6:49 - It was DNS. RedShirtJeff.com

I feel your pain Jeff! Each time I released a video talking about self-hosting security I get DDoS'd

Currently on the Cyber Security road and it is amazing how much I have learned from this video, "DOCUMENT EVERYTHING".

Thank you Jeff for this very topical video. I've been doing IT since the early 90's (yes I am older than dirt) and DOCUMENTATION (often paper notebooks) is the best bit of information to take away for those who watched this video.

Hope no one hits my site with a DDos attack. Glad you made it. Thanks for sharing.

Who would have anything against a RaspberryPi guy? Big Arduino?

The nice thing about cloudflare tunnels, is that it turns an incoming connection into an outgoing connection. Which is pretty handy when you want to host a site and you're behind a CGNAT.

40 Mb/s Attack seems HUUUGE, Then I remembered the SpamHouse attack cloudfare protected, and it was somewhere along a 1 TB/s attack. Cloudfare is amazing AF!

Years ago already the adagio was that the only way to stop DDOS is making sure your pipe is bigger than theirs. There is no way around companies like Cloudflare who have the budget for those big pipes.

When I saw your video about the cluster on a farm I was curious as to why you didn't have it behind Cloudflare. I agree with the idea of not contributing to centralization, but there are too many bad apples out there to not have a layer of protection like Cloudflare IMO.

Bro! Awesome video! Love the shirt. I still plan on getting into IT professionally instead of just studying, and tinkering, and grumbling about every commercial setup I see or have problems with. Love the shirt and just bought one!

I once saw a server rack that had a glass window. There was a sign inside that read: In case of DDoS attack, break the glass and cut the cables.

Documenting everything is the type of advice that seems obvious but is easy to skip over. I wish I had documented it, but in the past I dealt with what appeared to be a pretty small DDoS attack that turned out to actually just be a clever way a virus was trying to phone home. The domain was a simple two word name, and what I seem to remember is that both of those words happened to be in an array the virus would use to build a long list of domains to try phoning home. The malicious party could easily come back after buying a different domain from the list if they were ever shut down, and I assume it made it harder to trace back to the creator since many of the randomly generated names were already owned by legitimate sites like mine. Since my memory of it isn't great I really wish I had followed that advice, because it was an interesting learning adventure.

10:53 I know the pain, it was 5Mbps up before I we switched from Comcast to Fidium now its 1Gbps up symmetrical with my down for half of what you pay.... which is nice.

*adds Jeff's website to the list of websites unreachable when cloudfare has an issue again* Would love to see a project of where you make your "own cloud flare" so it won't be affected by outages like half of the Internet at this point but still be protected

"I'm not an idiot" Red Shirt Jeff edited in "Debatable" I bet lmao

Yup, that thumbnail is 🔥 (And I've tried to get my team to adopt your "it was DNS" shirt for our team uniform, but so far no go.... 😉)

"How I survived a DDoS attack" - "I waited until they were done"

God bless you Jeff! We're all with you brother.

This video is amazing, some of us like to self-host things but that comes with risks we need to be aware of!

Several years ago, I had noticed my bandwidth taking a hit. I went into the network monitoring on my router and watched my router being slammed by requests. They were hitting the dynamic IP assigned to the router by my provider. Thankfully, only a slow connection was the only result.

I just stumbled in to your site, and at my green level of understanding,I am just terrified to use my devices at all. Just unplugged my internet and went to bed. May go old school off grid,yikes!!! what an education. thnx

It’s sad that most of the DDoS traffics are from my country. A lot of people here use pirated and questionable software on both their phone and laptops without checking it first. I had my home ISP address blocked, and later found out that one of my family member’s laptop were infected with trojan and participating in DDoS.

