Just looked at the anonymous analytics I collect on the security/privacy blog.

No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing.

Directory Traversal attacks. Really? 🤣

Nice try, guys.

Need new plan of attack lol

Gonna try loic next with permission @linuxxx

Awww, I didn't know you were inviting people to get creative. :)

@windlessuser If you try it at low settings, I don't mind as long as you inform me when you'll do it and wait for an okay :). It's good to do security tests! (I just have to make sure that I'll be at my monitoring system haha)

@windlessuser Testing myself right now, at 800 connections sending in hellfire and the CPU load doesn't go above 1 percent xD

@MrJimmy Of course! One thing I've learned from pentesting since I was 15 is that the best way to test security is to do real life attacks.

I don't mind if people perform security tests, hell, I'd do it myself!

In case of DDoS attacks I do like to watch it live to see if everything holds. Of course that won't happen irl probs (seeing it happening live) but it's a responsible way of testing imo.

Next to that, the only thing I ask is to report found security flaws instead of abusing them. If you do that, I'll thank you rather than getting angry :)

@MrJimmy Right now I'm actually under DDoS for real but it looks like the server is holding it very well :)

I went with NetData, let me upload a partial screnshot of what I just witnessed :) @MrJimmy

@linuxxx holy shit! That must be so fun to watch hahah! Knowing that the system you built/configured is working perfectly as intended. Cheers!

@MrJimmy @hacker

@linuxxx interesting. Interesting indeed.

@hacker Normally I get around 50- connections. My own DDOS attack made it to nearly 1K connections :)

@linuxxx what about this anonymous analytics you have going on. I'd love to implement something like that for my site. Any suggestions?

I just have some values in Redis which I increase on every site visit :)

So what were the stats so far?

@MrJimmy I think it's the server itself which can easily keep up. I'm currently doing a heavy load test again. (I rent this server solely for devRant stuffs and I've got 14gb ram so I'll be fine I think for now :)

@JoshBent Nearly at 1K visits now :)

@MrJimmy @hacker Just flooded myself with about 100K connections and I started to get time-outs haha. Going to look into how to block those kinda attacks now :)

@linuxxx oh haha! That's cool. Also, look into Client.js (you can store the info you get in a db).
You can get more information about visitors this way if you want, anonymously of course.

@MrJimmy Please do, would be awesome! In the mean time I'm trying to fine-tweak the firewall/ids haha

@linuxxx Now I see why my connection is rejected. ;_;

@Awlex Currently I fucked something up in nginx's config so my whole web server is down, working as fast as possible to find this freaking issue 😅

@Awlex Fixed, should be working again!

Are you using a CDN/Caching system?

If not, you should look into it... It can lower the db connections on high traffic/DDoS attacks.

Edit: care to share the url? :D

@bas1948 The entire cms works with Redis which is a caching system :). No CDN, I want to keep the requested files etc under my own control for privacy/security reasons.

@bas1948 https://much-security.nl :) (new url will be released tonight I think ;)

@hacker I'm wondering how it gathers the IP address and the geo ip data? Both those things are a no-go for me ;)

@linuxxx hahah, I knew you'd say something about that. Well, first of all, don't worry. I specifically made it so the client is anonymous. No one but you can see that information (not even me).
I made my own Promise function to fetch that data from a public API :)

Well, I admit to watch a live report like this 😂

@linuxxx Your resources aren't returning a caching header.. Correct me if I'm wrong, but I believe that instructs the browser to fetch them everytime

Anyway, I also host my own files on S3 but serve them through cloudfront.. A win win solution :)

May I also ask why you're fetching data through a get parameter?

@bas1948 I honestly have no fucking clue.

I'm a linux engineer/backend programmer and I never deal with this kinda stuff xD

@linuxxx would you be interested in the idea of caching the site's static content (CSS and what not)? Doing so would greatly improve the performance/speed of the blog.

Well, you now have something to research I guess(no pun intended :D).

I suggest using post parameters instead of get, and definitely use post ID's to fetch data rather than a string.. Strings are a recipe for disaster..

@bas1948 Yup will do :)

Why are strings a disaster though?

@hacker Yeah sure! Would caching make that new versions will be downloaded from the server anyways though?

@linuxxx yep, caching means static resources will be saved on the client's pc until the header expires.. Or if you change file name.. E.g style.css?v=1

As for strings, I meant plain text... Sorry.
For instance a unique hash is unique and shouldn't cause problems, but let's assume you want to add another introduction.. You'd fetch it as ?post=introduction2 ??
Doesn't make sense and it is confusing..

Ps: sorry if my explanations aren't clear, haven't slept for the past 3 days.

@linuxxx I agree with @bas1948. Your static files can be updated using different file names. Look up "cache busting", people have come up with pretty clever ways.

And also, @bas1948, you really should go to sleep, man.

Is this a challenge?

@linuxxx Should we fund a Mirai DDOS attack? 😋

Or whatever its successor is called again.