Conversation

twitter.com/DanielMicay/st This started happening again but github.com/GrapheneOS/inf has deterred it for the time being per

@damienmiller

's suggestion. It's a stopgap for now and will need to be made stricter for IPv6 along with deploying a better solution to this new annoyance.

Quote Tweet

Daniel Micay

@DanielMicay

Sep 5, 2021

Our ns1.grapheneos.org DNS server was targeted by a DoS attack yesterday. They didn't target the DNS service but rather... SSH. That's a new one. Can see the traffic spike but it was hardly anything compared to the usual attacks. Still, SSH buckled. nodeping.com/reports/status

Replying to

and

what the fuck why would somebody ddos you

Replying to

and

The C*pp*rh**d dude has an army of skript kiddies with nothing better to do.

Replying to

and

We've pretty much won that now. Unfortunately, many of the people involved with that moved on to a different community and have gotten even more aggressive bothering us in even more ways than before. It really never ends. They aren't very good at DoS / DDoS attacks at least.

Replying to

They've been trying to do those attacks where you send a POST request and then trickle through the content body at super slow speed... to static web servers not accepting POST requests. Setting lower size limits, per-IP limits, etc. has dealt with most low-hanging fruit now.

Replying to

Part of why we use OVH is because they have a nice DDoS mitigation system for IPv4 based on FPGAs: hal.archives-ouvertes.fr/hal-01740903/d bittware.com/resources/case It would be nice if they extended the proper DDoS mitigation to IPv6. It's nice not needing to use something like Cloudflare.

4:16 AM · Sep 7, 2021Twitter Web App

Replying to

They also let you set up to 20 manual IPv4 firewall rules for the DoS firewall which get enforced on the super high bandwidth DoS firewall system rather than on your dedicated server / VPS so it doesn't hurt your bandwidth. It also only slows down incoming bandwidth for that.

Replying to

and

It seems to me you'd be best served by routing all traffic to the box (except public DNS traffic) through another host whose address isn't public, and allow-listing only that for TCP.

Replying to

and

are they using P4 for the ddos mitigation?

Replying to

and

I'm not sure. They've gone through multiple generations of their VAC anti-DDoS and it's more complicated now since they have ovh.com/world/anti-ddo. I think they're particularly focused on stuff like protecting Minecraft servers right now. Pretty sure it's a big earner for them.

Show replies