A "smart' device is as smart as its operator/firmware-updates, even then it can host backdoors (which can come to light using network monitoring tools). I really like your transparency/OpenSource mentality

you know what all these ddos attacks after years of never having a single one? YOURE MOVING UP IN THE TECH LIFE AND SHOULD BE PROUD!(: Good stuff Jeff cant wait for your next video

Hi Jeff, I'm not sure if you're aware but the Cloudflare tunnel client (cloudflared) is actually an open source project. It would also help fix your CG-NAT problem. I've not used kubernetes but dabbled with docker swarm for a little while so I'm assuming it behave in a similar fashion. On the swarm you can run an instance of cloudflared on each node meaning (as long as every pi has an internet connection) you're no longer reliant on 1 node for the ssh tunnel. Love the channel. Thanks

While doing our charity stream to fund the British Red Cross, we had about 10k requests/second on various public services. This went on for minutes, then stopped for a few minutes, then erupted like that again. This killed the Stream for several Minutes

Amazing video! Keep up the good work.

A question, could Cloudflare prevent this? Edit:Nevermind, I got the answer.

I hope you have your PI Cluster behind a Pf-sense Router to stop virus attacks and other types of attack.

Was it DNS?

I used to fight off so many attacks like this at major hosting companies. layer 4 attacks like syn floods should generally be handled by whoever hosts the VPS... but these layer 7 attacks are a different story. I am personally not a huge fan of cloudflare for multiple reasons, but I have had pretty good success with AWS's WAF. It can be very limiting in it's rule sets and only evaluates rate limits at like 1 minute intervals... which means someone can blast you so hard in that 1 minute time period so bad you can go offline, then do it again 5 minutes later lol... the struggle is real regardless.... great video and great insights.

Sounds like a tough day at the office but at least you've learned a lot about defensive measures.

Interesting. I was also thinking of what you've been sharing with the world in the spirit of open source. It's basically the documentation for your infrastructure made available to the public

Woo Jeff! thanks for the info hopefully we all can prepare for inevitable attack

Maybe you could do a cyber security basics video in the future. I found this video very insightful.

Cool info, thanks for sharing, well done :)

good tools to use 9:55

You should check out what Troy Hunt has done in terms of automating adding blacklist IPs based on attacks, using Azure functions iirc but the premise is the same. Use the reporting of CF to drive adding a blacklist entry. This is probably the most basic form of Security Automation & Response (SOAR).

"How I survived a DDoS attack" The DDoS wasn't big enough to knock you out then.

Great Video Jeff,

That IoT Device security part is exactly why I intend to run my devices locally. First of all I don't want to rely on different IoT Clouds which might be up to data security standards or not. And for sure I don't want to expose my devices to the internet where they could be breached and used to perform malicious attacks on other networks.

Why did Indonesia have the most traffic? Does that mean that Indonesia has the most infected botnet or something?

When you are as smart as Jeff, you can make a whole video on why your viewers are not able to view your website and gain even more views. Take that DDoS attacker. 😂

Very insightful. Thanks

@JeffGeerling - do you recommend using separate baremetal server(s) dedicated strictly to monitoring? I have some Zimaboards and a NUC collecting dust..

This is why I stay as far away from PHP as possible. Spawning threads like crazy under load is not what I like seeing. Very well reacted under the attack I would say, and Cloudflare saves more people's behinds than I can count when stuff hits the fan :) "DOCUMENT EVERYTHING!"

A DDoS attack is a common problem that occurs on a number of websites. Whenever I find that it takes a long time or I can not access a website on my computer I very often suspect a DDoS attack on the website. From other videos I have seen it costs extra money to handle these DDoS attacks and get a website back online.

Not CE talk! I've been playing with Cloudflare and considering it for my personal site.

Tbh, i allways tought that using a cdn im front of a site is more or less a must have. I blocked certain countries at cdn level , 75 - 80 % of my bad traffic is from rusia, belarus and ukraine

I like the thumbnail, It’s cool.

This video has been a great lesson, thanks for explaining everything Jeff! With more and more people using NAS machines, and running their own servers (not realising that what theyre doing by all those apps in their NAS's!) this is going to become more and more of a problem for everyday people, let alone those of us trying to secure HomeLabs.

