Comment by buro9
6 years ago
Cloudflare EM for DDoS Protection here.
If a customer wants to hide their IP then the best way to do it is:
1. Onboard onto Cloudflare
2. Audit your app and ensure you aren't leaking your IP (are you sending email directly? making web calls directly? - make adjustments to use APIs of other providers, i.e. send emails via Sendgrid API, etc.)
3. Change your IP (it was previously public knowledge in your DNS records)
At this point your IP should be unknown, so...
4. Use `cloudflared` and https://www.cloudflare.com/en-gb/products/argo-tunnel/ to have your server call us, rather than us call you (via DNS A / AAAA records)
Because this connects a tunnel from your server, you can configure iptables and your firewall to close everything :)
Here's the help info: https://developers.cloudflare.com/argo-tunnel/quickstart/
PS: to the OP I tried to contact you via keybase, feel free to ping my email. We are working to improve the DDoS protection for attacks in the range you were impacted by and the product manager would enjoy your feedback if you're willing to share it in the new year.
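An added audit helper for steps 2 and 3 of the checklist above, written for this thread rather than taken from the commenter or from Cloudflare: it scans a DNS zone export and the headers of an outbound message for the origin's own addresses, which is where an origin behind a proxy most often still shows up. The origin IPs, zone lines and mail headers are constructed samples.

```python
import re
from ipaddress import ip_address

# Constructed sample data (not from the thread): origin addresses, a zone export
# and one outbound message's headers, as collected for step 2 of the checklist.
ORIGIN_IPS = {"203.0.113.10", "2001:db8::10"}
SAMPLE_ZONE = """\
example.com.      300 IN A     203.0.113.10
www.example.com.  300 IN CNAME example.com.
mail.example.com. 300 IN A     203.0.113.10
dev.example.com.  300 IN AAAA  2001:db8::10
example.com.      300 IN TXT   "v=spf1 ip4:203.0.113.10 -all"
"""
SAMPLE_MAIL_HEADERS = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
Received: from app01 (localhost [127.0.0.1]) by mail.example.com
From: noreply@example.com
"""
# Candidate IPv4/IPv6 literals; ip_address() weeds out the false positives.
IP_CANDIDATE = re.compile(
    r"(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}")
def addresses_in(text):
    """Yield every valid IP address literal found in text."""
    for tok in IP_CANDIDATE.findall(text):
        try:
            yield ip_address(tok)
        except ValueError:
            pass
def dns_leaks(zone_text, origin_ips):
    """(name, type, [ips]) for records whose data carries an origin address."""
    origins = {ip_address(ip) for ip in origin_ips}
    findings = []
    for parts in (line.split() for line in zone_text.splitlines()):
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not a 'name TTL IN TYPE rdata' line
        hits = {str(a) for a in addresses_in(" ".join(parts[4:])) if a in origins}
        if hits:  # unproxied A/AAAA, SPF TXT data, and similar
            findings.append((parts[0], parts[3], sorted(hits)))
    return findings
def mail_header_leaks(raw_headers, origin_ips):
    """Received: hops naming an origin address (folded lines are re-joined)."""
    origins = {ip_address(ip) for ip in origin_ips}
    hops = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and hops and hops[-1] is not None:
            hops[-1] += " " + line.strip()
        else:
            hops.append(line if line.lower().startswith("received:") else None)
    return [h for h in hops if h and any(a in origins for a in addresses_in(h))]
```

Every record or hop it returns is a place where the origin is still visible and step 3 (changing the IP) alone will not help until that path is moved to a third-party provider or proxied.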
Is cloudflare affordable for an open source and low-funds project? (I honestly don't know the pricing, this isn't meant to be argumentative)
We have a free tier, and the caching and firewall are good enough on that tier - I use it :)
The DDoS protection is the same across all tiers - it's built in and you aren't charged for that. You even see other features (like the Rate Limit feature cited in the article) explicitly structure their pricing so that you are not charged for attack traffic even if you are on a paid plan or feature.
For small denial of service attacks the Security Level switch is very good at stopping the vast majority of attack traffic, and then the IP blocking and User Agent blocking are good too - this is available on the free plan, as are a handful of Firewall Rules that can allow complex expressions to match and drop traffic.
So you can get a very long way on the free plan.
Paid features I'd recommend if you want to stay on the free plan month-to-month yet go paranoid for a small cost:
1. Rate Limit, configure it on your dynamic endpoints to minimise the costs to you but have it highly effective against attacks. Predicted cost is relative to how many requests for dynamic endpoints you have... you can be smart here and combine with Firewall Rules to drop traffic that does not have auth credentials.
2. Argo Tunnel, to hide your IP.
There are other plan level benefits, and the most notable is the quantity of Firewall Rules per plan level and the complexity they allow: https://www.cloudflare.com/en-gb/plans/
Thank you, that's a lot of detail and I appreciate you taking the time to respond.
hey, OP here
I'm no longer on keybase, deleted it a few days ago - but I'm more than happy to share what I found if you want
pretty sure it's nothing groundbreaking though
other contact methods are listed on my profile
(edit: by OP I mean article author)
On an unrelated note: why are you no longer on keybase? Are there any problems with the service?
the guy that was attacking me attempted to dox me, so I shut down all non-essential accounts to prevent anything similar happening in the future
Nobody cares if you're on keybase my dude, share what ya got here instead of behind private messages