Thank Jebus Bhrist. - Page 3
Comments

  • Now everyone and their grandmothers will know LET is weak vs L7 attacks.

  • jbiloh Administrator, Veteran

    We are still working the issue.

  • I have peeked into hostloc and lots of talk regarding LET. It seems they are jealous.

    And I am surprised by seeing a screenshot. The YABS screenshot is in English; it seems like the only thing they left without translating to Mandarin.

  • Like when the DDOS attacks against PlayStation happened, those people were jailed/sentenced to prison. Can't this guy who did this also be prosecuted/I meant prostituted/ I meant Involucrated

    Thanked by 1yoursunny
  • DP Administrator, The Domain Guy

    @ps20090 said:
    Like when the DDOS attacks against PlayStation happened, those people were jailed/sentenced to prison. Can't this guy who did this also be prosecuted/I meant prostituted/ I meant Involucrated

    No, because this is not PlayStation 😁

  • @jbiloh said:
    We are still working the issue.

    Reach out to the guys at Path, I have a connection if you need it.

  • jbiloh Administrator, Veteran

    @SirFoxy said:

    @jbiloh said:
    We are still working the issue.

    Reach out to the guys at Path, I have a connection if you need it.

    Appreciate it, thanks. May just do that.

  • I got into hostloc, they are talking about LET. It seems that they are all surprised by the shutdown of LET. Maybe this attack is personal?

  • @Hakim said:

    What does "MJJ" stand for?

    mjj = ancient chinese for "boy with no penis".. it's some type of weird group of disenfranchised chinese homosexuals who use ddos attacks to express themselves sexually..

    Some fucky shit there Julian

  • risharde Patron Provider, Veteran

    As if the earth wasn't already a messed up place ...

    @dahartigan said:

    @Hakim said:

    What does "MJJ" stand for?

    mjj = ancient chinese for "boy with no penis".. it's some type of weird group of disenfranchised chinese homosexuals who use ddos attacks to express themselves sexually..

    Some fucky shit there Julian

    Thanked by 1dahartigan
  • redcat Member

    @dahartigan said:

    @Hakim said:

    What does "MJJ" stand for?

    mjj = ancient chinese for "boy with no penis".. it's some type of weird group of disenfranchised chinese homosexuals who use ddos attacks to express themselves sexually..

    Is John Cena MJJ?

    https://youtu.be/pqjOrsMupgg

    Thanked by 1CheepCluck
  • darb Member

    How to beat application DDoS attacks with CrowdSec & Cloudflare: https://crowdsec.net/2021/06/28/how-to-beat-application-ddos/

  • @yoursunny said:

    @stevewatson301 said:

    @yoursunny said: directly accessing the IP would leak the certificate of available virtual hosts.

    You could also use a webserver like caddy which only presents certificates if the ServerName in ClientHello matches one of the configured certificates, and sends a TLS alert otherwise.

    As I mentioned at the bottom, the MJJ's scanning method is ineffective: the attacker should always include the target domain instead of the IP in the ClientHello, so that the TLS server would return the certificate if it exists.
    Using a TLS server that validates SNI cannot protect against this improved attack.

    @yoursunny said: It is possible to configure firewall to only allow Cloudflare IP Ranges, but this would require periodical updates so that it's more complex than using a random IPv6 that nobody could guess.

    If the DDOS has already reached the origin, it's difficult to handle it using a firewall as it would now compete for CPU with the rest of the kernel and applications. You could consider filtering IPs in the PREROUTING tables though so that the packets get dropped without conntrack being invoked.

    The firewall is not a countermeasure for DDoS.
    It is to prevent finding the server by scanning global IP space, because anyone other than Cloudflare cannot reach the webserver.

    @dahartigan said:

    @Hakim said:

    What does "MJJ" stand for?

    mjj = ancient chinese for "boy with no penis".. it's some type of weird group of disenfranchised chinese homosexuals who use ddos attacks to express themselves sexually..

    Some fucky shit there Julian

    I doubt they're homosexual, more likely incels.

    Thanked by 1dahartigan
  • @TimboJones said:

    @yoursunny said:

    @stevewatson301 said:

    @yoursunny said: directly accessing the IP would leak the certificate of available virtual hosts.

    You could also use a webserver like caddy which only presents certificates if the ServerName in ClientHello matches one of the configured certificates, and sends a TLS alert otherwise.

    As I mentioned at the bottom, the MJJ's scanning method is ineffective: the attacker should always include the target domain instead of the IP in the ClientHello, so that the TLS server would return the certificate if it exists.
    Using a TLS server that validates SNI cannot protect against this improved attack.

    @yoursunny said: It is possible to configure firewall to only allow Cloudflare IP Ranges, but this would require periodical updates so that it's more complex than using a random IPv6 that nobody could guess.

    If the DDOS has already reached the origin, it's difficult to handle it using a firewall as it would now compete for CPU with the rest of the kernel and applications. You could consider filtering IPs in the PREROUTING tables though so that the packets get dropped without conntrack being invoked.

    The firewall is not a countermeasure for DDoS.
    It is to prevent finding the server by scanning global IP space, because anyone other than Cloudflare cannot reach the webserver.

    @dahartigan said:

    @Hakim said:

    What does "MJJ" stand for?

    mjj = ancient chinese for "boy with no penis".. it's some type of weird group of disenfranchised chinese homosexuals who use ddos attacks to express themselves sexually..

    Some fucky shit there Julian

    I doubt they're homosexual, more likely incels.

    Homosexual incels at that.

  • TimboJones Member
    edited July 2021

    @yoursunny said:
    As I mentioned at the bottom, the MJJ's scanning method is ineffective: the attacker should always include the target domain instead of the IP in the ClientHello, so that the TLS server would return the certificate if it exists.
    Using a TLS server that validates SNI cannot protect against this improved attack.

    Did you typo? You have conflicting statements. Also, if the domain can't be specified using wget, curl, nc or their own tool, they'd just sed etc hosts. Trivial.

    @yoursunny said: It is possible to configure firewall to only allow Cloudflare IP Ranges, but this would require periodical updates so that it's more complex than using a random IPv6 that nobody could guess.

    This would be automated and I'm sure exists.

    @yoursunny said: It is possible to configure firewall to only allow Cloudflare IP Ranges, but this would require periodical updates so that it's more complex than using a random IPv6 that nobody could guess.

    You probably missed the whitepapers on IPv6 scanning and reconnaissance. There's an engineer who has blogged about IPv6 security and attempts at fixing it in RFCs. I wish I had bookmarked it. I thought you were against security through obscurity?

    You're better off moving the webserver to a unique port than expecting your IPv6 IP to never get probed.

  • @TimboJones said: You have conflicting statements.

    What's conflicting about it? Just send the same public hostname in the ClientHello to the origin instead of the Cloudflare IPs?

    @TimboJones said: This would be automated and I'm sure exists.

    Cronjobs, yes.

    @TimboJones said: You're better off moving the webserver to a unique port

    As if port scans aren't a thing.

    Thanked by 1yoursunny
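
An added example (not code from any poster in this thread) of the origin allowlist yoursunny describes and the cron-driven refresh the reply above calls "Cronjobs, yes": it parses CIDR lists in the format Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, renders an nftables ruleset that drops non-Cloudflare traffic to the web ports in the prerouting hook before conntrack runs, and lets you check which source addresses would still get through. The embedded ranges are a constructed sample, not the complete real lists.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line format of Cloudflare's published
# lists. A cronjob would re-download the real lists and regenerate the ruleset;
# that is the "periodical update" the thread refers to.
SAMPLE_CF_V4 = ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13"]
SAMPLE_CF_V6 = ["2400:cb00::/32", "2606:4700::/32"]


def parse_ranges(lines):
    """Parse CIDR lines into ip_network objects, skipping blanks and comments."""
    nets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_allowed(src_ip, v4_nets, v6_nets):
    """Would a packet from src_ip reach the web ports under the generated rules?"""
    ip = ipaddress.ip_address(src_ip)
    nets = v4_nets if ip.version == 4 else v6_nets
    return any(ip in net for net in nets)


def nft_ruleset(v4_nets, v6_nets, ports=(80, 443)):
    """Render an inet-family nftables table: anything to the web ports whose
    source is outside the Cloudflare sets is dropped at raw priority in
    prerouting, so the kernel never creates a conntrack entry for it."""
    port_set = ", ".join(str(p) for p in ports)
    elems = lambda nets: ", ".join(str(n) for n in nets)
    return "\n".join([
        "table inet cf_only {",
        "  set cf4 { type ipv4_addr; flags interval; elements = { %s } }" % elems(v4_nets),
        "  set cf6 { type ipv6_addr; flags interval; elements = { %s } }" % elems(v6_nets),
        "  chain pre {",
        "    type filter hook prerouting priority raw; policy accept;",
        "    tcp dport { %s } ip saddr != @cf4 drop" % port_set,
        "    tcp dport { %s } ip6 saddr != @cf6 drop" % port_set,
        "  }",
        "}",
    ])


if __name__ == "__main__":
    v4, v6 = parse_ranges(SAMPLE_CF_V4), parse_ranges(SAMPLE_CF_V6)
    print(nft_ruleset(v4, v6))  # pipe into `nft -f -` from the cronjob
```

Note that this hides the origin from address-space scanning only; once Cloudflare's edge IPs are allowed through, an attack that reaches the origin via Cloudflare still has to be absorbed by the proxy layer, as yoursunny says.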
  • jbiloh Administrator, Veteran

    I appreciate everyone reaching out with their offers of help and advice. Much appreciated.

    I'm working hard to keep the site online.

    Thanked by 2DP ps20090
  • mcs Member

    You can use combined solutions, for example the ones on this site: https://ddos-guard.net/en/store/web . And such attacks will not be scary to you in the future.
