Long term DDoS protection

SC uses Cloudflare, largely because it offers protection against DDoS attacks. These are a serious threat specifically to Buddhist sites. There is a significant cyberwar underway, where extremist Muslims from Myanmar and possibly elsewhere have brought down many Buddhist and related websites. It doesn’t have to be specifically Buddhist; anything is fair game, personal pages, government sites of Sri Lanka or Myanmar, and so on. I’m aware of two monk friends of mine whose sites were brought down.

DNS service providers such as Cloudflare provide protection against such attacks. The idea is that, as large distributed networks, they’re too big to be brought down.

This is no longer the case; yesterday much of the internet was crippled by a DDoS attack on another DNS service provider, Dyn.

https://www.washingtonpost.com/news/the-switch/wp/2016/10/21/someone-attacked-a-major-part-of-the-internets-infrastructure/

The reason this has changed is the Internet of Things (IoT). Millions, perhaps billions, of unmonitored and unsecured devices have been taken over by botnets and used to launch these attacks. This is only the beginning. Such attacks will increase in scale and sophistication.

This changes the landscape drastically. From today we should seriously consider the possibility that using a DNS service provider increases the chance of being taken down. At the very least, it’s no longer a bulletproof solution.

For now, we can wait and see. But we might want to consider the option of avoiding such services entirely.

4 Likes

Bhante, should additional protection measures be needed, please kindly let us know whether SC will need any extra financial help to fund it. I will indeed be pleased to be of any help.

1 Like

Thanks so much. We’ll keep an eye on the situation.

That’s a good idea. From now on we should just serve the site from https://104.25.120.17
</sarcasm>

You can’t avoid using a DNS service, because that’s what maps a domain name like “suttacentral.net” to the server’s IP address, which is a bunch of meaningless numbers. All you can do is use a DNS service which is as robustified as possible. So far I am extremely happy with Cloudflare’s DNS service. One of the nice things about Cloudflare’s DNS is that it uses something called Anycast. Cloudflare has over 20 DNS servers around the world; not only does this mean that your browser can contact the nearest one to perform a DNS lookup (reducing page load times), but if one or more of Cloudflare’s DNS servers are taken down there is lots of redundancy, making Cloudflare’s DNS extremely difficult to disrupt. Cloudflare actually uses Anycast for all of its network services, meaning that just taking down a few of Cloudflare’s servers can’t stop browsers getting content from alternative servers. Being behind such a service is certainly much better than not, in terms of general robustness to DDoS.

2 Likes
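The two points made in the thread so far, that a resolver keeps working as long as at least one authoritative server answers, and that putting every nameserver with a single provider leaves a zone exposed when that provider is attacked (the Dyn situation), can be shown with a small simulation. This is an added example, not code from the thread or from Cloudflare; the nameserver names, IP addresses and the “down” set are constructed, and the query function is a stand-in for a real DNS lookup so the script runs offline.

```python
"""Added example: failover across redundant nameservers, and a rough check of
how many independent DNS providers a zone depends on. Not from the thread."""
from collections import Counter

# Constructed sample data: the NS set of a hypothetical zone and one A record.
# All hostnames and addresses here are made up (documentation ranges).
SAMPLE_NS = {
    "ns1.example-dns.net": "192.0.2.10",
    "ns2.example-dns.net": "192.0.2.11",
    "ns3.example-dns.net": "192.0.2.12",
}
SAMPLE_RECORDS = {"suttacentral.example": "203.0.113.7"}
# Constructed: two of the three servers are unreachable (e.g. under attack).
DOWN = {"192.0.2.10", "192.0.2.11"}


def fake_query(server_ip, name):
    """Stand-in for a UDP DNS query (hypothetical, no network access).
    Raises TimeoutError for servers in DOWN, otherwise returns the record."""
    if server_ip in DOWN:
        raise TimeoutError(f"no answer from {server_ip}")
    return SAMPLE_RECORDS.get(name)


def resolve_with_failover(name, nameservers, query=fake_query):
    """Try each authoritative server in turn and return (answer, servers_tried).

    Resolution only fails when every server times out, which is the
    redundancy argument made in the post: losing a few servers is survivable.
    """
    tried = []
    for host, ip in nameservers.items():
        tried.append(host)
        try:
            answer = query(ip, name)
        except TimeoutError:
            continue  # this server is down; move on to the next one
        if answer is not None:
            return answer, tried
    return None, tried


def provider_diversity(ns_hosts):
    """Group NS hostnames by their parent domain (a crude proxy for the
    operator) and report how many distinct providers the zone relies on.

    A zone whose NS records all sit under one provider has a single point of
    failure, which is what the Dyn outage exposed for its customers.
    The heuristic takes the last two labels and ignores public-suffix rules
    such as co.uk; it is an assumption for this example, not a general parser.
    """
    def parent(host):
        parts = host.rstrip(".").split(".")
        return ".".join(parts[-2:])

    counts = Counter(parent(h) for h in ns_hosts)
    return {"providers": dict(counts), "single_provider": len(counts) == 1}


if __name__ == "__main__":
    answer, tried = resolve_with_failover("suttacentral.example", SAMPLE_NS)
    print(f"answer={answer} after trying {tried}")
    print(provider_diversity(SAMPLE_NS))
    print(provider_diversity(["ns1.example-dns.net", "ns1.other-dns.org"]))
```

Run as written, the resolver still gets an answer from the third server after the first two time out, and the diversity check flags the sample zone as depending on a single provider; adding a nameserver under a second operator clears that flag. Real tooling would replace `fake_query` with an actual DNS client and would use the public suffix list rather than the two-label heuristic.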

I don’t know, that seems kinda cool. It’s a sort of punk IP.

Having said which, I was thinking of something like rolling our own DNS, or whatever. But I’m not really proposing anything, actually, just wanting to be aware of the potential issues.

Sure, Cloudflare seems fine. Last week Twitter and Paypal thought Dyn was fine, too.

There’s been a lot of chatter about this at slashdot etc., and the drift seems to be that we are entering a new era of DDoS attacks, and no-one really knows what it will hold.

1 Like