
Comment by tannhaeuser

8 years ago

Holy sh*t. Is this the end of Cloudflare, with the trust being absolutely destroyed and lawsuits coming in? Can't say I'm sad for them. Cloudflare sells you DDoS protection, and hosts (e.g. masks the IP of) the very DDoSers, to protect against themselves, which I find bordering on the criminal.

Hosters like Hetzner and OVH have for a year now offered DDoS protection (I'm guessing it's heuristic rate limiting, but they won't tell details because that would make it trivial to work around, so they say). Could someone characterize their offering and tell me if it's any good?

To those spinning a story against C programming here: it is entirely possible (trivial, even) to isolate address spaces between requests, and has been for like 25 years (CGI programming) and more. When you absolutely must use a long-running, single-address-space service container, OpenBSD's httpd shows how to do it right (it goes to great lengths to randomize/re-initialize memory etc.). I agree, though, that using straight C isn't a good choice for the latter.

From https://arstechnica.com/security/2017/02/serious-cloudflare-...:

    A while later, we figured out how to reproduce 
    the problem. It looked like that if an html page
    hosted behind cloudflare had a specific
    combination of unbalanced tags,
    [...]
    The leakage was the result of a bug in an HTML
    parser chain Cloudflare uses to modify Web pages
    as they pass through the service's edge servers.

Ahem, at the risk of sounding pedantic: this wouldn't have happened when using a proper HTML/SGML parser ([1]).

[1]: http://sgmljs.net/blog/blog1701.html
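The failure mode the quoted article describes, an unbalanced tag at the end of one page sending a page-rewriting scanner past that page into whatever sits next in the same process, as an added illustration that is not Cloudflare's parser and not code from the comment above. The buffer layout, the `heap_image` and `PAGE_LEN` names, and the particular guard bug shown (`p != pe` as the only bound plus a multi-byte tag match applied without checking how many bytes remain) are assumptions chosen to show the class of bug, not a claim about Cloudflare's actual code:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory layout (an assumption for this example): tenant
 * A's page, which is cut off in the middle of a <script tag, directly
 * followed by bytes standing in for tenant B's data. The leak only
 * requires that the two be adjacent, as they would be in a shared heap. */
static const char heap_image[] =
    "<html><body><script"                         /* tenant A: 19 bytes */
    ">var k='hunter2';</script><p>more of B</p>";  /* tenant B (neighbour) */
#define PAGE_LEN 19u   /* tenant A's page length; nothing past it belongs to A */

struct script_span {
    long body_start;   /* offset just after "<script>", or -1 */
    long body_end;     /* offset of "</script>" (one past the body), or -1 */
    int  unterminated; /* 1 if no closing tag was found inside [0, len) */
};

/* BUGGY scanner: the loop bound is p != pe, and the 8-byte tag match is
 * attempted even when fewer than 8 bytes of the page remain. If the page
 * ends with "<script" and the neighbour happens to start with '>', the
 * match succeeds, p jumps past pe, and p != pe is never true again. */
struct script_span scan_script_unsafe(const char *buf, size_t len)
{
    const char *p = buf, *pe = buf + len;
    struct script_span s = { -1, -1, 1 };
    int in_script = 0;

    while (p != pe) {                    /* cannot stop once p > pe */
        if (*p == '\0') return s;        /* demo-only guard: end of the test image */
        if (!in_script) {
            if (strncmp(p, "<script>", 8) == 0) {   /* may read past pe */
                p += 8;                             /* may jump past pe */
                in_script = 1;
                s.body_start = p - buf;
                continue;
            }
            p++;
        } else {
            if (strncmp(p, "</script>", 9) == 0) {  /* may be found in B's data */
                s.body_end = p - buf;
                s.unterminated = 0;
                return s;
            }
            p++;
        }
    }
    return s;
}

/* FIXED scanner: p < pe as the bound, and every multi-byte match first
 * checks that enough bytes remain. A tag cut off by the end of the page
 * is reported as unterminated instead of being completed from beyond pe. */
struct script_span scan_script_safe(const char *buf, size_t len)
{
    const char *p = buf, *pe = buf + len;
    struct script_span s = { -1, -1, 1 };
    int in_script = 0;

    while (p < pe) {
        if (!in_script) {
            if ((size_t)(pe - p) >= 8 && memcmp(p, "<script>", 8) == 0) {
                p += 8;
                in_script = 1;
                s.body_start = p - buf;
                continue;
            }
            p++;
        } else {
            if ((size_t)(pe - p) >= 9 && memcmp(p, "</script>", 9) == 0) {
                s.body_end = p - buf;
                s.unterminated = 0;
                return s;
            }
            p++;
        }
    }
    return s;   /* reached pe with a tag or body still open: refuse, don't guess */
}

/* Bytes the scanner handed back from beyond the page: > 0 means a leak. */
long bytes_past_page(struct script_span s, size_t page_len)
{
    if (s.body_end < 0) return 0;
    return s.body_end > (long)page_len ? s.body_end - (long)page_len : 0;
}

int main(void)
{
    struct script_span u = scan_script_unsafe(heap_image, PAGE_LEN);
    struct script_span f = scan_script_safe(heap_image, PAGE_LEN);
    printf("unsafe: body [%ld,%ld), %ld bytes of neighbour data: \"%.*s\"\n",
           u.body_start, u.body_end, bytes_past_page(u, PAGE_LEN),
           (int)(u.body_end - u.body_start), heap_image + u.body_start);
    printf("safe:   unterminated=%d, leaked=%ld\n",
           f.unterminated, bytes_past_page(f, PAGE_LEN));
    return 0;
}
```

The unsafe variant "finds" a script body of 16 bytes that lies entirely in tenant B's region and would be rewritten into tenant A's response; the fixed variant stops at the page boundary and reports the tag as unterminated. The two changes that matter are the `<` comparison and the remaining-length check before each multi-byte match; per-request address-space isolation, as the comment argues, is the belt-and-braces layer that would have contained the overread even with the first bug present.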