Cloudflare is problematic for Tor users and privacy

@Firefishy it should be a requirement that users who configure cloudflare test all their changes in Tor Browser after every change.

Please download Tor Browser (it’s free), and write a post-change testing checklist.

1 Like

Can mCaptcha proxy survive a 12000+ Mbps DDOS on a 2000 Mbps uplink? UDP and TCP Syn Flood.

We have not switched on Cloudflare because we needed Captcha protection.

The large scale 11 March 2024 and 11 July 2024 DDOS for ransom were the reason. We are due a response to the police report in a few days.

10 Likes

Can someone link to the .onion address for the openstreetmap.org * website?

Onion Services have greatly improved security (including DDoS protection with built-in PoW), and I think this would solve the user’s issues while eliminating the DDoS risk from Tor users.

1 Like

Can mCaptcha proxy survive a 12000+ Mbps DDOS on a 2000 Mbps uplink? UDP and TCP Syn Flood.

There’s no reason it couldn’t. Load balance across a scalable number of proxies with a hashcash delay. That would take care of your issue, yes.
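The hashcash-style delay described above, written out as an added example (not mCaptcha's own protocol and not code from OSM or anyone in this thread): the proxy issues a challenge that is self-authenticating (HMAC over nonce, expiry and difficulty), so any instance behind a load balancer can verify a solution without shared state at issue time; the client brute-forces a counter until the SHA-256 digest has enough leading zero bits, and the verifier checks the MAC, expiry, replay and the work in that order so cheap rejections happen before the hash. The key, TTL and difficulty values are placeholders chosen for the demo.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# Placeholder secret for the demo; a real proxy loads this from config or a KMS
# and shares it across all instances so any of them can verify any challenge.
SERVER_KEY = os.environ.get("POW_KEY", "dev-only-key").encode()
CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)
NONCE_LEN, META_LEN, MAC_LEN = 16, 9, 32  # nonce | expiry(8) difficulty(1) | HMAC-SHA256


def _mac(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_challenge(difficulty, now=None):
    """Server side: return hex(nonce || expiry || difficulty || mac). Stateless."""
    expiry = int(now if now is not None else time.time()) + CHALLENGE_TTL
    payload = secrets.token_bytes(NONCE_LEN) + struct.pack(">QB", expiry, difficulty)
    return (payload + _mac(payload)).hex()


def leading_zero_bits(digest):
    """Count leading zero bits of a digest (the hashcash 'work' measure)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve(challenge_hex, max_iterations=1 << 24):
    """Client side: brute-force a counter whose digest meets the difficulty."""
    payload = bytes.fromhex(challenge_hex)[:-MAC_LEN]
    difficulty = payload[-1]
    for counter in range(max_iterations):
        digest = hashlib.sha256(payload + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter
    raise RuntimeError("no solution within iteration budget")


class Verifier:
    """Proxy-side verifier; the spent-nonce set stands in for a shared cache with TTL."""

    def __init__(self):
        self._spent = set()

    def verify(self, challenge_hex, counter, now=None):
        now = now if now is not None else time.time()
        try:
            blob = bytes.fromhex(challenge_hex)
        except ValueError:
            return False
        if len(blob) != NONCE_LEN + META_LEN + MAC_LEN:
            return False
        payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
        # Cheap checks first: a forged or tampered challenge never costs us a hash.
        if not hmac.compare_digest(mac, _mac(payload)):
            return False
        nonce = payload[:NONCE_LEN]
        expiry, difficulty = struct.unpack(">QB", payload[NONCE_LEN:])
        if now > expiry:
            return False
        if nonce in self._spent:
            return False  # replayed solution
        digest = hashlib.sha256(payload + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) < difficulty:
            return False
        self._spent.add(nonce)
        return True


if __name__ == "__main__":
    verifier = Verifier()
    challenge = issue_challenge(difficulty=16)
    start = time.time()
    answer = solve(challenge)
    print(f"solved in {time.time() - start:.3f}s, counter={answer}")
    print("accepted:", verifier.verify(challenge, answer))
    print("replay accepted:", verifier.verify(challenge, answer))
```

The difficulty is what the proxy would raise under load: each extra bit doubles the client's expected work while verification stays at one hash. This only gates requests that reach the HTTP layer; it cannot shed a UDP or SYN flood that has already saturated the uplink in front of the proxy.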

Sometimes we as individuals have to adapt to a new reality

“I don’t want to change the way I do X” is an entirely natural reaction, but unfortunately sometimes the world does change and we need to adapt to it

I think you’re missing the point. This isn’t just “I wanna do X :'(”

This is, in many cases, “I have to use Tor because my life would be at risk if I didn’t”

There are countless at-risk users around the world who must use Tor for all Internet activity to protect themselves and/or their families. Examples of such groups include:

  1. Refugees (eg escaping gang, State, or domestic violence)
  2. Journalists (eg reporting on gangs, corruption, or oppressive regimes)
  3. Whistleblowers (eg providing information to journalists above)
  4. Activists (eg pro-abortion-rights or environmental activists)

Unfortunately, every year numerous people are assassinated in the above at-risk groups [1][2][3]. As an Information Security consultant, I’ve trained such users to use TAILS so that all of their internet traffic is protected with Tor.

Using Tor is the best way for at-risk users to stay safe when using the Internet

2 Likes

OpenStreetMap.org services continue to be available via the Tor network. If you are using a client which supports alt-svc your access will work undisrupted.

If you are using public low-trust Tor exit nodes to access osm.org, you will be required every few hours to solve a Captcha.

3 Likes

Respectfully, there is absolutely no way 12000+ Mbps of traffic can fit in a 2000 Mbps pipe regardless of what software proxy is used on the downstream link. The software isn’t the bottleneck. Our uplink was completely unusable during the DDOS including by us sysadmins who couldn’t even ssh into our services because of the 80% raw packet loss.

Our only access to our servers was via 4G (cellphone based) backup out-of-band access link running on a raspberry pi.

6 Likes

Many pipes, geographically distributed. If cloudflare does it, you can do it. There’s no technical limitation here.

Besides the haproxy-protection recommendation above (whose use I can’t detect in the wild), afaik the most widely-deployed, in-house DDoS protection these days is EndGame

I don’t necessarily suggest using EndGame for OSM. It’s just one more example of a very successful, privacy-preserving, self-hosted DDoS alternative to CloudFlare.

… and so, presumably, can you @maltfield ?

OSM has tended to be a “do-ocracy” where people who say “you shouldn’t do it like this, you should do it like that” get challenged to “go and do it like that themselves”. If you really can set up a better solution to this problem than is currently in place, please do exactly that. When you’re able to demonstrate that, I’m sure the OPS team would be delighted to talk to you.

4 Likes

That sounds like a fun project :) What’s the budget for the infrastructure? Where can I apply for ops access?

I think the lower hanging fruit would be to setup a .onion site. I’ve done this before for many other websites, and I’d be happy to do it for OSM.

2 Likes

Right. No technical limitations, but a massively large financial and technical person resourcing limit.

Our 2x 1000 Mbps uplink costs:

Interconnect: 2x €138 / month
IP Transit: 2x $330 / month

~ € 881 / month total.

We’d have to spend at least €5286 / month (on 12 month contract) to survive a similar sized DDOS attack.

Cloudflare spending currently €0 / month.

9 Likes

Yeah, going the cloudflare route is usually a financial decision. But please don’t say that privacy-preserving alternatives are not available. They’re just more expensive.

It would cost nearly nothing to run a .onion service, and I think this would solve everyone’s concerns.

1 Like

You are mixing concerns. Running a .onion service and a temporary pragmatic solution to protect ourselves from a DDOS attack are unrelated issues.

Tor access is disrupted for a tiny % of OSM mappers. As mentioned earlier in the thread, please use the DNS workaround if you are technically minded and want a workaround to the Cloudflare captcha.

2 Likes

I’m saying running a .onion service solves both problems:

  1. We can provide the .onion site with direct access to the webserver(s), bypassing cloudflare (and thereby protecting at-risk users)
  2. We don’t have to worry about DDoS attacks coming from Tor users to our .onion site, because it has built-in PoW for DDoS protection of Onion Services

1 Like
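As an added illustration of the two points above (a configuration example, not OSM’s setup and not anything posted in this thread): the onion service forwards straight to the origin web server, and the proof-of-work and intro-point rate-limit defences are switched on in the same torrc. The directory path, backend address, onion hostname and the nginx line are placeholders; the numeric values are tor’s documented defaults, written out so they are visible.

```text
# torrc fragment -- needs tor 0.4.8 or later built with PoW support (--enable-gpl)
HiddenServiceDir /var/lib/tor/osm_onion/
HiddenServiceVersion 3
# Onion port 80 goes directly to the origin web server, bypassing the CDN
HiddenServicePort 80 127.0.0.1:8080

# Built-in proof-of-work defence: when the introduction queue fills, clients
# must attach a solved puzzle; required effort rises and falls with load.
HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 250
HiddenServicePoWQueueBurst 2500

# Second layer: introduction points rate-limit INTRODUCE2 cells for this service
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServiceEnableIntroDoSBurstPerSec 200

# nginx, in the clearnet HTTPS server block, so Tor Browser offers the onion:
#   add_header Onion-Location http://<your-onion-address>.onion$request_uri;
```

The onion hostname appears in /var/lib/tor/osm_onion/hostname after tor first starts with this config. The PoW extension is negotiated only by clients running tor 0.4.8 or later (recent Tor Browser releases); older clients still connect but are simply queued behind those who solved the puzzle. As the post says, this protects the onion endpoint against floods arriving over Tor; it does nothing for the clearnet uplink.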

Confucius say, person who gets OpenStreetMap URL wrong probably not best qualified to pronounce on how to configure that domain.

9 Likes

Exactly this! One day I was complaining about the standard tile layer, and then @Minh_Nguyen made an off-hand comment about OSM US wanting to make an American style “some day”, and then in a heartbeat later I rage-created the OSM Americana map style.

Proofs of concepts are not expensive. I ran a global map style with continuous rendering in the cloud for “coffee cups per month” budgets, out of pocket. Once I figured out all the nuts and bolts, OSM US happily partnered with our team and now they pay the “coffee cups per month” budget for serving tiles. That’s what stepping up looks like in a decentralized project.

What I believe @SomeoneElse is suggesting, is to just do it, then show it working, even if you’ve gotta spend a couple bucks to set up a cloud services account somewhere. If OWG had to take the time to entertain every random well-meaning comment or suggestion about how they were doing things wrong, they’d never have time for server administration as I’m sure you can imagine. Stand up a working prototype that solves real problems? I think that’s something we’re all very interested in.

4 Likes

just do it, then show it working

Done. Let’s roll this out to OSM.

2 Likes

The technical issue is how do you handle a DDOS that exceeds your upstream bandwidth? More pipes is not a solution within the limitations of OSM’s scale.

2 Likes

“This article will describe how to point a .onion domain at your existing wordpress sites (on wordpress multisite)”

so it may be suitable for OSM Blog. Is it currently blocked while accessing from Tor?

Note that osm.org is not a wordpress site.

DDoS is not mentioned anywhere on that page. And you are confident your page can survive a 12000+ Mbps DDOS on a 2000 Mbps uplink? With UDP and TCP Syn Flood? Like @Firefishy mentioned in Cloudflare is problematic for Tor users and privacy - #22 by Firefishy ?

2 Likes