Mitigating a DoS attack with GoAccess and Cloudflare

Cloudflare Under Attack Mode

In this off-topic post, I’m going to discuss some behind-the-scenes “fun” that may happen when managing the web server used to host the CNX Software website. From time to time, the server becomes unreachable, but I can still access its console, and I notice a very high CPU load (over 100) on a VPS with four cores, while the CPU load is typically 0.5 to 2 under normal circumstances. That’s usually due to a DoS (denial of service) or DDoS (distributed denial of service) attack, or some bug I can’t identify. An easy way to solve this issue is to log in to Cloudflare and turn “Under Attack Mode” on. It shows all visitors a JavaScript challenge the first time they visit the website, and the CPU usage typically drops back to a normal level within a minute or so. That means I can access my website, and so do regular […]

GL.iNet Slate OpenWrt Travel Router Supports Tor, Wireguard VPN, and Cloudflare DNS over HTTPS/TLS

GL.iNet Slate

A couple of months ago, we wrote about the GL.iNet Mudi portable WiFi router with built-in 4G LTE connectivity and support for features such as the Tor Project, up to 25 VPN providers, and Cloudflare DNS over HTTPS or TLS. Mudi was launched on Kickstarter and should start shipping very soon, but I was informed about another OpenWrt travel router from the company: GL.iNet Slate also supports many of the same features, but does away with built-in cellular connectivity and battery.

GL.iNet Slate (GL-AR750S-Ext) router specifications:
SoC – Qualcomm QCA9563 MIPS 74Kc processor @ 775MHz
System Memory – 128MB DDR2
Storage – Dual flash: 16MB NOR + 128MB NAND; microSD card slot up to 128GB
Networking
  Ethernet – 1x Gigabit Ethernet WAN, 2x Gigabit Ethernet LAN
  WiFi – Dual-band 802.11 b/g/n/ac (WiFi 5) with transmission rates up to 300Mbps (2.4GHz) + 433Mbps (5GHz); 2x 2dBi external antennas
3G/4G – Optional via cellular USB […]

Optimizing JPEG Transformations on Qualcomm Centriq Arm Servers with NEON Instructions

Arm servers are already deployed in some datacenters, but they are pretty new compared to their Intel counterparts, so at this stage software may not always be as well optimized on Arm as on Intel. Vlad Krasnov, working for Cloudflare, found one of those unoptimized cases when testing Jpegtran – a utility performing lossless transformations of JPEG files – on one of their Xeon Silver 4116 servers:

and comparing it to one based on Qualcomm Centriq 2400 Arm SoC:

Nearly four times slower on a single core. Not so good, as the company aims for at least 50% of the performance, since the Arm processor has double the number of cores. Vlad had previously done some optimization on the Intel processor using SSE instructions, so he decided to look into optimizing the Arm code with NEON instructions instead. The first step was to check which functions may slow down the […]

Cloudflare Introduces 1.1.1.1 Privacy-focused DNS Service with DNS over HTTPS and DNS over TLS Support

The web is becoming more secure as more and more websites leverage HTTPS, which also improves privacy, since the only nodes that know which exact page you are accessing should be your computer/device and the server running the website. If you’re using a search engine, it will also know, and may keep track of your search history depending on which search engine you use. One thing that’s still often unencrypted is DNS requests, which convert a website name into an IP address. The DNS servers are also often provided by your ISP, so while they may not know which exact page you’ve accessed, they can still keep track of the websites you’ve visited. Depending on where you live, your government may also block DNS servers in your country during “periods of instability”, so third-party DNS services can be useful, for example 8.8.8.8 or 8.8.8.4 from Google, and now 1.1.1.1 or 1.0.0.1 from Cloudflare, […]

Help Testing TLS 1.3 Compatibility for a More Efficient & Secure Internet

Transport Layer Security (TLS) is the protocol that allows for secure websites (via https). Currently, TLS 1.2 is the most commonly used version, with 1.0 and 1.1 still supported by many servers, including the one running this blog, for backward compatibility with older browsers. TLS 1.3 is the next version, already supported in libraries and server software such as wolfSSL and nginx, and promises to be more efficient – important for battery-operated devices (IoT) – thanks to features like zero-RTT (0-RTT) mode, faster thanks to a restructured handshake state machine, and more secure. However, changes in a security protocol may break connections with some browsers or middleboxes, as I experienced when I enabled https on CNX Software using Let’s Encrypt with nginx and Cloudflare, with around 0.5% of users losing access because they were using older web browsers and operating systems such as Internet Explorer on Windows XP. According […]

Installing Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

I’ve been using an SSL certificate for the download subdomain of this blog running ownCloud for about 2 years, but recently my free StartSSL certificate expired, and I had trouble renewing it. I also received an email from Google telling me that “Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode”. So I decided to use free Let’s Encrypt SSL/TLS certificates to replace the one on the download subdomain, as well as on this main blog. Such SSL/TLS certificates are also very useful for the IoT gateways many of us have started using, and I found it’s even simpler than installing a self-signed certificate, so there’s no reason to use those anymore. The easiest way to install a Let’s Encrypt certificate is by using Certbot, with instructions for various […]

Migrating a WordPress Blog from Apache2 to Nginx

This blog is hosted on a Linode VPS with 512 MB RAM running Ubuntu 11.10. Up until today, Apache2 was the web server, and it worked fine except that sometimes it reached connection and memory limits, and the blog would go offline for a short period of time, especially right after a new blog post. So this weekend, I decided to switch to the nginx (pronounced engine-x) web server, which is said to use less memory than Apache2. Let me know if something suddenly stopped working… nginx is a relatively recent web server, and the documentation on the web seems to become outdated pretty fast, so I’ve decided to document what I’ve done. The first thing I would recommend is to try it on your own local server first, and make sure most things are working, including plugins.

Testing your WordPress blog with nginx on a local server

I run Ubuntu […]
