zlacker

[parent] [thread] 8 comments
1. korosh+(OP)[view] [source] 2019-12-06 12:03:38
hey, i'm the author of the article

really... surprised it got submitted here

incidentally i'm running pleroma, not mastodon. minor detail but you know

replies(3): >>iampim+H1 >>dredmo+fd >>netsec+P11
2. iampim+H1[view] [source] 2019-12-06 12:24:31
>>korosh+(OP)
To avoid leaking IPs, you can use cloudflared tunnel. It might get pricy if you move a lot of bytes, but it’ll isolate you from IP leaking issues.
replies(1): >>korosh+V1
◧◩
3. korosh+V1[view] [source] [discussion] 2019-12-06 12:27:00
>>iampim+H1
oh, i found out where the leak was

it's right at the end of the article - the attacker was abusing the "create a preview card of any posted URL" feature - he'd post a link, wait for pleroma to go and grab the url to preview it, then narrow down which one was mine based on user agent

i added an upstream proxy and anonymised the user agent, so even if he were to do that, the most he'd find was my proxy box

replies(2): >>chvani+Bl >>TrueDu+HH
4. dredmo+fd[view] [source] 2019-12-06 14:14:29
>>korosh+(OP)
I'm quite active on Mastodon and HN, thought this might be of interest.

Would you prefer the title were modified? The mods can do that. I thought that specifying what the DDoS mitigation was applied to would be helpful, though my presumption of Mastodon was in error, apologies.

replies(1): >>korosh+gk
◧◩
5. korosh+gk[view] [source] [discussion] 2019-12-06 15:01:26
>>dredmo+fd
I'm not too bothered about correcting it, just thought it good to note
◧◩◪
6. chvani+Bl[view] [source] [discussion] 2019-12-06 15:09:49
>>korosh+V1
That might be what you are talking about, but just to confirm: Pleroma has an ability to proxy outbound requests via `pleroma.http` config out of the box
replies(1): >>korosh+Am
◧◩◪◨
7. korosh+Am[view] [source] [discussion] 2019-12-06 15:15:25
>>chvani+Bl
yeah that's what I'm using

I also pull-requested a user agent anonymisation setting (pleroma.http.user_agent) to make this better

◧◩◪
8. TrueDu+HH[view] [source] [discussion] 2019-12-06 17:10:31
>>korosh+V1
Did you consider using Tor to make those kind of outbound requests? I've done that in that past for a similar situation to avoid leaking IPs, there is a latency overhead but it solved my issue pretty quickly. There were some sites that were blocking Tor exits but the vast majority were successful (enough that when the feature failed it didn't really matter).
9. netsec+P11[view] [source] 2019-12-06 19:14:14
>>korosh+(OP)
I block all Tor traffic with iptables and ipset - which allows O(log n) lookup time for each request when checking it against the Tor list. I wonder if this would have been your end-all solution. http://ipset.netfilter.org/ipset.man.html
[go to top]