of the main characteristic of the fediverse?

It's a bit of a pain having your account on a different instance to the one you most use, you can't browse local communities the way you can if you were on the "home" instance, you can't delete posts.
- I didn't mean that.I meant that if the whole Lemmy users where spread over n servers, when one is down, not all the users will be affected

This would probably be less useful than you think.
Firstly, changing the default doesn't matter - the attackers will just switch to targeting whichever URL causes the most pain.
Secondly, in comparison to prerendered pages of live content, js files are incredibly cheap and easy to chuck on a CDN. They don't change often, so you don't need to worry about cache invalidation, and even at a server level they're probably hosted by a simple file server rather than hitting the DB.

Am I the only one who'd have no issue with ads in lemmy? As long as they dont use too much space. Amount in ads in RiF was good for me, don't know if they earned much from it.

Money could go to app creator and instance owner, i don't care, as long as it helps running the community.

I absolutely refuse to use a service with ads unless I can block them. I'm very strongly opposed to any kind of advertising, and I absolutely despise the fact that everything on the internet is ad or sponsor-driven these days.
Paying for an ad-free service, however, is fine with me.
- Then what about ads by default but you can pay to remove it? I think it's important to think about the cost structure of these "free" spaces so that they have the proper support for longevity. That being said, I feel Wikipedia is a fine example of how we could also do it, donations with some transparency on what's needed to keep things running. But iono, I'm pretty ignorant about the true cost of running something like lemmy at scale.

We was behind Cloudflare since day one 😀 And even on Cloudflare there is not the origin IP its again reverse proxied, and we are small site compared to lemmy.world 😜

ah, rate limits. something twitter was absolutely blasted for but makes sense here because we love lemmy :) even though it serves the same purpose.

Probably because Twitter is big, and LemmyWorld is small and also the fact that the rate limits are probably reasonable in LemmyWorld, compared to twitter.
There is nothing in theory wrong with a rate limit as long as its not set so absurdly low or to such a long amount of time as to impact actual users. The problem is implementing them stupidly.
- so what is the issue?

Maybe CF and spez are paying the script kids.... damn....
It's highly unlikely. Cloudflare is (I think) the biggest CDN provider and one of the biggest domain registrars. Whatever lemmy.world is paying them it's inconsequential to their books. For a sense of scale, they own the IP address 1.1.1.1. (as an aside, 1.1.1.1 is a DNS host, but unlike the other popular ones it has a webpage so it's very convenient for checking if your internet is down or if you're having DNS issues)
Basically, the cost reward is way out of whack for them to consider ddosing such a small site.
No, but Cloudflare is providing services to those kids too.
Most of the services that provide DDoS attacks as a service use Cloudflare themself and Cloudflare is absolutely okay with it.
Lol. Just for shits and giggles I want to entertain this for a second.
You’d probably want to pay hackers in a country that isn’t friendly with the US to do this. Russia, North Korea, China, Iran.
Three of those countries are heavily sanctioned right now. I wouldn’t want sketchy money flowing to Russia at the moment even if it didn’t technically fall under sanctions since money flow is being scrutinized. Same with NK and Iran.
So that would leave China. I think you could get away with it there pretty easily.
And lo and behold….
https://techcrunch.com/2020/04/28/cloudflare-partners-with-jd-to-expand-its-network-in-china/amp/
:tinfoilhat:
With that said though. Getting that info leaked out would be extremely damaging and totally not worth the risk.

Wouldn't be surprised if Cloudflare itself was hiring out blackhats to DDoS attack certain websites in order to get them into the fold, like racketeering. I mean this is America, I wouldn't put it past any company here, even ones pretending to be "virtuous"

Other companies I'd believe, but Cloudflare has never seemed slimy
- Cloudflare houses and has housed many shady and downright awful websites without any problems from their "morality department"
  This is like saying Microsoft isn't slimy either because so many people use their product

It is obviously not. Why would it be?

Yet another sloppy, yet aggressive approach to TRYING to fix your once great website.

Good News

lemmy.world and m.lemmy.world

they have a bad habbit of getting Brain bleeds

`lemmy.world` and `m.lemmy.world`