Hi,

I wonder what are suitable methods to protect a Lemmy instance against DDOS attacks.

For example, can we use Cloudflare? Or it could break the federation?

Any ideas/suggestions?

  • Arthur Besse@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    3 years ago

    When a website uses cloudlfare, TLS encrypts the connection (including passwords, etc) from your web browser to cloudflare - not from your browser all the way to the actual site you’re logging in to. (Then, if the request can’t be satisfied by cloudflare’s cache, there is another TLS connection from cloudflare to the “origin server”.)

    In either case, Cloudflare sees everything sent to hostnames hosted by them.

    Some sites might have your password sent to a different hostname that isn’t hosted by cloudflare, in which case they wouldn’t see your password, but, they would typically still see the resulting session cookie which allows someone to log in as you.

    Cloudflare is like any other machine-in-the-middle attack except instead of being something everyone knows they should avoid, it somehow is a service that some people actually pay for (perhaps because they like to imagine that their website might one day be so popular that their VPS would insufficient to serve it).

    In case you actually do need a CDN (and I’d guess 99.9% of cloudflare sites don’t), the correct way to do it is to use the CDN only for static content like images and video. Ideally the CDN shouldn’t need (or have) any cookies, and, if you don’t want to give the CDN (or malicious parties acting under their authority) the ability to hijack your users accounts, then you shouldn’t rely on them for hosting javascript either.