from Hacker News

Sourcehut and Codeberg are both currently experiencing a DDoS attack

by smlavine on 1/11/24, 9:53 PM with 141 comments

  • by tpoacher on 1/12/24, 12:27 AM

    There have been a few of those for sourcehut ... makes you wonder wth is going on ...

    In one of the previous ones, they said there was high suspicion it related to 'hatred against a transgender developer in the company' or something like that. Like, who the hell targets a "company" because of an employee who works there you don't like ...

  • by nine_k on 1/11/24, 11:38 PM

    A ton of source code that is stored on Sourcehut and Codeberg is also likely replicated over dozens or hundreds of other machines.

    I wonder if something like the BitTorrent protocol could be used to keep a repo accessible without directing all the traffic to one site. Take a magnet link to a particular repo and commit, receive the complete branch eventually. Now serve these commits to other peers. That would be rather harder to DDoS or censor.

    (This, of course, ignores other aspects of forges: CI/CD, releases, packages, etc. Issues and even code reviews can be branches, too; such tools exist, and e.g. Fossil has them built in.)

  • by palata on 1/11/24, 10:16 PM

    Genuinely interested: who the hell pays to DDoS services like Sourcehut and Codeberg? :/

  • by rokkitmensch on 1/12/24, 12:43 AM

    I do wish folks would implement PoW ratelimiting. You can host the req'd JS on a CDN.

    I implemented this as a .NET lib (https://bvulpes.net/tarpit-a-proof-of-work-http-ratelimiting...) for obscure reasons, but an NGINX integration would really be ideal.
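
The proof-of-work rate limiting rokkitmensch describes, as an added example that is not code from this thread or from the linked .NET library: the server mints an HMAC-bound challenge, the client burns CPU to satisfy it, and the server checks the answer with one HMAC and one hash, rejecting forged, expired, replayed or wrong-client solutions. The secret, client id and difficulty values are constructed for the example; a real deployment would raise the difficulty as request rate climbs and share the spent-nonce set across workers.

```python
import hashlib
import hmac
import os
import time

DEFAULT_BITS = 16          # leading zero bits demanded; raise under load
_spent_nonces = set()      # replay guard: each challenge is redeemable once
SEP = "|"                  # field separator; "|" so IPv6 client ids with ":" stay intact


def issue_challenge(secret: bytes, client_id: str, bits: int = DEFAULT_BITS, ttl: int = 60) -> str:
    """Server: mint 'client|expiry|bits|nonce|tag'; the HMAC tag stops clients minting easy challenges."""
    expires = int(time.time()) + ttl
    nonce = os.urandom(8).hex()
    payload = SEP.join([client_id, str(expires), str(bits), nonce])
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + tag


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (all-zero digest counts every bit)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str) -> int:
    """Client (the JS a CDN would host): brute-force a counter until the hash has enough leading zeros."""
    bits = int(challenge.split(SEP)[2])
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter


def verify(secret: bytes, client_id: str, challenge: str, counter: int, now=None) -> bool:
    """Server: cheap check; solving costs ~2**bits hashes, verifying costs one HMAC plus one hash."""
    parts = challenge.split(SEP)
    if len(parts) != 5:
        return False
    cid, expires, bits, nonce, tag = parts
    expected = hmac.new(secret, SEP.join(parts[:4]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):                  # forged or tampered challenge
        return False
    if cid != client_id or (now or time.time()) > int(expires):  # stolen or stale challenge
        return False
    if nonce in _spent_nonces:                                   # replayed solution
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):                    # not enough work done
        return False
    _spent_nonces.add(nonce)   # record only after every check passed
    return True
```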

  • by masa331 on 1/12/24, 3:07 PM

    Outage statement from Drew: https://outage.sr.ht/

  • by qxfys on 1/12/24, 3:43 AM

    Wait. I thought the problem of being DDoS-ed is widely solved, i.e., just pick someone else (cloudflare, akamai, fastly, etc) to be the "proxy" of your site, and then let them defend the attack for you. No?

  • by ksjskskskkk on 1/13/24, 2:36 PM

    tinfoil hats on.

    mystery solved: in the coming days github will announce obligatory 2fa linked to a phone number.

    some Microsoft exec is betting his job that people will not just abandon github if they turn the heat on too hard on the slow boiled frog that is open source still hosted there.

    to offset that theoretical exec's fears that open source projects will jump ship, they spent the equivalent of one expensive dinner on ddos for hire to take the top competitors offline.

    this is not some coordinated evil plan at Microsoft, just something that someone with even as little as M3@microsoft money and very little cryptocoins can easily do in under an hour.

  • by crotchfire on 1/12/24, 6:14 AM

  • by tiffanyh on 1/11/24, 10:20 PM

    > "we called [Cloudflare] and they quoted a very big number" [0]

    This is what I've never understood about Cloudflare.

    You're supposed to be able to purchase a business account for $200/mo [1]

    But it seems like at some point, Cloudflare says you need to upgrade to a custom pricing plan.

    What triggers Cloudflare to state you can't use the $200 Business Plan account?

    [0] https://fosstodon.org/@arch@floofy.tech/111739294821803544

    [1] https://www.cloudflare.com/plans/

  • by doublerabbit on 1/12/24, 3:14 PM

    Simple solution: rent a botnet and DDoS the DDoS. /s