Domain: cloudflare.com
Stories and comments across the archive that link to cloudflare.com.
Comments · 93
-
You would have needed to whitelist Amazon
CloudFlare blocks any IP address that sends an insane number of page hits in a short period of time
Then it blocks search engines and reduces the SEO of its customers' sites on search engines that aren't big enough to get whitelisted the way Google and Bing are.
CloudFlare was treating Amazon's web crawler bot's IP range as a potential spammer and showing it a captcha page for every result
If any other CloudFlare customer sees behavior like this, try whitelisting each smaller search engine on which you want your site to appear.
[CloudFlare's CAPTCHA] is trivial for end users to get around and thus is not a true block
Even for blind users?
-
Partial list of CloudFlare customers
no legit company uses CloudFlare
These companies use CloudFlare services. Names I recognize include Reddit, eHarmony, Bain Capital, League of Legends developer Riot Games, Cisco Systems, Quicksilver, Y Combinator, NASDAQ Stock Market, Eurovision Song Contest, Massachusetts Institute of Technology, and Metallica. I've also seen CloudFlare services in use on Stack Exchange (the Stack Overflow company). If you can explain what you mean by "legit" and show how all of these companies fail tests for being "legit", I'll believe you.
-
Re:Tin foil hat time
There's talk that they influenced the decision of some recommended constants for Elliptic Curve Cryptography.
You'll want to use constants that ensure the cryptographic strength of the algorithm, so picking them is non-trivial and hence a recommended set was published. This is the same for most algorithms. AES has constants and they are part of what makes the algorithm AES and not some other variant.
Anyway, here's what Bruce Schneier said about ECC:
I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929
And here's a nice background on ECC:
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
-
Re:Comodo are the biggest Cert issuer
Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.
Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.
Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.
Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for most uses. Comodo, however, is a major certificate authority.
Various surveys, including this one (daily updates available here), scan HTTPS-enabled and report on the share of CAs.
Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TLS for all their customers (including free ones) using Comodo-issued certs -- that single action essentially doubled the number of HTTPS sites on the internet.
-
Cloudflare?
CloudFlare? (Or using the same techniques in other networks, CDNs, DNS providers, etc.)
https://blog.cloudflare.com/cloudflares-architecture-eliminating-single-p/
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/
https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/
http://blog.cloudflare.com/65gbps-ddos-no-problem/
http://blog.cloudflare.com/when-the-bad-guys-name-malware-after-you-you/
-
Re:Bad for small business owners
One of the easiest ways to get HTTPS is to use CloudFlare: http://blog.cloudflare.com/int...
I'm not associated with them, but I have used their free service and it works just fine. As well as HTTPS you get free caching on a CDN for faster load times, especially for overseas customers.
I imagine that now Google is pushing it we will see more free offerings. The EFF is going to offer a free, easy set-up option next year too. By the time it comes around you won't have any problem implementing HTTPS, or have to pay anything.
-
SSL/TLS may not help if you use Cloudflare
Cloudflare offers a fake SSL service called "Flexible SSL". Cloudfront gets a cert generated with a long list of domains. Users connect to Cloudfront, Cloudflare sets up a secure connection from the user's browser to Cloudflare, acts as a man-in-the-middle, and makes an unencrypted connection to the destination host.
And, of course, there's an exploit for this.
Even if you buy Cloudflare's "most secure" option, and have SSL to your own server using your own certificate, you have to give Cloudflare your SSL cert's private keys. Does Cloudflare take responsibility for the security of your private keys? No.
So do not use Cloudflare for sites which handle any valuable data, such as credit card numbers.
-
CloudFlare did a similar analysis
-
Re:The illusion of security
They discuss origin server encryption (the plaintext issue) in a follow-on blog post: https://blog.cloudflare.com/or...
-
Re:CloudFlare is a f.ing nightmare for anonymity
CloudFlare is a f.ing nightmare for anonymity
Not only anonymity, but privacy as well.
Try browsing around with your browser's Referer header disabled (or spoofed to be empty/google/etc). You'll run into sites that either (1) won't load at all, only showing a "CloudFlare security page" that totally blocks access, or (2) have content that won't load due to CloudFlare's default referrer blocking settings. I assume (2) is to prevent "hotlinking" (aka - "using the Web"), but it prevents scripts, styles, etc from loading. However the first behavior (blocking anyone without a Referer header) is complete bullshit.
Using NoScript on a CloudFlare site can also be a nightmare. They have their own absolutely batshit absurd scripting thing called Rocket Loader. The only impression I've gotten from it so far is that it makes script whitelisting difficult and user-scripts even worse.
I can appreciate the primary selling points of CloudFlare (CDN, DDoS protection), but they do a lot more to interfere with site web traffic. The default settings for a site are also probably too aggressive.
-
Re:In the Market
CloudFlare isn't a host, it's a sort of advanced CDN with extra features. You still need to have the website hosted on another server somewhere. Their website explains how it works better than I can, so you might as well read it there: https://www.cloudflare.com/ove...
-
Re: Great step!
CloudFlare has also announced that they're planning to roll out free SSL to customers in the coming months.
-
How about a home brew dynamic DNS system?
Just set up a CloudFlare account and host your DNS through them for free. Then use their API on your server whenever your IP changes.
An example of using the API is as follows... taken from https://www.cloudflare.com/doc...
curl https://www.cloudflare.com/api... \
-d 'a=rec_edit' \
-d 'tkn=8afbe6dea02407989af4dd4c97bb6e25' \
-d 'id=9001' \
-d 'email=sample@example.com' \
-d 'z=example.com' \
-d 'type=A' \
-d 'name=sub' \
-d 'content=1.2.3.4' \
-d 'service_mode=1' \
-d 'ttl=1'
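The curl call above puts the API token on the command line, where it ends up in shell history and is visible to every local user via `ps`, and it re-sends the record on every run. The following updater, an added example that is not the commenter's code and not Cloudflare's, wraps the same `rec_edit` form fields in a script that only calls the API when the address has actually changed, rejects anything that is not an IPv4 address before sending, and never logs the token. Because the comment truncates the endpoint URL, the URL and the token are assumed to come from the environment variables CF_API_URL and CF_API_TOKEN (both names are this example's own choice).

```python
"""Dynamic DNS updater around the rec_edit call quoted in the comment.

Added example. The endpoint and token are read from CF_API_URL and
CF_API_TOKEN (assumed names) rather than written on the command line.
"""
import ipaddress
import os
import sys
import urllib.parse
import urllib.request


def build_form(token, record_id, email, zone, name, ip, ttl=1):
    """Form fields of the rec_edit call shown in the comment (legacy API)."""
    ipaddress.IPv4Address(ip)  # raises ValueError for garbage before anything is sent
    return {
        "a": "rec_edit", "tkn": token, "id": str(record_id), "email": email,
        "z": zone, "type": "A", "name": name, "content": ip,
        "service_mode": "1", "ttl": str(ttl),
    }


def redact(fields):
    """Copy of the form that is safe to write to a log: the token is masked."""
    return {k: ("<redacted>" if k == "tkn" else v) for k, v in fields.items()}


def ip_changed(cache_path, current_ip):
    """True when current_ip differs from the last address we pushed."""
    try:
        with open(cache_path) as fh:
            return fh.read().strip() != current_ip
    except FileNotFoundError:
        return True


def remember_ip(cache_path, current_ip):
    with open(cache_path, "w") as fh:
        fh.write(current_ip + "\n")


def push_update(api_url, fields):
    """POST the form; the token travels in the body, not in the URL or argv."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(api_url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def update_if_changed(current_ip, cache_path, api_url, token, record_id,
                      email, zone, name, send=push_update):
    """Return 'unchanged' or 'updated'; the cache is written only after a send."""
    if not ip_changed(cache_path, current_ip):
        return "unchanged"
    fields = build_form(token, record_id, email, zone, name, current_ip)
    print("updating", redact(fields))  # log line never contains the token
    send(api_url, fields)
    remember_ip(cache_path, current_ip)
    return "updated"


if __name__ == "__main__":
    # Usage: CF_API_URL=... CF_API_TOKEN=... python ddns.py <current-ip>
    env = os.environ
    print(update_if_changed(
        sys.argv[1],
        cache_path=env.get("CF_IP_CACHE", "last_ip.txt"),
        api_url=env["CF_API_URL"], token=env["CF_API_TOKEN"],
        record_id=env["CF_RECORD_ID"], email=env["CF_EMAIL"],
        zone=env["CF_ZONE"], name=env["CF_RECORD_NAME"]))
```

Run it from cron with the detected address as the argument; the `send` parameter exists so the network call can be replaced in tests.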
-
Re:Steve Gibson
The raw sockets deal - Windows added raw sockets, or more simply said the ability to manipulate Internet packets at a very low level. Mr Gibson acted as if the entire Internet was about to collapse. In theory it was a bit easier to make fake packets and try to mess with other computers, in practice malware that is embedded in the kernel could already do this, and the bad machines could only mess with poorly configured machines anyway. If you know networking, fake packets don't help TCP that much anyway, mostly fun to mess with UDP. There is a lot of damage you can do without raw sockets.
The knock against Steve on this wasn't so much the initial panic about raw sockets, but that he stuck to his guns once people explained how this wasn't a big deal. Either he Just Didn't Get It, or he wanted to fearmonger, or both. He sounded a bit chicken little here, and never really seemed to get why he was wrong.
Winders XP: Steve hates 8, fine, we all do. But instead of going to 7, for a long time he wanted to stick with XP. His reasoning: I don't go to any bad websites, I have a firewall, etc. This is shortsighted. Malware advertising on random ad networks is a big deal now; can Steve vet EVERY ad that he sees on the net? Can he vet that every website that he visits has never been pwned and had malware inserted? Can he vet that every machine on his LAN is clean? The worst thing is that he keeps talking about how he runs XP over and over on his podcast. He kind of implies "this is safe for me to do" but never really says "nobody else in their right mind should do this".
Assembly: for a long time he was crazy about assembly, kind of showing how cool he was by using it. I learned assembly/machine code from a book when I was in 7th grade or so. I think it's cool in theory to write some assembly code now. In practice I'd never use it for a real app. Why not? Partially because of time; most libraries and tools are for C or other higher-than-assembly-level languages - you'd need to reinvent a lot of wheels and hope you did them right. And partially for static checking tools which would have a much harder time with assembly checks.
Mr Gibson's podcast has some good factual info, but his opinions are occasionally off and sometimes even dangerous. It's like the story of the broken watch - a broken watch is right twice a day, but you'd need another watch to tell you when. Steve's right a lot of times, but you need to know enough already to know when he's not right, and when he's not right RUN.
-
Re:Is 4chan really unprofitable? Sounds like a myt
Good points on pricing! But like I mentioned, advertising is bringing in a lot of funds as well. Bandwidth is cheaper than ever these days and a lot of it is "subsidized" by Cloudflare, which doesn't charge for bandwidth. 4chan also doesn't run on AWS/VMs (you can find pics of 4chan servers on 4chan blog). And we can tell how much Cloudflare costs: http://www.cloudflare.com/plan...
So I still don't see why, after all this revenue, the site would be unprofitable. It's not like moot has a large dev team behind it.
-
Re:Heartbleed Challenge Over
For some reason I can't get to that page (DDOS'd? Taken offline?)
Here's the results on their blog:
http://blog.cloudflare.com/the...
-
Re:Do it enough times
Private key grabbed. Game over.
One successful attempt took >2.5M requests over a day. Second successful attempt was something like 100k requests. http://blog.cloudflare.com/the...
It's all in the luck of the draw. When you don't have any logging of this, you've got no idea how long people have been poking at this and literally no idea what anyone has made off with.
-
Private key compromise is indeed possible
CloudFlare has retracted their statement that private key compromise is very hard. They started a challenge and at least 2 people successfully got private keys from their Heartbleed-enabled server with as few as 100K requests. (I am sure that with some optimization, the number could be even lower.)
-
Re:They need to get better at tracking these thing
Why does it always take a team of tech to manually block the spamming IP numbers? Why isn't this automated? When this sort of flooding action takes place it should be pretty obvious... respond.
Yeah, CloudFlare should learn how to set up a Linux box with iptables in front of their server.. How hard can this be?
-
It goes deeper than GoDaddy, unfortunately.
Simply put -- consumers can't be trusted to be able to deal with complex secure authentication schemes. That's why there are so many easy-to-guess "What city did you grow up in?" password-reset functions. There are so many weak links in the chain of trust, it takes a concerted effort on the individual's part to secure it.
The CEO of Cloudflare fell victim to this when someone CONVINCED AT&T TO REROUTE HIS VOICEMAIL, starting a chain of events that wound up with the interloper having complete control over Cloudflare and the myriad of sites that use CF (and therefore trust it to send legitimate data).
It's a bit exciting/fascinating to read about the chain of events, (particularly the timeline):
-
Re:Good article
Just to add to this, if you want a good primer on Elliptic Curve Cryptography in general (and not just this exploit), this article from Cloudflare is pretty great even if you don't have a mathematical background. It also explains RSA quite well, so it's a good general crypto primer:
http://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography
-
Re:Suspect even at -O0 -g
I'll also add webapp firewall's actual rules engine - needs quite a bit of performance and profits quite a bit from dynamic compilation.
Cloudflare likes them their Lua, what with their LuaJIT's sponsorship and, IIRC, Nginx's Lua module author's now working for them.
-
Re:At Long Last...
It's certainly not 2007 any more and still no competent engineers who are serious about performance and scalability are selecting ruby.
My point stands, these kids aren't writing server side code and if they were then there would be saner choices.
-
Re:Managed VPS?
This, plus the main component is going to be your caching and use of a CDN. While I'm not a fan of Cloudflare I do use them and they do offload a bit from your server, and MaxCDN can handle all your other distributed CDN needs reasonably. Easy to integrate into Wordpress with W3 Total Cache. This will help immensely when Slashdot takes an interest in your site. - HEX
-
Re:Online Advertising Response
IMHO, the next step is to block referrer information to third party sites. E.g. if example.com loads a script from gstatic.com, then the HTTP_REFERER header is not sent to gstatic.com. There's almost zero collateral damage (one captcha service doesn't work), and companies like Facebook and Google no longer get to know every site that most internet users visit.
I agree whole-heartedly with this sentiment, but it might cause more grief than most would guess.
Over the last year or so I've played around with blocking the referer header from being sent at all, to any websites. 99% handle this just fine, but every now and then I'll come across sites that fail, and in various ways. Sometimes I get a useless error message from CloudFlare, and sometimes the page will simply render blank, like this one (in this case because TypeKit issues a 403 when requesting the CSS if the referer is missing).
I have no idea why some sites rely so heavily upon an HTTP header which is not required to be present at all. I'd love to see a browser start to do what you suggest and exclude the header in 3rd party requests because it would force sites to treat the header as it was intended (advisory only) and would also make it easier for those who want to block sending it entirely.
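The two failure modes the thread describes come down to how a hotlink check treats a missing Referer. The code below is an added example, not code from the comments or from CloudFlare, TypeKit or any browser: it puts the strict policy (reject any request without a Referer, which is what breaks privacy-conscious browsers) beside the advisory one (reject only a Referer that names a foreign host, and treat absent, blank or unparseable values as no evidence either way). The host list and the sample requests are constructed for the example.

```python
"""Hotlink check with Referer treated as advisory. Added example.

OWN_HOSTS and SAMPLE_REQUESTS are constructed for illustration.
"""
from urllib.parse import urlsplit

OWN_HOSTS = {"example.com", "www.example.com"}  # assumed hosts of the site itself


def referer_host(headers):
    """Hostname named by the Referer header, or None if absent/blank/unparseable."""
    value = headers.get("Referer", "").strip()
    if not value:
        return None
    return (urlsplit(value).hostname or "").lower() or None


def strict_policy(headers):
    """Rejects anything that is not an own-site Referer, including a missing one.

    This is the behaviour the thread complains about: a browser that sends no
    Referer at all gets a 403 for CSS, scripts, or the page itself.
    """
    return 200 if referer_host(headers) in OWN_HOSTS else 403


def advisory_policy(headers):
    """Only a Referer that points at another site is treated as hotlinking."""
    host = referer_host(headers)
    if host is None:  # no header: nothing to act on, serve normally
        return 200
    return 200 if host in OWN_HOSTS else 403


SAMPLE_REQUESTS = {  # constructed request headers
    "own-site": {"Referer": "https://www.example.com/page"},
    "no-referer": {},
    "blank-referer": {"Referer": ""},
    "unparseable": {"Referer": "garbage"},
    "foreign": {"Referer": "https://hotlinker.invalid/gallery"},
}


def compare_policies():
    """Map each sample request to (strict status, advisory status)."""
    return {name: (strict_policy(h), advisory_policy(h))
            for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, statuses in compare_policies().items():
        print(f"{name:14s} strict={statuses[0]} advisory={statuses[1]}")
```

The advisory version still blocks the obvious hotlinker while letting a Referer-less request through. Neither version is a security control: the header is set by the client and can be anything, which is exactly why the thread calls it advisory.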
-
Re:Resistance is Futile. You Will be Assimilated.
Google offers a *great* service, for free (or now, for a very low price of $50/year if you're a small business).
That's $50/year per user. Still not a bad price (particularly if you're a small business).
However, when something goes *wrong* it can be very difficult to actually get Google to give you real honest-to-goodness end-user support.
That's what the $50/year per user gets you, in addition to more storage. The now-deprecated free version of Google Apps doesn't have support. The paid version does. Evidently they don't suck when it comes to support and fixing stuff that's broken.
-
Bravo Cloudflare!
I've been using Cloudflare for my DNS hosting since the beta days and they are an outstanding group of individuals. Their free DNS hosting is top-notch, with no pressure to upgrade to the paid option. They are some of the same people behind Project Honeypot. It's good to see firms like Cloudflare stand up and be counted when free and open access to information is threatened.
-
Re:Feels like post-911
I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.
The key thing to know is that phone based password recovery on Gmail has been used to hack accounts and that that has been widely publicised. In other words, giving your phone number over is less secure than not giving it over. In this case, Google is either stupid for continuing something they should know doesn't work or is evil for lying about why they want your phone number.
P.S. They have no intention of using the phone number to call you; phone calls are much more expensive than the various other ways that Google has to contact you. What your phone number could potentially do is link together different accounts with different names and link you to friends who have that phone number in their uploaded phone directories.
-
Re:Exactly why we don't need IPv6
DNS is great, except I'm sure the bastards at ISP headquarters will still charge a monthly fee for a static ipv6 addy and more for a block.... simply because they CAN... and is there a free dynamic dns solution? Last I checked (some years back), no.
Sure. They even specifically support IPv6.
I've also had good luck with CloudFlare, who includes DNS as part of their free service. That includes dynamic DNS.
Afraid.org also does free DNS, including dynamic DNS and IPv6.
-
cloudflare
cloudflare is already doing that for free: http://blog.cloudflare.com/introducing-cloudflares-automatic-ipv6-gatewa
-
Cloudflare
For anyone that wants to easily enable his website to answer ipv6 requests, use cloudflare; in addition to the many benefits of cloudflare, you can enable ipv6 by checking a checkbox: http://blog.cloudflare.com/introducing-cloudflares-automatic-ipv6-gatewa
-
Re:Opera...again
CloudFlare! Thank you. https://www.cloudflare.com/overview.html
On average, a website on CloudFlare
... loads twice as fast
... uses 60% less bandwidth
... has 65% fewer requests
... is way more secure
-
Re:Economically viable?
How can CloudFlare afford to offer a free CDN?
"We built our network from the ground up for a single purpose: making any website faster and safer."
accidentally, right?
-
Re:Economically viable?
It isn't a CDN per se, it's a DNS proxy that caches a static page of your site when it goes down; the data from this is insignificant compared with when every user loads an image.
see How can CloudFlare afford to offer a free CDN?