Amazon Route 53 and CloudFlare

sktanmoy Member
edited April 2012 in General

Using CloudFlare, we can protect websites from a range of online threats from spammers to SQL injection to DDOS, can hide server IP etc. Are those possible with Amazon Route 53?

Comments

  • raindog308 Administrator, Veteran

    Route 53 is a DNS service. Period.

    Thanked by 2 klikli marrco
  • @raindog308 said: Route 53 is a DNS service. Period.

    Well said. Took my words

  • Got it, is there any cheap alternative? Actually for one website, $20/mo is a bit higher for me.

  • 96mb Member

    @sktanmoy Cloudflare is free?

  • raindog308 Administrator, Veteran

    You are cut/pasting Cloudflare propaganda:

    "Protect your website from a range of online threats from spammers to SQL injection to DDOS." Direct from their front page.

    What exactly is it you're trying to do?

    There really isn't a "pay $20/month and your site is magically protected from all threats" service.

    I am highly skeptical that CloudFlare protects any site against all possible SQL Injection attacks. All it takes is one badly written script. How can CF protect against someone who feeds POST/GET directly to a query?
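raindog308's point, as an added example that is not part of the thread: a handler that feeds a request parameter directly to a query, next to the parameterized form that fixes it in the script itself. The `users` table, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_concatenated(db, params):
    # Request parameter pasted into the SQL text: its content is parsed as
    # SQL, so the caller controls the structure of the WHERE clause.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % params.get("name", "")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, params):
    # Value bound by the driver: it is only ever compared as data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (params.get("name", ""),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for params in ({"name": "alice"}, {"name": "' OR '1'='1"}):
        print(params["name"], "->",
              len(lookup_concatenated(db, params)), "rows concatenated,",
              len(lookup_parameterized(db, params)), "rows parameterized")
```
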

  • Kuro Member

    Take a look at naxsi (NGINX module) ?

    This will help you a bit with the SQLi, not so much the others...
    It's kinda like Apache's mod_security, but better (and for NGINX :D)

  • As I use SSL, CloudFlare isn't free for me :)
    @raindog308, yes, copy-pasted, to avoid mistakes to express about their services!

  • sktanmoy Member
    edited April 2012

    @raindog308 said: I am highly skeptical that CloudFlare protects any site against all possible SQL Injection attacks. All it takes is one badly written script. How can CF protect against someone who feeds POST/GET directly to a query?

    You're 100% right, but actual aim is to protect my website from DDoS.

  • Kuro Member

    @sktanmoy said: You're 100% right, but actual aim is to protect my website from DDoS.

    Get a BuyVM VPS + DDoS protected IP?

  • sktanmoy Member
    edited April 2012

    @Kuro said: Get a BuyVM VPS + DDoS protected IP?

    Already did but not sure if that would be really effective.

  • Kuro Member

    @sktanmoy said: Already did but not sure if that would be really effective.

    I've heard it can handle near 10Gbps before it becomes an issue (in which case your IP will be null-routed) and most DDoS attacks I've heard of have only been a few Gbps max. Also, I doubt cloudflare would take a 5Gbps+ attack for you.

  • Spencer Member
    edited April 2012

    @DotVPS said: Once Cloudflare hits 100mbps on that one server they route the traffic directly to the server.

    They are that generous? I thought it was a lot less. But I am prob wrong.

  • @DotVPS said: I have never used the protection because of our SSL but yes apparently when their 100mbps port's filled they route it direct.

    They must have a few 10GBit NIC in them servers then!

  • joepie91 Member, Patron Provider

    @raindog308 said: I am highly skeptical that CloudFlare protects any site against all possible SQL Injection attacks. All it takes is one badly written script. How can CF protect against someone who feeds POST/GET directly to a query?

    When you use CloudFlare, you change your DNS servers to their server, and their DNS servers will return CloudFlare IPs when queried. This essentially means that all your traffic is routed through CloudFlare quite literally (and this is why it only works for HTTP/HTTPS), so they get to do with the traffic whatever they want, including caching (for Always Online) and running a WAF: http://en.wikipedia.org/wiki/Application_firewall#Cloud-based_web_application_firewalls

    They can analyze all requests that are made to your site and filter out those that they believe to be harmful. As long as no one figures out the original server (or you configured it not to serve any requests that are not from CloudFlare), you should generally speaking be fine. Obviously CF isn't bulletproof and there will likely always be a way to circumvent it, but from what I heard they're doing a damn good job.

    @DotVPS said: Once Cloudflare hits 100mbps on that one server they route the traffic directly to the server.

    In my experience (disclaimer: this may have changed) CloudFlare had no issue dealing with a 5gbps DDoS, and it didn't route traffic directly to the server. Only when it became problematic for CloudFlare (nodes going down etc.) did they disable CloudFlare for my domain.

    @PytoHost said: They must have a few 10GBit NIC in them servers then!

    From the top of my head, they have 10gbit at every PoP. I'm not entirely sure though, and it may have changed by now.

    I've only ever used the free service, by the way - it doesn't come with a WAF. It does provide the "DDoS mitigation" though, although it has to be noted that they're definitely not a 'DDoS protection provider', it just happens to be a useful side feature. If you're under any serious attack (in the range of tens of gigabits), you'll probably want to be looking at Prolexic.

    Thanked by 2 djvdorp raindog308
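The origin-side check joepie91 mentions (not serving requests that do not come from CloudFlare), as an added example that is not part of the thread. `PROXY_RANGES` is a constructed placeholder built from documentation address space and stands in for the ranges the provider publishes; `CF-Connecting-IP` is the header CloudFlare uses to pass the visitor address, and `decide` is a hypothetical helper name.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). In a real
# deployment this is the list of ranges published by the proxy provider.
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "2001:db8:abcd::/48")]

def peer_is_proxy(peer_ip):
    """True if the TCP peer address belongs to the reverse proxy."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in PROXY_RANGES)

def decide(peer_ip, headers):
    """Return (status, client_ip) for a request arriving at the origin."""
    if not peer_is_proxy(peer_ip):
        # Direct hit on the origin: refuse it, and never believe a
        # client-address header that did not come through the proxy.
        return 403, None
    try:
        client = ipaddress.ip_address(headers.get("CF-Connecting-IP", ""))
    except ValueError:
        return 400, None
    return 200, str(client)

if __name__ == "__main__":
    # Constructed requests: (socket peer, headers).
    samples = [
        ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}),
        ("::ffff:198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}),
        ("203.0.113.50", {"CF-Connecting-IP": "198.51.100.7"}),
        ("198.51.100.7", {}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", decide(peer, hdrs))
```

The same allow-list is usually enforced at the firewall or web server as well, so that non-proxy traffic is dropped before it reaches the application.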
  • If you have no personal experience, not commenting tends to be a better option than commenting with borrowed knowledge ;)

    CF is fine for smaller, burst attacks. They don't route traffic directly till it starts becoming an issue for them.

  • @Kuro said: Get a BuyVM VPS + DDoS protected IP?

    I had to remove my buyvm ddos protected ip from my uptime monitor, as I was sick of getting 50+ emails a day about it.

  • lbft Member

    @joepie91 said: it has to be noted that they're definitely not a 'DDoS protection provider', it just happens to be a useful side feature

    AFAIK the original pitch for CloudFlare was as a security thing, with the CDN being the useful side-effect rather than the other way around.

  • joepie91 Member, Patron Provider

    @lbft said: AFAIK the original pitch for CloudFlare was as a security thing, with the CDN being the useful side-effect rather than the other way around.

    That is correct. If I recall correctly, they originally wanted to present it as a WAF kind of service (combined with Project Honeypot for keeping track of abusive IPs), and they had to figure out a way to make the added latency of proxying a request unnoticeable to the end user. While doing that they figured out that they could actually make it faster than when not having CloudFlare in between, and that's how it led to them being a CDN of sorts.

  • Francisco Top Host, Host Rep, Veteran

    Wrong.

    They help 'some' with that, but they're very quick to point the records back at you so you deal with the flood if it's of a decent size. There's no set limits that they go by, but from what they said on WHT, 'if you affect others, you're off the team'

    Francisco

  • raindog308 Administrator, Veteran

    @dmmcintyre3 said: I had to remove my buyvm ddos protected ip from my uptime monitor, as I was sick of getting 50+ emails a day about it.

    Could you expand this? What was the problem?

  • Francisco Top Host, Host Rep, Veteran

    @raindog308 said: Could you expand this? What was the problem?

    I'm thinking his IP might be getting thrown behind the SYN filtering. We've had a few people that have been getting pretty heavy SYN floods for their gameservers and it's making them lag as awknet's SYN filtering isn't constant - it's 'dynamic'. It's good stuff, but for gameservers it'll derp for a second :(

    For now I'm waiting to monitor the floods myself and will likely just have awknet ACL the ports they flood and hopefully put an end to that.

    Francisco

  • Derek Member

    I got good and bad news for some....

    https://developers.google.com/speed/pagespeed/service

    Google is going to pwn cloudflare :/

    Thanked by 2 klikli IceCream
  • Doubt it.

    CloudFlare is too far ahead for Google to catch up. At the rate the CF keeps hiring these engineers, Google will never catch up.

    PageSpeed also doesn't do security. It's also much slower than CloudFlare's network. I've tested with various tools and browser experience.

  • fan Veteran

    @Derek said: Google is going to pwn cloudflare :/

    ghs.google.com is blocked in China, so the Google one is nothing to me. :(

    Thanked by 1 klikli
  • @fan said: Google is going to pwn cloudflare

    Really!!!

  • Awmusic12635 Member, Host Rep
    edited April 2012

    If I remember correctly, Cloudflare took a 20Gbit ddos for lulzsec on their free plan.

  • ihatetonyy Member
    edited April 2012

    @Fliphost said: If I remember correctly, Cloudflare took a 20Gbit ddos for lulzsec on their free plan.

    Could have ended up being on the FBI's dime given recent revelations..

  • Francisco Top Host, Host Rep, Veteran

    @Fliphost said: If I remember correctly, Cloudflare took a 20Gbit ddos for lulzsec on their free plan.

    Right but that's lulzsec, they got a crap load of publicity over that. Do you think the guy with his minecraft site is going to be so lucky?

    Francisco

    Thanked by 3 yomero NanoG6 maxexcloo
  • Awmusic12635 Member, Host Rep

    Good point, guess it just depends who you are and their decision at the time.
