CloudFlare - Why it's important to the internet, OR why you should stop complaining about captcha
I know already that the vast majority of Facepunch users think of CloudFlare as an annoyance, as a captcha entry they shouldn't need to do, that it's slowing down Facepunch and giving offline errors when Facepunch isn't online. I've seen that posted all over the forums. However, what CloudFlare is doing is important to the internet on the whole.
I'm not talking about the CDN service they provide here; I'm talking about informing compromised users, and blocking malicious requests to a site. Blocking UDP/SYN/RST attacks. The average internet user will never notice this. To put it into perspective, here's a graph from my CloudFlare account.
[img]http://gyazo.com/84fce804d54c0c34ac07ec01ad59a1ca.png[/img]
Yes, that's two million hits per hour. Around 90% to 98% of that is from bots. While this was happening, CloudFlare was creating new rules to prevent those bots from being used in attacks against other sites under CloudFlare. Additionally, for each rule created, it will show that user a message informing them that their computer may be infected with malware. This ultimately helps everyone overall.
CloudFlare generates these rules using data gathered from [url=http://www.projecthoneypot.org/]Project Honeypot[/url] (the developers of which started CloudFlare), google, and behavior noticed from sites that are visited. IPs are given a "threat rating" which determines how large a threat it may pose to a server. This is then compared against the server's threat control level, and may then challenge the visitor with a captcha. The more malicious activity is done, the faster it gets blacklisted throughout all CloudFlare sites; meaning it gets challenged on all.
You might think - who gives a fuck. CloudFlare only filters traffic for a tiny percentage of servers. Well, google are now launching a similar service. Everyone searching using google will now be notified if google detects any basic malware is messing around with their connection.
[img]http://posterous.com/getfile/files.posterous.com/temp-2011-07-20/naysxazlcdJmuredhfmnzdnAfpFFezDlFzBtvtrIAmAEnACecjnwFBiqvDcb/google_malware_warning.png.scaled1000.png[/img]
Of course, this will never stop the problem. But it makes it more bearable for those of us who have to deal with it on a day to day basis. CloudFlare isn't even a DDoS mitigation service, but it functions perfectly as one. They are quoted to have said that they will keep clients online up until [b]several gbit/s[/b]. I know several VPS hosts (BurstNet) that will disable your VPS for receiving a 500mbit hit from a booter.
CloudFlare has saved me so much trouble it's hard to explain. And all of this, for free.
Few more pictures after the massive wall of text:
[img]http://gyazo.com/3195d82d3cf3f4235effe62293d38a8d.png[/img]
HTTP flood bot:
[img]http://gyazo.com/723a5d2fc93a605d24ce912f2fcacd36.png[/img]
And CloudFlare filtering 75% of an attack against one of my sites:
[img]http://gyazo.com/87d27fa1c321283fae1c801bda23a7e5.png[/img]
Anyway, to draw that up. CloudFlare has saved me an immense amount of hassle. For what? For nothing. The only real differences between the free version and the paid-for version are a few little additions and real-time graphs instead of a 24h delay. They are some of the most genuine people I've ever dealt with in a company - I've given suggestions, which were actually considered and a few are currently being implemented. Bug reports - the issues were fixed within hours. Last but not least, I gave them feedback. Nobody else saw the feedback, but still they sent me a CloudFlare shirt (which, due to it coming from the USA, hasn't arrived yet).
What I liked even more about CloudFlare was how easy it is to set up. All you need to do is change DNS servers to point to theirs, and then change SSH/RDP/FTP to point to your "direct" link. Here's [url=http://cloudflare.com]their site.[/url]
I hope this opens some of your eyes about CloudFlare; Having to enter a captcha once or twice a week is hardly a penalty for something like this.
[url=http://blog.cloudflare.com/breaking-the-cycle-of-malware]CloudFlare blog post about Google's new anti-malware service.[/url]
Nice writeup, thanks.
I didn't know this existed before now, thanks.
Also, if cloudflare says the forums are down - they are down. It isn't lying. It isn't causing them to be down. It's simply telling you that they're down.
I thought the emergency browsing feature when the forums were down was quite good. It enabled me to browse some old threads for a while rather than constantly F5'ing to see if it's back up yet.
My only problem with CloudFlare is that because of some retard on my ISP I have to enter a captcha on a lot of websites.
I never knew it did this. Thanks! It was also nice of them to send you a t-shirt for giving the feedback.
[QUOTE=SilverHedgehog;31235579]My only problem with CloudFlare is that because of some retard on my ISP I have to enter a captcha on a lot of websites.[/QUOTE]
It'd be interesting if Cloudflare could trace the infected user down by sending the IP address to the ISP, and the ISP getting the MAC address/whatever identifier they use and sending that customer a notification that they have malicious software that needs to be taken care of (as this user is an example of a situation where a whole group of non-static IPs are probably flagged as spambots due to one or two infections).
Though, I guess there's not really any incentive for providers to do this.
[QUOTE=Soda;31235756]It'd be interesting if Cloudflare could trace the infected user down by sending the IP address to the ISP, and the ISP getting the MAC address/whatever identifier they use and sending that customer a notification that they have malicious software that needs to be taken care of (as this user is an example of a situation where a whole group of non-static IPs are probably flagged as spambots due to one or two infections).
Though, I guess there's not really any incentive for providers to do this.[/QUOTE]
That just gave me the idea of some super advanced worldwide anti-virus system, where infected PCs are flagged and then the ISP runs some sort of automatic tool to get rid of it.
[QUOTE=ChaosUnleash;31235807]That just gave me the idea of some super advanced worldwide anti-virus system, where infected PCs are flagged and then the ISP runs some sort of automatic tool to get rid of it.[/QUOTE]
Until programs like uTorrent are considered malicious.
[QUOTE=Soda;31235756]It'd be interesting if Cloudflare could trace the infected user down by sending the IP address to the ISP, and the ISP getting the MAC address/whatever identifier they use and sending that customer a notification that they have malicious software that needs to be taken care of (as this user is an example of a situation where a whole group of non-static IPs are probably flagged as spambots due to one or two infections).
Though, I guess there's not really any incentive for providers to do this.[/QUOTE]
You'd be surprised. A timestamp and an IP address is enough for an ISP to get the exact user. ISPs also like to ensure their customers are not compromised as it reduces their costs.
For example, my ISP has a system nicknamed "StalkStalk". Every time a URL is requested, they look it up in a database. If it hasn't been scanned in 14 days, they send two bots to the URL and scan most of the site for viruses.
[QUOTE=Overv;31235920]Until programs like uTorrent are considered malicious.[/QUOTE]
but they wouldn't; it's just a file opener that happens to be used primarily for piracy
if they were to consider uTorrent as malicious, it's likely they would consider WinRAR malicious too
[QUOTE=thispieiscold;31236199]but they wouldn't; it's just a file opener that happens to be used primarily for piracy
if they were to consider uTorrent as malicious, it's likely they would consider WinRAR malicious too[/QUOTE]
He's saying that if you give ISPs the power to block software from running on your computers, it will be used for censorship.
To be honest, if I'd see this
[img]http://posterous.com/getfile/files.posterous.com/temp-2011-07-20/naysxazlcdJmuredhfmnzdnAfpFFezDlFzBtvtrIAmAEnACecjnwFBiqvDcb/google_malware_warning.png.scaled1000.png[/img]
I'd think the message was from malware itself
I've never actually seen the capture but yes, CloudFlare is pretty amazing. I'm going to give them a go on a few of my sites :downs:
I can't say I've seen one of the CloudFlare messages, but I didn't know what CloudFlare really was
Thanks for the info, OP!
So how does it (and the new Google thing) detect if malware is messing with your connection?
And why would malware target connections to Facepunch, I can see viruses wanting to redirect searches and stuff but FP is pretty obscure in the grand scheme of the internet
Why CloudFlare?
This is why CloudFlare
[img]http://cold.netburst.co.uk/file/SS-2011-07-21_01.34.10.png[/img]
Filtered out 75% of the attack right there.
[QUOTE=garry;31235495]Also, if cloudflare says the forums are down - they are down. It isn't lying. It isn't causing them to be down. It's simply telling you that they're down.[/QUOTE]
I really hope people already understood that
[QUOTE=Zeke129;31236953]So how does it (and the new Google thing) detect if malware is messing with your connection?
And why would malware target connections to Facepunch, I can see viruses wanting to redirect searches and stuff but FP is pretty obscure in the grand scheme of the internet[/QUOTE]
Ever wondered why Facepunch used to be slow occasionally? There's a few possible explanations, and one is an attack. Attacks generally use zombie bots; controlled by malware.
Honestly when I first saw this I thought I had gotten a virus. You know how when visiting some websites it will pop up a screen with a false virus scan? I thought this was like that. But it kept popping up on Crafthub and here so I did the captcha and got in.
usually for me though all I have to do is reload the page and I can get to the address.
Well thanks for using cloud flare on your website to keep the experience for the non-infected people good. Now that has been said we need to kick people off the internet if they are to be infected, funny thing nowadays malware is hard to detect by the normal user without anti-virus software. Though this would be interesting if someone was to try to view the site but get kicked off and try to sue. What is even more interesting to see that out of eight million visits seventy five percent of that was bot traffic really shows that such services are needed.
[QUOTE=rsa1988;31237019]Well thanks for using cloud flare on your website to keep the experience for the non-infected people good. Now that has been said we need to kick people off the internet if they are to be infected, funny thing nowadays malware is hard to detect by the normal user without anti-virus software. Though this would be interesting if someone was to try to view the site but get kicked off and try to sue. What is even more interesting to see that out of eight million visits seventy five percent of that was bot traffic really shows that such services are needed.[/QUOTE]
That's really what CloudFlare and google are doing. Malware is easy to detect from the server end; because of how the client acts towards the server.
Blocking completely isn't really an option - too many possible false positives. Raising awareness is the best option really.
[quote]What is even more interesting to see that out of eight million visits seventy five percent of that was bot traffic really shows that such services are needed.[/quote]
Well, that was during an attack. I'll show you a graph from a regular site that wasn't under attack at the time.
[img]http://gyazo.com/9977a729c6f0877917bebc8c41cee6cc.png[/img]
Cool stuff, I support everything CloudFlare does all the way.
[QUOTE=BrQ;31236550]To be honest, if I'd see this
[img]http://posterous.com/getfile/files.posterous.com/temp-2011-07-20/naysxazlcdJmuredhfmnzdnAfpFFezDlFzBtvtrIAmAEnACecjnwFBiqvDcb/google_malware_warning.png.scaled1000.png[/img]
I'd think the message was from malware itself[/QUOTE]
The line is blurring between illegitimate and legitimate warnings. Google, being as smart as they are, should come up with something a bit better.
[QUOTE=FlapadarV2;31237106]Malware is easy to detect from the server end; because of how the client acts towards the server.[/QUOTE]
Can someone explain this in detail because I'm curious
I have to admit, while I've never had these notifications myself, I would actually think that it was the malware itself or that the server was compromised with that warning. I can see the benefit of it, but there's I guess a certain defensive mechanism ingrained into most of us by now.
if you think the message is malware then isn't it doing its job?
it's not like google's going to get hacked and spread malware around
Good read; I have to admit I wanted to blame CloudFlare for the downtime even though I knew it wasn't to blame. :v:
[QUOTE=Zeke129;31244748]Can someone explain this in detail because I'm curious[/QUOTE]
Most malware infected computers will be used to DDoS websites.
[img]http://gyazo.com/723a5d2fc93a605d24ce912f2fcacd36.png[/img]
A stupid number of hits in a small amount of time. Either that, or it will attempt to find exploits (a common one is to scan /phpmyadmin/ on servers to try to exploit that) and other such things. This would get it flagged as a bot, so any normal behaviour on a site the actual person visits would give them a warning.
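The two server-side signals named in the post above (a burst of hits in a short time, and requests probing /phpmyadmin/), run over an access log. This is an added example, not part of the original thread and not CloudFlare's code; the thresholds, log format and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for illustration; not CloudFlare's actual rules.
WINDOW = timedelta(seconds=10)     # sliding window per client IP
MAX_HITS_IN_WINDOW = 20            # more than this in WINDOW counts as a flood
PROBE_PREFIXES = ("/phpmyadmin",)  # the probe path mentioned in the thread
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

def parse(line):
    """Parse one Common Log Format line into (ip, time, lowercased path)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path.lower()

def flag_clients(lines):
    """Return {ip: set of reasons} for clients that behave like bots."""
    recent = defaultdict(deque)   # ip -> timestamps still inside WINDOW
    flagged = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip malformed lines instead of crashing
        ip, when, path = rec
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > MAX_HITS_IN_WINDOW:
            flagged[ip].add("flood")
        if path.startswith(PROBE_PREFIXES):
            flagged[ip].add("probe")
    return dict(flagged)

def _line(ip, second, path, status=200):
    ts = datetime(2011, 7, 21, 1, 30) + timedelta(seconds=second)
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample log (documentation IP ranges): a flooder, a prober,
# an ordinary visitor and one malformed line.
SAMPLE = (
    [_line("198.51.100.7", i // 5, "/index.php") for i in range(40)]
    + [_line("203.0.113.9", 3, "/phpMyAdmin/index.php", 404)]
    + [_line("192.0.2.44", s, "/forums/") for s in (0, 15, 42)]
    + ["garbage line"]
)

if __name__ == "__main__":
    print(flag_clients(SAMPLE))
```

The ordinary visitor at 192.0.2.44 is never flagged, which is the false-positive side of the trade-off discussed earlier in the thread: a lower threshold catches slower bots but starts challenging real users.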