When even a simple SHOUTcast server gets hit with "robots". There is nothing to gain there from a small community radio XD

Just set up my website on a small server in HK, 2 hours later, it got a DDoS attack. :(

Man. i am glad you survived!!

very imperative. good vid

Cloudflare. The biggest man in the middle attack till this day.

They probably used sapphire and a botnet

You have nginx, you can also put a ratelimiting with a nice mapping, this way you can prevent geting POST and die, of course if transactions were millions your nginx will die but still it need good amount of money, CF is free and nice choice for sure.

Thanks for sharing.

I need a shirt that says "It was the MTU"

They use small package packs to preform definate denial of service freezing my stuff and crashing it. And I have to start over at the last save.

Happened to me. My solution was inverting the anti tachyon particles in the bio neural gel packs.

Correction, Cloudflare does NOT have thousands of DDOS scrubbing pops, they have about a dozen. Now they do have thousands of POPs but most are virtual and serve assorted functions within their CDN. Because Cloudflare architects their CDS in multiple hub and spoke segments, what happens is that when you ingest into their CDN the service you are paying for will re-direct the ingress traffic to the appropriate pop. Ingest into the CDN is based on Geolocation and then it will be routed accordingly based on routing metrics to the DDOS service.

Thanks for all the useful info Jeff! Can I point out one tiny thing though? The label on that Hue Bridge should spell "Philips Hue", so not "Phillips" like the screwdriver. 😉

I would love a video on your monitoring tools

smack filters works for me!

Around 2010, I started a small little community with a few friends and later other people that came by. The gist of the situation was that the place I originally frequented was going through some drama because of a ban-hammer slinging, stoned to the moon admin. It was, in hindsight, quite a funny situation but rather anoying back in the day. A while after I had made the community, running with Yii 1.x and other PHP software like AJAXChat, I was hit with a multitude of DDoS attacks whilst on vacation in Egypt - and it suuuuuuuuucked. Have fun using weird pseudo-SSH clients on random websites to log into your server to look at whats up because you can't install anything on a PC in an internet cafe. And we are talking 2011, webapps - as we know them today - and things like Electron were still pipedreams. During that, I eventually ended up using CloudFlare myself but also learned, that some server providers - i used Hetzner at that time - sometimes have the ability to null-route traffic. So while I had my server recover, I had all traffic null-routed, turning my server into a black box for a few hours and accessing it later using a KVM-over-IP solution given by the DC staff. So far, CloudFlare has been my mainstay for DNS management and they have a few solid and good features. But without a good CDN, running a website off your own lonesome server can be a nightmare. Configuring rate limits per IP is one way, but usually not the best. I learned that a hardware firewall can be a figurative live-saver - because that is what Hetzner used when null-routing my traffic. So far, I have not seen other services like CloudFlare, and since I joined them they have grown tremendously. Fun fact, did you know that at some point CloudFlare itself was used as a DDoS puppet? xD Turns out that there was a mailserver bug that was abused, i think it was SMTP - and later an NTP related issue, that would allow an attacker to fake the destination address of a paket and thus utilize a gigantic network in their stead to send traffic. And CloudFlare ended up becoming the butt of that joke momentarily. Poor whoever-got-hit-by-that xD...their network is big. Hopefuly, in the future, Cloudflare, AWS and Google Cloud and Azure aren't the only platforms out there to make average websites more secure and provide good DNSes and caches. But man, did I ever giggle when I heared you describe the issue, because I FELT THAT. xD

There are unlimited 4G / 5G connections in Europe, the fee is modest ~ €30 per month. The operator already filters out DDos from there.

thank you for the info.

The problem is when is not a website, and you are a provider of services and try to protect your company or customers. In my country, kiddies are ddosing services of customers mostly daily and that's a problem, what only datacenter can mitigate or try yourself, if datacenter will not block you. So what is a good way to protect the servers without cloudflare, because it's not available for IP:PORT (custom port)?

Who would win in a celebrity geek match? Jeff Geerling vs ExplainingComputers ???

