Is there a reason why this forum is anti-VPN?
Hi,
I use Mullvad, which is a pretty popular VPN, and Cloudflare instantly bans my IP.
When I'm not on a VPN, Cloudflare redirects like 5 times before finally showing the forum page.
Is there a good reason for setting up Cloudflare to be so restrictive?
There are other ways to protect from DDoS, like nginx rate limiting, firewall rules, etc.
Comments
you're cute!
As a person who has operated other websites that were essentially DDoS magnets, a fair bit of abuse does come from hosting IP ranges, which are the same places where VPNs are hosted.
In addition, VPNs tend to be hosted on providers who are willing to look past a few abuse notices and copyright infringement notices. This is good for the VPN provider because they won't be booted out, but it also makes for a good haven for those willing to DDoS. M247, Servermania and OVH are well known examples.
It is in the interest of the provider to make the website available for as many people as possible, so usually hosting IP ranges are the one to get the boot.
VPN is the new evil.
That's why. They claim to provide privacy but what they do is sell your info to bidders.
I have not encountered any issue while using ExpressVPN. The hosting servers at popular locations are pretty much the same across all VPN providers. Maybe there is another variable at play which you have not factored in.
The VPN disguises your source address. While you may not be using this for nefarious purposes (in fact you might not care about your source address, using the VPN to get around ISP monitoring perhaps, and the host address thing is just a side-effect), filters can't tell the difference between you and the other people using that VPN provider to disguise their source address, some of whom are doing so for nefarious purposes.
Lots of DoS attempts, both amateur and effective, come from the same address ranges you appear to come from over the VPN; it is a choice between not blocking them and blocking you, as you don't look any different.
Two possible ways around this: set your network routing so that access to LET doesn't go through the VPN, or set up your own VPN (WireGuard, OpenVPN, ...) on a host somewhere (though you have to make sure it isn't a host that also plays host to public VPN services, or you'll likely hit the same problem).
Unfortunately all of which take more admin time (and therefore cost) than using CF, are often less effective, would require more resources (and therefore cost) at LET's end, and might just as well block your VPN provider for exactly the same reason CF do anyway.
It isn't anti-VPN directly. It is anti-some-of-the-people-who-use-those-VPNs. And it is not possible to distinguish between you and those other sorts (that would defeat part of the point of the VPN).
This forum (or rather: its members) is not anti-VPN. Check my signature. Firewall rules may have been put in place to prevent abuse.
I connect to M247. I used Torguard previously and it was using the same M247 provider with the same server country, yet I had no issue with this forum. Is it something specific with Mullvad maybe?
Is it possible to configure Cloudflare on the DDoS settings, or is it a one-shoe-fits-all type of deal?
You think nginx rate limiting is not effective?
I'm using this config and it works pretty well when testing with siege:

    # http {} context: 10 MB shared zone keyed by client address, 10 requests/second per key.
    # Note: behind a CDN or reverse proxy $binary_remote_addr is the proxy's address unless
    # ngx_http_realip_module has been configured to restore the real client address.
    limit_req_zone $binary_remote_addr zone=www:10m rate=10r/s;
    # server {} or location {} context: queue up to 50 excess requests per key, reject beyond that (503 by default).
    limit_req zone=www burst=50;
@juupiner
It works, but it quickly stresses out when DDoSed at scale. In addition, since you have multiple users connecting over VPNs, you might effectively get the same result once you implement these restrictions in nginx.
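To make the shared-exit problem concrete, here is an added simulation (not code from LET, nginx, or any poster in this thread) of the leaky bucket that nginx's limit_req uses, with the `rate=10r/s` and `burst=50` values from the config posted above. It replays constructed traffic, five people loading a page at the same moment, once with all of them behind one VPN egress address and once with each on their own address, and also a single source flooding at 1000 r/s. The addresses (203.0.113.7, 198.51.100.9) and the page-load pattern are assumptions for illustration only.

```python
"""Replay traffic through a model of nginx's limit_req leaky bucket.

Added illustration, not LET's or nginx's code. Mirrors nginx's integer
arithmetic: excess and burst are kept in thousandths of a request, the rate
in thousandths of a request per second, timestamps in milliseconds.
"""


class LimitReqZone:
    """Per-key state of a `limit_req_zone ... rate=Nr/s` with `limit_req burst=B`."""

    def __init__(self, rate_rps, burst):
        self.rate = rate_rps * 1000   # milli-requests per second
        self.burst = burst * 1000     # milli-requests
        self.state = {}               # key -> [excess, last_ms]

    def check(self, key, now_ms):
        """Return (accepted, delay_ms) for one request from `key` at `now_ms`.

        A rejected request (503) leaves the key's state untouched, as in nginx.
        `delay_ms` is how long nginx would hold the request without `nodelay`.
        """
        node = self.state.get(key)
        if node is None:
            # The first request for a new key is admitted with zero excess.
            self.state[key] = [0, now_ms]
            return True, 0
        excess, last = node
        ms = max(0, now_ms - last)            # nginx clamps negative gaps to 0
        # Drain the bucket for the elapsed time, then add this request.
        excess = excess - self.rate * ms // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:
            return False, 0
        node[0] = excess
        if ms:
            node[1] = now_ms
        return True, excess * 1000 // self.rate


def page_load(user, t0_ms, n=20, gap_ms=10):
    """Constructed browser trace: one page fetching n assets, gap_ms apart."""
    return [(t0_ms + i * gap_ms, user) for i in range(n)]


def simulate(zone, requests, key_of):
    """Replay time-ordered (t_ms, user) requests; return (rejected, max_delay_ms)."""
    rejected, max_delay = 0, 0
    for t, user in sorted(requests):
        ok, delay = zone.check(key_of(user), t)
        if ok:
            max_delay = max(max_delay, delay)
        else:
            rejected += 1
    return rejected, max_delay


def shared_vs_separate(users=5, rate=10, burst=50):
    """Same five page loads, keyed by one shared VPN exit vs. per-user addresses."""
    reqs = [r for u in range(users) for r in page_load(u, t0_ms=2 * u)]
    # Assumed VPN egress address (RFC 5737 documentation range).
    shared = simulate(LimitReqZone(rate, burst), reqs, key_of=lambda u: "203.0.113.7")
    separate = simulate(LimitReqZone(rate, burst), reqs, key_of=lambda u: f"user-{u}")
    return shared, separate


def flood_rejections(n=1000, gap_ms=1, rate=10, burst=50):
    """One source at 1000 r/s for a second: the bucket admits rate + burst."""
    reqs = [(i * gap_ms, "bot") for i in range(n)]
    return simulate(LimitReqZone(rate, burst), reqs, key_of=lambda u: "198.51.100.9")[0]


if __name__ == "__main__":
    (shared_rej, shared_delay), (sep_rej, sep_delay) = shared_vs_separate()
    print(f"behind one VPN exit: {shared_rej} of 100 requests get 503, worst delay {shared_delay} ms")
    print(f"on separate addresses: {sep_rej} get 503, worst delay {sep_delay} ms")
    print(f"single flooding host: {flood_rejections()} of 1000 requests get 503")
```

Five innocent users behind one exit trip the burst at request 53 and lose the rest of their page loads, while the same users on separate addresses lose nothing; the lone flooder is held to rate plus burst, which is the case per-IP limiting is good at and the case a distributed attack or a popular VPN exit is not.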
Looking at the source of blog and other spam as well as attacks of all sorts, some prominent ones that come up again and again are Servermania, Tor, and pretty much all VPNs, so I block all of them.
Well noted, I'm pro VPNs but running my hobby stuff, some of it not anymore small, all by myself I simply can't (and don't want to) afford to clean up after all the thugs so I block them.
I think @Falzo is absolutely right. Simple reason: [D]DoS attacks must be caught early in the chain where they have really big pipes. Once it reaches your dedi or VPS it's game over, because you are but a small leaf (1 Gb/s, maybe 10 Gb/s) on the network "tree" while the attacking traffic sometimes even overwhelms the provider or even the DC (typ. 40 - 400 Gb/s).
Your nginx "protection" is simply worthless against a [D]DoS attack. It's like wearing a T-shirt to protect from a bullet.
TL;DR When [D]DoS attack traffic reaches your system they have already won and you lost.
It's not just Mullvad. I use two good VPNs and have never had problems (for years) accessing LET until the past couple of weeks. Now many VPN locations are blocked (I've tried dozens). You need to try other cities/countries until you find one that's not blocked. FYI, LES still works normally.
I'm swapping around on my self-hosted VPNs all the time, no issues here. However, I haven't been here for long.
it's a very peepeepoopoo situation
some say peepee while others say poopoo
I can confirm that VPN Unlimited by KeepSolid does not work on LET. I get a Cloudflare warning that the IP is not allowed or something.
In some cases the benefits of blocking VPNs at the edge will be greater than the effort required by you to turn off your VPN. In those cases, the loss of your traffic/business is likely an acceptable loss as well.
As far as nginx rate limiting to deal with DDoS attacks, I'd like you to do an experiment for me:
Fill your mouth with cotton balls until not a single one more can fit in. Now eat a chicken sandwich and make sure to limit your consumption so that you don’t choke on any of the chicken. Don’t take the cotton balls out.
If you're looking for anti ISP spying, host your own VPN.
This is the error:
LowEndTalk gets attacked viciously over and over. We have to put up defenses because of that.
If you are blocked please share what VPN/proxy service you are using.
VPN Unlimited [KeepSolid] -> Protocol wisetcp
Reminds me a conversation where someone mentioned DDoS and a guy replied "well, I run mod_evasive so I'm not worried about that".
Blocking a single attacking host is easy. Blocking thousands is not something your webserver/firewall can do. Difference between DoS and DDoS.
Windscribe as well.
I will see what we can do!