Other How to set up a local alternative to CloudFlare with FreeBSD?

Cloudflare is bad. I won't go into too many details, but those who understand -- understand. The goal is to see if it can be replaced for less or equal money and -- in case it can be done -- to understand exactly how to approach this task.

Why replace Cloudflare (tl;dr version)
  1. My estimate of what they'd charge is anywhere between $7,000/mo and infinity (this is based on my personal experience with them). I think maybe this budget can be lowered if Cloudflare is replaced with a local solution -- especially when projects grow and there's more traffic. But we'll start with $7,000/mo as our budget.
  2. Cloudflare holds private SSL keys to be able to snoop on traffic and be able to decide what to do with each request (side effect being: they see ALL traffic between your users and your website).
  3. Cloudflare allegedly DDoS-es websites until they either pay up or, at least, subscribe to their free tier (strategy is, basically, to beat you up until you give in and let them read your traffic -- or, in other words, it's a racket).
While some websites may be perfectly fine (understandably so) with all three bullet points above, there may be others where operational, business or jurisdictional requirements demand that the functionality Cloudflare provides be a layer that's controlled by the project administrators. Thus, the need for a Cloudflare alternative is not an ideological itch to scratch, but a necessity. Here's a list of what I think is needed (perhaps you can add some items or amend the list in some way).
  • DDoS protection: ip-address filtering and DB of ip-addresses, ASNs and their reputation
  • Auto-enabling protective measures upon traffic spikes (showing captcha, etc.) or when other conditions are satisfied.
  • Request filtering: filter attempts at SQL-injections, XSS and other requests that attempt to break into your app or infrastructure in some way.
  • Some kind of Web-UI to set up various rules for any given website the system is protecting. The UI doesn't have to be feature-rich, but there has to be a UI, because setting this up via command-line will, quite clearly, get very tedious.
I've stumbled upon a few projects, such as this Linux Distro, but I'd be much more comfortable understanding each piece of the puzzle, even if it takes me a bit more time to set up. Thus, my question: how would you go about setting up an in-house Cloudflare alternative on FreeBSD, given the $7000 budget? What software available on FreeBSD would be needed for this setup and what hardware requirements are we talking about (minimum viable setup)? And, finally, would such efforts be enough to make DDoS attackers go spend their resources some place else?
 
imho they scaled up at the right time, like YouTube, growing when nobody batted an eye about copyright violations, then grew so big you can't really launch a competitor site anymore without the biggest bag of money (and in the case of YouTube, having Google's bags of money helped a lot too). When DDoS attacks were still a more frequent event they provided a solution, and indeed with the pricing you mention they managed to grow to the size they are. They initially filter your DDoS traffic (UDP floods etc.) for free, then attackers switch to layer 7 attacks and you can't filter anything any more on your machines because all you see are Cloudflare IPs, and then the only option you have are paid options at Cloudflare. I've battled uncountable DDoS attacks for customers over time.

But I think one needs a lot more than a single 7000 USD customer to be able to handle the same kind of DDoS attacks; it takes quite a lot of equipment and big pipes to even start doing that correctly. Luckily there are quite a few providers now that can do their own DDoS filtering. So there are other options besides Cloudflare. Maybe piggybacking on their infrastructure for DDoS flood traffic is an option vs. doing it all by oneself.

e.g. https://blog.ovhcloud.com/the-rise-of-packet-rate-attacks-when-core-routers-turn-evil/

But besides floods of traffic, most attacks one can easily handle oneself. IP delegation files can be downloaded at RIPE; perform some lookup checks per IP range/ASN and decide which traffic you want, e.g. disallow hosting ranges, VPNs and so on. I've run a honeypot project/RBL service for the last 10+ years.

Showing a captcha and other techniques depend a bit on your needs, but there are plenty of ways to do velocity checks on the number of requests, and then force an IP to do additional checks to prove they are human.

Applying a whitelist approach for your website/application and binning all requests that don't match your whitelist (patterns) is typically the best approach. Also log these, and decide if you want to firewall those ranges.

For me, besides the huge floods of traffic, all attacks are easily handled. Attacker traffic typically differs in a specific way from legit traffic; it's always easy to find a pattern and start adding them to firewall tables to burn their packets. For some people being 'down' is unacceptable, but if you don't want to pay services like Cloudflare it's best to just wait it out, don't reply to emails from attackers, etc. Let them move on. The longer they run their attack the more hosts they will lose, because people will start to notice and clean infected hosts and/or devices. And then they lose resources without any 'return on investment'.
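The three checks described in the reply above (RIPE delegation lookups per range, a velocity check on request counts, and a whitelist of URI patterns with everything else binned and logged) in one small script, as an added example that is not part of the thread or of any project mentioned in it. It assumes the real RIPE delegated-extended line format (registry|cc|type|start|value|date|status|opaque-id), a pf table called `blocked` that is assumed to exist in pf.conf as `table <blocked> persist`, and a common-log-format web server log; the country code `XX`, the thresholds and all sample lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread: turn a RIPE delegated-extended
file into pf table entries, run a velocity check over access-log lines, and
bin requests whose URI matches no whitelist pattern.  Table name, country
code 'XX', thresholds and every sample line below are constructed/assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. RIPE delegated-extended -> CIDR blocks -------------------------------
# Real format: registry|cc|type|start|value|date|status|opaque-id.  For ipv4
# 'value' is the address count, for ipv6 it is the prefix length.  Constructed
# sample: the first line is the file header, the last is a summary line.
DELEGATED_SAMPLE = """\
2|ripencc|20240101|3|19830705|20231231|+0100
ripencc|NL|ipv4|192.0.2.0|256|19990101|allocated|abc
ripencc|XX|ipv4|198.51.100.0|512|20050101|assigned|def
ripencc|NL|ipv6|2001:db8::|32|20000101|allocated|ghi
ripencc|*|ipv4|*|1234|summary
"""

def delegated_to_cidrs(text, countries):
    """Return CIDR strings for ipv4/ipv6 ranges whose country code is in `countries`."""
    nets = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] not in ("ipv4", "ipv6") or f[1] not in countries:
            continue  # header, summary and other-country lines
        start = ipaddress.ip_address(f[3])
        if f[2] == "ipv4":
            last = start + int(f[4]) - 1  # value = number of addresses
            nets.extend(ipaddress.summarize_address_range(start, last))
        else:
            nets.append(ipaddress.ip_network(f"{start}/{f[4]}"))  # value = prefix len
    return [str(n) for n in nets]

# --- 2. velocity check over access-log lines ---------------------------------
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log: 203.0.113.5 makes 6 requests in 10 s, the others one each.
LOG_SAMPLE = [
    f'203.0.113.5 - - [10/Mar/2025:12:00:{s:02d} +0000] "GET /api/v1/items/{s} HTTP/1.1" 200 512'
    for s in range(0, 12, 2)
] + [
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /index.php?id=1%27%20OR%201=1 HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Mar/2025:12:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
]

def velocity_offenders(lines, limit, window_s):
    """Return IPs that made more than `limit` requests inside any `window_s`-second window."""
    times = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            times[m.group(1)].append(datetime.strptime(m.group(2), TS_FMT))
    offenders = set()
    for ip, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):            # sliding window [lo, hi]
            while ts[hi] - ts[lo] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 > limit:
                offenders.add(ip)
                break
    return sorted(offenders)

# --- 3. whitelist of URI patterns; everything else is binned and logged ------
ALLOWED_URIS = [re.compile(p) for p in (r"^/$", r"^/static/[\w.-]+$", r"^/api/v1/items/\d+$")]

def uri_binned(lines):
    """Return (ip, uri) for requests whose URI matches no whitelist pattern."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and not any(p.match(m.group(4)) for p in ALLOWED_URIS):
            out.append((m.group(1), m.group(4)))
    return out

def pfctl_commands(table, addrs):
    """pfctl invocations that would add `addrs` to an existing pf table (returned, not run)."""
    return [f"pfctl -t {table} -T add {a}" for a in addrs]

if __name__ == "__main__":
    ranges = delegated_to_cidrs(DELEGATED_SAMPLE, {"XX"})   # 'XX' stands for ranges we refuse
    fast = velocity_offenders(LOG_SAMPLE, limit=5, window_s=10)
    for ip, uri in uri_binned(LOG_SAMPLE):
        print(f"binned: {ip} {uri}")                        # log first, firewall later if wanted
    for cmd in pfctl_commands("blocked", ranges + fast):
        print(cmd)
```

The commands are only printed so the script can be read and run anywhere; on the FreeBSD box itself the IPs from the velocity check would be pushed into the table (with `pfctl -t blocked -T expire` to age them out again) while the binned URIs are kept in a log to decide, as the reply suggests, whether a whole range deserves a firewall entry.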
 
Thank you for the reply iRobbery
I think that's pretty much what I imagined I'd need to do. To clarify, I have no intention to launch a CloudFlare competitor. I would like to have working software that would be a replacement and could be run from my servers (and, thus, avoid handing SSL certificates to a third party). And I'm still wondering whether this software is something I can write on my own or whether it'd be prohibitively long/difficult to try and implement on my own.

I found these two projects yesterday: https://fastnetmon.com and https://www.bunkerweb.io (not endorsing or advertising by any means). Pricing seems very reasonable. I guess one would have to try them first. But really, I'm wondering how much time it would take for a senior developer to implement something similar.

And yes, thank you for the assumption that "not everyone needs to have a 100% uptime" -- I think I'll now be keeping this in mind constantly. I certainly think this requirement is self-imposed by many projects and is unnecessary -- at the cost of having to subscribe to CloudFlare. I find it hard to imagine I'd actually need 100% uptime and find it hard to imagine a DDoS attack bringing the site down for a few days would be a dealbreaker for the users.
 
I don't think the fastnetmon.com services are sufficient; from what I understand, perhaps I'm wrong, they can only handle 100 gbit? Sounds like a lot, but piss off the wrong black hat/script kiddie and they often control more than 100 gbit in DDoS power.

bunkerweb provides services I can do myself; it might be useful as a way of having a WAF (Web Application Firewall). They only seem to combine free services and software into a simpler solution to integrate; for the less savvy it might be nice to use, and if the web application you run isn't built in-house (no whitelist approach for your URI filtering, for example) it might be helpful. Or just to tick off some sort of compliance for some sort of certification. But the services they provide one can install oneself, e.g. modsecurity with OWASP rulesets, performing DNSBL IP checks on clients, etc.
 
Request filtering: filter attempts at SQL-injections, XSS and other requests that attempt to break into your app or infrastructure in some way.
In order to be able to do this you'd need to be able to get to the unencrypted traffic. You know, how cloudflare does it. Which is exactly the reason why you didn't like them:
Cloudflare holds private SSL keys to be able to snoop on traffic and be able to decide what to do with each request (side effect being: they see ALL traffic between your users and your website).
 