There's couple of reason of why Indonesia increased in becoming source of DDoS. Our gadget and device usage increased exponentially in these few years. This increase unfortunately not followed by good security practices and possibly increase the possibility of infected device with malware or botnet. Beside that, there's a recent booming of cheap Cloud VPS with hourly rate. That can be registered by any user from the world without any identification assessment. Some even priced like $0.0047/hr, and of course they have API Access. Imagine that the actor can easily deploy thousands of new instance armed for DDoS and redeploy after each hour to get fresh IP in fraction of dollars and easily joined again if got suspended.

New shirt idea It was "smart" devices.

Bungie needs this rn bruh.

I have a dream, that you make a tutorial about openmediavault 6 hardening. Firewall configuration and more.

Oh my gosh. I know a bit about networking around the house and setting up a few lan servers.. but I wouldn't even know where to start blocking a DDoS attack. I'd probably just pull the plug.. which is very effective but, well, .... a server without power isn't a server.

this is a great video!!!

just setup rule so it triggers after X amount simultaneous connections

Cloudflare Tunnel™ is also your friend. Reverse proxy for mere mortals.

You talk about cache busting but aren't responses to POST requests usually uncached?

For years I've been wondering about Cloudflare so I've looked into it a few months ago and made the switch. Now my personal domains are hosted and managed on Cloudflare making my life so much easier. Cloudflare e-mails me weekly reports about my domain's visibility on the internet. Also, using Cloudflare's family DNS to filter content on my home network.

if you have a paid plan at Cloudflare, you can open a support ticket and they'll provide you lots of valuable information about the attack so you can help Cloudflare block the requests in their firewall edit: it's also a great idea to add a JS challenge firewall rule for european countries that you can just enable whenever something happens

Have you tried POW mitigation?

I would like to take a course on networking in order to understand most of the terms in this video. What would you recommend Jeff? I'm open to books, online courses, anything that's worth it!

your website was down a few minutes ago (17:30 Paris time)

For making sure only Cloudflare accesses my site I use their Authenticated Origin Pull feature. Works like a charm and I don't have to update Firewall rules whenever their IPs change.

seeing "Indonesia" in the list of traffic is kinda scary, the hacker in my country maybe just testing it's attack for getting ready for russia's attack

I don't know what caching you have in place, but have you considered varnish as a frontend? also php-fpm has multiple settings which may be worth trying, like timeouts and limits to the threadpool.

*me hitting my own laptop based server with 10000 POST requests per second*

I Have watched nearly all of the videos you have posted and you talk a lot about documentation. Like in this video with when something happens document everything. How to you do this effective and efficiency? I understand logs, but you had a git issue on this like you are using git as a notebook of sorts. I would love to see a video on all the ways git can be used other than just for code. Currently I just use it for code. Never really thought about using the issue tracker for homelab stuff.

3k request sounds like a DoS with proxy

wow that traffic from indonesia, remembering internet literacy here is so low.

This was excellent

Even before I click the video. I knew Cloudflare inside this somewhere lol.

Why I don't tell or show people where my stuff is when they ask about how I keep it physically and digitally safe. So many people ask these dumb questions, it seems they don't want to do a basic Google search on solutions to their problem, or have malicious intentions.

Scary. This stuff is what keeps me away from cloud services. In this situation they probably scale up until I file bankruptcy :s

Average day in my life. But instead of pis I use and AMD EPYC as a host system, DDoS protection and cloudflare proxy. And fun fact: ARM CPUs can handle more requests per second than x86 CPUs. So for a proxy, a VPS with and ARM CPU and nginx can handle more requests

I know this would be pretty much impossible to measure or calculate... but i would love to know how much electric energy is wasted on ddos. Not only the bots doing requests, but the servers trying to deal with it.

DDOS/DNS attacks is one of the oldest trick in the book, mid Mars the Swedish bank identification system went down half a day, 'technical problems they stated'... Wells someone with a lot of machines in control, stated this DDos attack.