zlacker

[return to "Mitigating a DDoS on Mastodon"]
1. pjc50+RJ[view] [source] 2019-12-06 15:34:01
>>dredmo+(OP)
Decentralisation fans take note: despite wanting to remain independent, the only effective solution was in this case to re-insert a giant global intermediary (Cloudflare) and block all the anonymous unaccountable Tor users.

If a decentralised system is to stay decentralised, it needs to consider spammy bad actors.

2. zzzcpa+If1[view] [source] 2019-12-06 18:27:09
>>pjc50+RJ
It was far from the only effective solution. Probably just an easy path for someone who has no idea about DDoS attacks, but influenced by advertisement and propaganda. Volumetric attacks don't actually require centralized global intermediaries to mitigate; there are other ways to do it, and Layer 7 attacks are even application specific and should be handled by applications or by someone running them who understands all the specifics, but most definitely not by a global intermediary, as an intermediary unaware of the specifics will reject plenty of legitimate traffic. And blocking Tor to mitigate Layer 7 attacks is pretty silly.

Also, it was only up to like the very early 2000s that researchers of decentralized systems mostly ignored the existence of malicious actors, but later everyone became well aware of them and started considering how to deal with them.

3. voidwt+xh1[view] [source] 2019-12-06 18:40:12
>>zzzcpa+If1
Can you provide an example of how to mitigate a volumetric attack without significant reliance on intermediaries?
4. zzzcpa+7n1[view] [source] 2019-12-06 19:20:14
>>voidwt+xh1
Say you have a few nodes behind a few different ISPs sharded to clients. Once one node becomes unavailable it gets replaced by another node, and back when it becomes available again. This means either all nodes can get attacked at once, but with lower volume, or one by one, but affecting only one shard of users for the short period of time it takes to fail over.

But in practice datacenters, uplinks and internet exchanges often are able to do flowspec, firewall rules, block all UDP for a subnet in all networks they have relationships with, etc. So plenty of those nodes can be behind ISPs that mitigate volumetric attacks automatically, so even simple DNS failover might be good enough to protect from such attacks. It's not that hard. Layer 7 is where the hard part is.
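The sharding-with-failover scheme sketched in comment 4, as an added example that is not the commenter's code: node names and client ids are constructed, and the hash ring and "next healthy node in ring order" failover rule are my assumptions about how such a scheme could be implemented.

```python
"""Clients pinned to a few frontends by hash; failover when one is unreachable."""
import hashlib


class ShardedFrontends:
    """Each client has a stable home shard. A node that is unreachable
    (e.g. absorbing a volumetric attack) is taken out of rotation and only
    its own shard of clients moves, to the next healthy node in ring order;
    when the node is back, those clients move back."""

    def __init__(self, nodes):
        self.nodes = list(nodes)   # constructed: e.g. one frontend per ISP
        self.down = set()          # nodes currently failed by health checks

    def home_shard(self, client_id):
        """Stable shard for a client, independent of node health."""
        h = int(hashlib.sha256(client_id.encode()).hexdigest(), 16)
        return self.nodes[h % len(self.nodes)]

    def resolve(self, client_id):
        """Node the client should use right now (what a DNS failover record
        or a client-side node list would hand out)."""
        if len(self.down) == len(self.nodes):
            raise RuntimeError("all nodes unavailable")
        start = self.nodes.index(self.home_shard(client_id))
        for i in range(len(self.nodes)):
            candidate = self.nodes[(start + i) % len(self.nodes)]
            if candidate not in self.down:
                return candidate

    def mark_down(self, node):
        self.down.add(node)

    def mark_up(self, node):
        self.down.discard(node)

    def affected_clients(self, clients, node):
        """Clients that are moved when `node` fails: only its own shard."""
        return [c for c in clients if self.home_shard(c) == node]
```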
