ee9d9 - 3d
And my relay went down again. Folks are using Cloudflare Workers to perform attacks and scrape the heck out of websites (not new or Nostr-specific, they just hit my relay hard this weekend). If you don't use Cloudflare Workers, do yourself a favour and deny all traffic from 2a06:98c0:3600::103.
nostr:nprofile1qqsw9n8heusyq0el9f99tveg7r0rhcu9tznatuekxt764m78ymqu36cpr3mhxue69uhhyetvv9ujucnfw33k76twwpshy6ewvdhk6tcpzdmhxue69uhhwmm59e6hg7r09ehkuef0qy2hwumn8ghj7un9d3shjtn4w3ux7tn0dejj7ne6u4e, nostr:nprofile1qqst6jhruelzn9jdf9qhyfsac3fetjyld0fwwary9cmxzfchrhacragppemhxue69uhkummn9ekx7mp0qy2hwumn8ghj76n9d3k8jenfwd5zumrpdejz7yj9f6t just giving you both a heads up. Over 500k requests from this ip in the 24 hours prior my relay crashing.
I've opened an abuse ticket. Their forums are filled with folks facing the same issue. Cloudflare customer support only starts caring when your company is spending over $10K USD per month with them (speaking from experience, I got the VIP treatment while working at "too big to fail inc", but also had to deal with them on a $20/month plan. I’ve already shared a few horror stories with you, like the time they just decided to block all videos on my Mastodom server). In short, they’re aware of it: - https://community.cloudflare.com/t/urgent-malicious-requests-coming-from-cloudflare-workers-2a063600-103/809347 (recent) - https://community.cloudflare.com/t/how-can-i-block-2a063600-103-at-waf-level/651073/40 (2024) - https://community.cloudflare.com/t/is-it-safe-to-block-2a063600-103/321899 (2021) I don’t like blocking useful services like this, as folks on Nostr might be building legitimate stuff using Cloudflare Workers. But at this point, it’s really the lesser of two evils. Even though my firewall detected the abuse and was returning 429s to all requests, the sheer volume of requests was still enough to take everything down.
semisol @semisol - 3d
Try looking at the Cf-Worker header and blocking based off of that. Need an entirely new account or a name change (not sure if it is rate-limited) to bypass it. My services have `noswhere.workers.dev`, let me know if you experience any issues.
ee9d9 - 17h
Yeah. This is a bizarre one. And it has increased substantially. I had like 500k hits the very first day. Yesterday it was over 10m.
ee9d9 - 16h
If you can keep a list of CF-Worker headers, the more people reporting the script kiddies the better. Some traffic may be legitimate like Semisol stuff above. But on my side the fast majority of traffic are WordPress, router and admin panel attack attempts. The more people reporting those folks the better. At some point CF will have to connect the dots.
ee9d9 - 15h
GM folks. Just sharing this again for Nostr operators in the European time zone. It is getting worse. I had over 10 million requests on my personal relay yesterday. Several other folks operating Nostr infrastructure have confirmed the same. Coincidentally or not, I’ve been seeing both clients and relays going on and off over the past few days. nostr:nevent1qqs8u28ef975y9y24ekhs86galvr7a93n0a7aykgrl0e208hqqa6gvcprdmhxue69uhksctkv4hzuctrvd5k7mre9eek7cmfv9kz7q3qa6we08n7zsv2na689whc9hykpq4q6sj3kaauk9c2dm8vj0adlajqxpqqqqqqzdtejsl Cloudflare seems to be doing jack squat to mitigate the attack so far. So, if you haven’t blocked Cloudflare Workers from reaching your relay yet, I sincerely recommend you do. Also, if possible, keep a list of Workers hitting your infrastructure, remove legitimate traffic as best as you can, and keep reporting it to Cloudflare. At some point, they’ll have to do something about it. #devstr #cloudflareWorkers #botsBeBotting
If you can keep a list of CF-Worker headers, the more people reporting the script kiddies the better. Some traffic may be legitimate like Semisol stuff above. But on my relay the vast majority of traffic are WordPress, router and admin panel attack attempts. The more people reporting those folks the better. At some point CF will have to connect the dots.
GM folks. Just sharing this again for Nostr operators in the European time zone. It is getting worse. I had over 10 million requests on my personal relay yesterday. Several other folks operating Nostr infrastructure have confirmed their servers getting hammered. Coincidentally or not, I’ve been seeing both clients and relays going on and off over the past few days. nostr:nevent1qqs8u28ef975y9y24ekhs86galvr7a93n0a7aykgrl0e208hqqa6gvcprdmhxue69uhksctkv4hzuctrvd5k7mre9eek7cmfv9kz7q3qa6we08n7zsv2na689whc9hykpq4q6sj3kaauk9c2dm8vj0adlajqxpqqqqqqzdtejsl Cloudflare seems to be doing jack squat to mitigate the attack so far. So, if you haven’t blocked Cloudflare Workers from reaching your relay yet, I sincerely recommend you do. Also, if possible, keep a list of Workers hitting your infrastructure, remove legitimate traffic as best as you can, and keep reporting it to Cloudflare. At some point, they’ll have to do something about it. #devstr #cloudflareWorkers #botsBeBotting
ee9d9 - 11h
It is getting better me as well. Still a lot of traffic, but maybe Cloudflare is finally mitigating it a bit, or maybe folks have realised that Cloudflare Wotkers aren't free and that after several million requests blocked my server isn't changing its answers :).
