this post was submitted on 03 Aug 2024
7 points (60.0% liked)

Selfhosted

46676 readers
395 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
7
Best Privacy DDOS Blocking? (lemmy.world)
submitted 11 months ago by secretlyaddictedtolinux@lemmy.world to c/selfhosted@lemmy.world
17 comments fedilink hide all child comments
 

I am considering hosting something and am concerned about DDOS attacks.

I am morally opposed to cloudflare because I think they are an unethical and shitty company.

What privacy focused solutions are there to reduce the likelihood of a successful DDOS attack?

all 21 comments
sorted by: hot top controversial new old
[–] just_another_person@lemmy.world 18 points 11 months ago* (last edited 11 months ago) (1 children)

You're being downvoted because you're asking another "I want everything, but works exactly to my needs, only the way I want it, and cheap." kind of question.

Cloudflare exists for a reason, as does every other DDOS mitigation platform. If there was a better or cheaper solution, they would be out of business already.

Best you're probably going to do for self-hosting is going to be blackholing abusive connections, but even then you're only going to be able to mitigate so much. Differentiation of mass amounts traffic still takes a massive amount of time and compute.

[–] schizo@forum.uncomfortable.business 18 points 11 months ago

To add for people who might not be up on the technical aspects: DDOS mitigation works only if you have absolutely enormous amounts of bandwidth and compute resources to intercept and scrub the traffic.

It's not some magic wand someone is waving at a server and poof the DDOS disappears; it still comes into a datacenter, hits a server and is then mitigated before making it to your actual host.

So you have to invest in enough bandwidth and hardware to outscale the largest DDOS you're expecting, which is going to be far less than what's going to REALLY happen, and it has to be available even when nothing is going on.

It's expensive to offer, expensive to run, and only really gets "affordable" at the scale of someone like Cloudflare or Akamai or a hyperscaler.

It's either private, good, or cheap: pick one, maybe two.

[–] lemmyvore@feddit.nl 7 points 11 months ago* (last edited 11 months ago) (1 children)

You don't have to worry about DDoS:

  • DDoS is an advanced technique and the people who can do that spend a lot of time and effort putting malware on machines that can be ordered to perform DDoS on command. They usually sell that attack capability and it ends up getting used against worthy targets, we're talking attacks that disrupt entire industries, elections, warfare etc. Do you really think what you'll be hosting will attract that kind of attention and be impossible to take down with simpler methods?
  • To survive a DDoS attack you need a lot of resources, from a professional platform (like CloudFlare). The stuff they offer for free is not going to get you through a DDoS. If you'll read their terms you'll see it's worded just ambiguously enough to mean nothing. If you ever actually get targeted by an actual DDoS and you haven't paid a lot of money to a platform like that, everybody will simply drop you instantly (your ISP, your VPS provider, your tunnel provider, your VPN provider etc.) and possibly kick you off their service too.

If the stuff you'll be hosting is static files you can use a CDN service. CDN's are designed to be distributed and redundant so they're somewhat resilient to DoS attacks by default. They'll still kick you off if it gets to be too much but maybe you can weather shorter/moderate attacks.

If you're hosting a dynamic/interactive service forget about it.

[–] Shadow@lemmy.ca 5 points 11 months ago (1 children)

What's your budget?

[–] secretlyaddictedtolinux@lemmy.world -3 points 11 months ago (4 children)

As little as possible. This will probably be a low traffic site. I just want something cheap and not cloudflare.

[–] Shadow@lemmy.ca 8 points 11 months ago

I don't think there is anything else free. Best you can do is host with someone like ovh that has enough resources to provide basic protection.

[–] MangoPenguin@lemmy.blahaj.zone 7 points 11 months ago

You're not really at risk of DDOS in that case, I wouldn't worry about it.

[–] shekau@lemmy.today 4 points 11 months ago

Why would someone want to ddos ur small site, real ddos is extremely expensive attack,

[–] lemmyvore@feddit.nl 1 points 11 months ago

Make your website all static files (if you can) and host on a CDN like Bunny.net. It's $1/month and your website might actually be able to get through some large traffic spikes. It won't work against a targeted sustained DDoS but like the other comments said that's not likely to happen.

[–] vk6flab@lemmy.radio 5 points 11 months ago

I'd set-up a static website on an AWS S3 bucket. Then you can use AWS Cloudfront to distribute access around the planet.

Cost is mostly negligible unless you are serving big files.

[–] Decronym@lemmy.decronym.xyz 3 points 11 months ago* (last edited 11 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
HTTP Hypertext Transfer Protocol, the Web
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

4 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #906 for this sub, first seen 4th Aug 2024, 21:15] [FAQ] [Full list] [Contact] [Source code]

[–] abominable_panda@lemmy.world 2 points 11 months ago* (last edited 11 months ago) (1 children)

Crowdsec?

[–] NocturnalEngineer@lemmy.world 2 points 11 months ago

It wouldn't stop against volumetric attacks...

They'd still fully consume the WAN bearer regardless of Crowdsec protecting the endpoint. For that you need a scrubbing centre to dump the traffic onto.

[–] yogsototh@programming.dev 1 points 11 months ago

If you don’t want to go full Cloudflare you can mitigate DDOS using these kind of technique locally.

https://blog.nginx.org/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus

Cloudflare will be a lot more effective in case of attack. But I don’t think most people need more than a few mitigation rules. If DDOS really come, there are very few things you could do to mitigate anyway.

[–] kionite231@lemmy.ca -2 points 11 months ago

why downvote 🤔