
[–]magnora7 4 insightful - 1 fun (21 children)

That's probably a function of how many tor attacks we have received in the previous couple hours, it tightens the security if there is a DDOS attempt through tor or other VPNs (which we get about 10 daily for years now, and they must be automated because they keep trying yet never succeed)

[–]SoCo[S] 3 insightful - 1 fun (16 children)

Do people still DDoS with Tor? It seems unlikely to ever be very good at that. To me, it looks like almost all network hacking seems to happen over common big-name cloud services now.

There are only a couple thousand Tor exit nodes I think. That seems like it would consolidate a distributed attack into only like a little over a thousand connections at once, which seems wimpy. (I assume all exit nodes wouldn't be useful against a single target, due to being geographically spread out or otherwise; using all exit nodes at once might be hard to achieve.)

[–]magnora7 3 insightful - 1 fun (15 children)

They're able to spoof IP addresses in the tor node range of IPs, is the actual problem. They're not using tor, they're just acting like they are a lot of times to make the fact their IP changes with every request look less suspicious.

[–]SoCo[S] 3 insightful - 1 fun (14 children)

The 'Tor node range of IPs' is regular IPv4 and IPv6......so I'm not following you. Are you saying the whole regular Internet is broken?

You can easily get a list of all the regular Internet IPs of all Tor exit nodes, they provide a list to do just that.

Changing your IP with every request would be problematic for most websites. Tor only does that when the current exit node goes out of service or the user clicks 'new circuit for this site' (usually due to the current circuit of nodes failing to load the site).

If you really want unlimited obscured IPs, you get a Google, Amazon, or Microsoft cloud account. Preferably, all of the above, cycle free offers, and grab some European cloud host accounts too. You can have more than 1000 IPs then.

[–]magnora7 3 insightful - 1 fun (13 children)

It's worse than that: these attackers can spoof any IP. Trillions of IPs. They often choose Tor node IP ranges to spoof, it seems, to overlap with real traffic, as a means to try and get us to ban tor and to also cover up their activity. They also spoof other IP ranges, but tor is their favorite.

[–]SoCo[S] 4 insightful - 1 fun (6 children)

Since a spoofed IP cannot receive a reply, they should be just standard network noise for an HTTPS web server; they cannot perform the HTTPS handshake.

Their likely goal is to both/either:

  • stress the website, forcing it to use expensive privacy-invading protection services that are feasibly able to de-anonymize users across the net, even on Tor, if so inclined (Cloudflare's transparency reports give the impression of resistance, but I prefer to trust no one and no service).
  • cause a reflection attack against the spoofed IPs

When they connect to the HTTPS and the website replies to the spoofed IP, those packets make the website reply to the Tor IPs, becoming a reflection attack. For a non-valid TCP connection, these should be dropped pretty readily by the Tor node's NAT, and the HTTPS handshake packet shouldn't be too large. Yet, with enough of these, it can likely still degrade the Tor node's network.

Similar to robocallers spoofing caller IDs, this network spoofing can only exist non-locally because large network operators or backbones don't reject packets with obviously forged return addresses. A large number of cellular and Internet backbones are filtering for this. I suspect that cloud providers have simply covered their eyes and ears, allowing their customers to freely send spoofed packets en masse. Considering how much malicious vulnerability scanning, specific attacks, and scam/malware hosting comes from the major cloud providers, seemingly without a care or way to identify or report them, this seems a likely origin, even though not helpful.

HTTP (without the S) on the other hand, could cause lots more problems for a webserver and a much more significant reflection as well.
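The distinction drawn in this comment, that a spoofed source can never finish the TCP or TLS handshake while a real Tor exit can, is something a site operator can check directly in connection-tracking data before deciding to ban "Tor IPs". The script below is an added example and is not code from the thread or from saidit; the exit-node list and the connection events are constructed (RFC 5737 documentation addresses), the 60-byte SYN-ACK size is an assumption, and the retransmit count mirrors the Linux default `net.ipv4.tcp_synack_retries=5`.

```python
"""
Added example, not from the thread: tell real Tor exit traffic apart from a
SYN flood that merely spoofs Tor exit addresses. A spoofed source never
receives the server's SYN-ACK, so it can never complete the TCP handshake
(let alone TLS); a genuine Tor exit completes both. Banning "Tor IPs" on raw
packet counts therefore punishes real users while the server's SYN-ACKs still
reflect onto the exit nodes. All addresses, records and the exit list below
are constructed.
"""
from collections import defaultdict

# Constructed stand-in for a downloaded Tor exit-node list.
TOR_EXITS = {"198.51.100.7", "198.51.100.9", "203.0.113.42"}


def _flood(ip, n):
    """n bare SYNs from one source and nothing else: the spoofed-source signature."""
    return [(ip, "syn")] * n


# Constructed connection-tracker events: (source_ip, event).
# "syn": first packet of a connection seen; "established": 3-way handshake
# finished; "tls": TLS handshake finished on that connection.
SAMPLE_EVENTS = (
    [("198.51.100.7", e) for e in ("syn", "established", "tls")] * 3  # real Tor user
    + _flood("198.51.100.9", 500)                                      # spoofed Tor exit
    + _flood("192.0.2.55", 400)                                        # spoofed non-Tor
    + [("192.0.2.10", e) for e in ("syn", "established", "tls")]       # ordinary user
)


def summarize(events):
    """Per-source counts of SYNs, completed TCP handshakes and TLS handshakes."""
    stats = defaultdict(lambda: {"syn": 0, "established": 0, "tls": 0})
    for ip, event in events:
        stats[ip][event] += 1
    return dict(stats)


def classify(stats, tor_exits, min_syns=50):
    """
    Label each source. Many SYNs with zero completed handshakes means the
    source never saw the SYN-ACK, i.e. it is behaving like a spoofed address.
    """
    labels = {}
    for ip, s in stats.items():
        half_open_only = s["syn"] >= min_syns and s["established"] == 0
        is_tor = ip in tor_exits
        if half_open_only and is_tor:
            labels[ip] = "spoofed-tor-exit"
        elif half_open_only:
            labels[ip] = "spoofed-other"
        elif is_tor:
            labels[ip] = "tor-exit-real-traffic"
        else:
            labels[ip] = "ordinary"
    return labels


def reflected_synack_bytes(stats, labels, synack_len=60, synack_retries=5):
    """
    Estimate bytes the server reflects onto each spoofed address: one SYN-ACK
    per SYN plus retransmissions while the half-open entry is alive.
    synack_len is an assumed on-wire size (IPv4 + TCP with options);
    synack_retries follows the Linux default net.ipv4.tcp_synack_retries=5.
    """
    return {
        ip: stats[ip]["syn"] * synack_len * (1 + synack_retries)
        for ip, label in labels.items()
        if label.startswith("spoofed")
    }


def mitigation(label):
    """Defender's response per label: keep real Tor users, starve spoofed ones."""
    return {
        "spoofed-tor-exit": "enable SYN cookies / drop half-open; do not ban the exit",
        "spoofed-other": "enable SYN cookies / drop half-open; ask upstream for BCP 38 filtering",
        "tor-exit-real-traffic": "allow; rate-limit per completed handshake if needed",
        "ordinary": "allow",
    }[label]


if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS)
    labels = classify(stats, TOR_EXITS)
    for ip, label in sorted(labels.items()):
        print(f"{ip:15} {label:22} {mitigation(label)}")
    print(reflected_synack_bytes(stats, labels))
```

Keying the decision on completed handshakes rather than on address ranges is the point: the spoofed exit and the real exit sit in the same "Tor range", but only one of them ever reaches `established`. Note what SYN cookies do and do not fix: they remove the half-open state and the retransmissions, so the reflected volume shrinks to one SYN-ACK per spoofed SYN, but the server still answers every SYN; only source-address filtering upstream (BCP 38) stops the reflection entirely.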

[–]magnora7 6 insightful - 1 fun (5 children)

Interesting technical analysis, I will think about that some more, thank you. They are obviously somehow able to get replies despite the IP changing with literally every request and jumping beyond any normal IP bounds of any service like tor. I don't know exactly how it works. Honestly it's beyond anything I've ever seen, it may be some gov't tech, who knows. It's quite obviously not some dumb script kiddies, there's no question about that. They know what they are doing and have lots of software specifically for this. I have also seen they have software that does automated account registration, and automated comment and post deletion after a saidit account is banned. They're quite obviously well-prepared, and a lot of this was unleashed on day 1 of saidit's launch, wherein a group on reddit literally scanned /r/conspiracy for regularly-commenting usernames and then registered all those usernames on saidit in order to frustrate the migration and scare off new users. They registered something like 5,000 accounts in under a half-day, on saidit's opening day, before we turned on a more advanced captcha system.

Saidit basically had to become a cyber-fortress just to exist, I probably personally spent over 1000 hours just on saidit cybersecurity alone. I learned how to write Cloudflare API bash scripts that send self-autogenerated IP ban lists (which I also wrote a script for) from our server to the cloudflare server, without having to use the paid service, just to save money. D3rr and I used every trick we know to get saidit as secure as it is, and he's even better with this stuff than I am.

Basically my point is, this is a very high hurdle to jump over, and it's little wonder a lot of reddit alternatives implode quickly. You have to absolutely have your stuff together from day 1, or the site will be taken down from malicious attacks that are just free-floating around the internet. Most people can't do this, and most forums fail. Especially if the forum is related to anything controversial.

This itself is a way to stifle the free speech of the masses. You literally have to be a cybersecurity expert just to run a dang forum in 2023. And that's not even mentioning the actual code of just getting the thing running in the first place. And then the critical mass problem of attracting enough users. The hurdles are too high, so it's little wonder there are so few viable reddit alternatives. It's not a good state of affairs for the internet and culture in general. And with the improving quality of automated AI posting and commenting on top of that, I worry about the future of anonymous text-based forums.

[–]Vulptex 2 insightful - 1 fun (4 children)

Honestly it's beyond anything I've ever seen

It might be reddit then. Reddit is somehow able to detect your alt accounts automatically, going back years, in cases where it should be literally impossible to do even manually.

[–]magnora7 2 insightful - 1 fun (3 children)

Could very well be, especially since this is a fork of reddit's open source, and the attackers seemed to know the software inside-out on day 1, and exactly how to exploit it. And it would make sense that reddit would want to stifle competition.

[–]Vulptex 2 insightful - 1 fun (2 children)

Yeah that's very suspicious. Could also be agents from /r/defaultmods.

[–]Vulptex 3 insightful - 1 fun (5 children)

Wouldn't be surprised if it's feds doing this, or even CloudFlare and Google shills.

[–]magnora7 2 insightful - 1 fun (4 children)

I'm pretty sure it's the former, not the latter. Also could work for reddit, shutting down competition. Although reddit is basically fed owned at this point too, so the distinction probably doesn't matter that much. Also there are Russian and Chinese shill groups, and many more... it's quite frequent the shill groups will even fight each other. The internet is truly a different place from 20 years ago.

[–]LarrySwinger2 3 insightful - 1 fun (3 children)

What kind of fighting are you talking about?

[–]magnora7 4 insightful - 1 fun (2 children)

I mean fighting in the sense of arguing and posting tons of comments and posts that hijack entire threads and forums. Like for example, a thread might have 90 comments, 40 are russian shills arguing the pro-russian side, 40 are US shills arguing the US side, and then 10 are actual real people. Because the different shill groups try to shut each other down they get caught in arguments with each other, and those arguments end up making up the bulk of some threads. Especially if it's a contentious MSM hot button current issue for both sides, then it goes wild and normal folk can barely get a word in edgewise.

[–][deleted]  (1 child)

[removed]

    [–][deleted] 2 insightful - 1 fun (3 children)

    Ddos would be automated and it is done explicitly for the reason of de-anonymizing users. So data brokers can collect and transmit the content of these messages, the whole of the internet went out of their control and they’ve been doing a massive cya operation by shuffling blame to the users for any mistakes.

    [–]magnora7 2 insightful - 1 fun (2 children)

    ddos has nothing to do with de-anonymizing users. What it does is eat up the bandwidth so no one can access the website. It doesn't grant any access to anything.

    [–][deleted] 2 insightful - 1 fun (1 child)

    I know, they are forcing your hand at blocking tor ranges (ddos) in an effort to deanonymize users via Cloudflare, since with tor it makes access more difficult.

    [–]Vulptex 1 insightful - 1 fun (0 children)

    I wouldn't even be surprised if CloudFlare is actually who's doing it.