Cloudflare / Anubis

carl
Site Admin
Posts: 2852
Joined: Thu Nov 14, 2013 2:53 pm

Cloudflare / Anubis

Post by carl »

Hi all,

I'm experimenting with some Cloudflare services, and a Javascript interstitial page called "Anubis" to mitigate an increasing amount of malicious / spammy traffic. You might see the interstitial "checking you are human" / "checking you are not a bot" page when you visit dcpomatic.com. I'll look into some more subtle solutions but it seems increasingly difficult just to run a web server these days.

Best,
Carl
CoreCode
Posts: 4
Joined: Wed Jul 30, 2025 10:45 pm

Re: Cloudflare / Anubis

Post by CoreCode »

sorry to sound negative, but is there any chance this can be turned off again?

as a user, if the website is still not here after 20 long seconds, i just turn away.

as a developer, we'll have to remove support for automatically updating DCP-o-matic* from our MacUpdater because automatic downloads are no longer possible as things are currently.

is there even a connection between CloudFlare and Spam? CloudFlare does DDoS protection, which is not really connected to spam anyway...
carl
Site Admin
Posts: 2852
Joined: Thu Nov 14, 2013 2:53 pm

Re: Cloudflare / Anubis

Post by carl »

Hi,

I don't like it either, but for the next few weeks I am travelling with little/no internet and cloudflare currently seems to be the best way to keep dcpomatic.com up.

Spam is a problem, though a manageable one. The big problem is indeed a DDoS.

To give some background, the "attack" I am seeing has now gone through two distinct phases twice in a row.

In the first phase, on the order of half a million distinct IPs start sending HTTPS requests with URLs in /forum that all have a distinct pattern. This would overload the database server process, stopping the forum and bug tracker from working (and also making the web server slow - it's only a $10/month digitalocean droplet). Luckily this pattern is easy enough to detect, so I was running a script which would block these IPs at the firewall whenever they made a "bad" request. Eventually this would solve it.

However at some point the attack would change to what (AFAICS) is a SYN-flood attack. At one point there were 40k half-open connections to the HTTPS port on the web server. I couldn't find a way around this - legitimate connections would be dropped because of the large number of hostile connections and at this point dcpomatic.com was effectively offline.

I don't yet know what the answer is, but for the next while I don't have time to find it. I'm hoping I can either
  • just start using a more powerful web server to run dcpomatic.com
  • adapt my database server protection script so I don't need the cloudflare Javascript interstitial page any more

By the way, I'm curious how you bypass the donation "nag" screen with your auto-updater. I guess you download using curl, perhaps?

Best,
Carl
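
The first-phase defence described in the post above (spot the "bad" /forum requests in the access log and block their source addresses at the firewall), as an added example that is not Carl's script. The request pattern, the combined log format, the allowlisted network and the nftables table and set names are all assumptions, since the thread states none of them.

```python
import ipaddress
import re

# Assumption: stand-in for the "distinct pattern"; the thread never gives the real one.
BAD_REQUEST = re.compile(r"^/forum/\S*[?&]sid=[0-9a-f]{32}&start=\d+")
# Combined log format: client address first, request line in the first quoted field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
SID = "0123456789abcdef" * 2

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = f"""\
203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /forum/viewtopic.php?t=12&sid={SID}&start=40 HTTP/1.1" 200 512
203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "GET /forum/viewtopic.php?t=13&sid={SID}&start=80 HTTP/1.1" 200 512
198.51.100.20 - - [01/Aug/2025:10:00:03 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 9000
2001:db8::5 - - [01/Aug/2025:10:00:04 +0000] "GET /forum/search.php?sid={SID}&start=0 HTTP/1.1" 200 512
192.0.2.10 - - [01/Aug/2025:10:00:05 +0000] "GET /forum/viewforum.php?f=2&sid={SID}&start=25 HTTP/1.1" 200 512
198.51.100.99 - - [01/Aug/2025:10:00:06 +0000] "GET /download?sid={SID}&start=1 HTTP/1.1" 200 512
truncated line with no request field
"""


def offenders(log_text, allow=()):
    """Client IPs with at least one bad /forum request, minus allowlisted networks."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    found = set()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not BAD_REQUEST.match(m.group(2)):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or junk where the address should be
        if not any(ip in net for net in allowed):  # v4/v6 mismatch is simply False
            found.add(ip)
    return [str(ip) for ip in sorted(found, key=lambda a: (a.version, int(a)))]


def nft_commands(ips, table="inet filter", set4="forum_block4", set6="forum_block6"):
    """Render lines for `nft -f`; the table and set names are assumptions."""
    out = []
    for ip in ips:
        name = set6 if ":" in ip else set4
        out.append(f"add element {table} {name} {{ {ip} }}")
    return out


if __name__ == "__main__":
    print("\n".join(nft_commands(offenders(SAMPLE_LOG, allow=["192.0.2.0/24"]))))
```

The allowlist is what keeps a known automated fetcher out of the block sets even if its requests happen to match the pattern; the two sets must already exist in the firewall ruleset with matching address types.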
CoreCode
Posts: 4
Joined: Wed Jul 30, 2025 10:45 pm

Re: Cloudflare / Anubis

Post by CoreCode »

thanks for the explanation and for appreciating the downsides of the cloudflare stuff. sorry to hear about the troubles you've been seeing.

at least for the first phase, i guess using cloudflare *only* for the /forum/ directory could be a solution, which would solve the database issue while still leaving the site browsable without extraordinary delay and downloads working. i guess it wouldn't help for the SYN flood though.

would there be the option to exempt the downloads from cloudflare for the time being?

i see even Homebrew had to disable DCP-o-matic now:

> disable! date: "2025-07-28", because: "cannot be reliably fetched due to Cloudflare protections"
Carsten
Posts: 3010
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Cloudflare / Anubis

Post by Carsten »

Why does Cloudflare exhibit these side effects? Aren't many sites using Cloudflare nowadays?


(BTW - currently, I don't see the Cloudflare pass when accessing dcpomatic.com)
Last edited by Carsten on Fri Aug 01, 2025 11:19 am, edited 1 time in total.
carl
Site Admin
Posts: 2852
Joined: Thu Nov 14, 2013 2:53 pm

Re: Cloudflare / Anubis

Post by carl »

The "checking you are human" interstitial page only appears if you have the "I'm under attack" mode enabled in cloudflare. Otherwise they just do some other, less intrusive protections by checking web requests and filtering out some bad ones before they hit my cheap webserver.

I switched it off for a while to see if I can filter out the forum database-killing attacks myself, and so avoid the interstitial (because it causes a lot of other problems for legitimate automated fetchers).
Carsten
Posts: 3010
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Cloudflare / Anubis

Post by Carsten »

I hope you can still enjoy your holidays!
CoreCode
Posts: 4
Joined: Wed Jul 30, 2025 10:45 pm

Re: Cloudflare / Anubis

Post by CoreCode »

thanks, confirming that everything is fine now again
IoannisSyrogiannis
Posts: 309
Joined: Mon Nov 13, 2017 8:40 pm
Location: Iceland

Re: Cloudflare / Anubis

Post by IoannisSyrogiannis »

Well, not quite.
To be more honest than courteous, as a forum user, I care less for developers' download automations and impatient users than being able to access it.

The forum is for the benefit of the users. It has no advertisements for the profit of the owners. Nothing to monetize from the high numbers of users or visitors.
Therefore, if someone turns away when the website is still not there after 20 seconds, that shouldn't weigh the least in favor of jeopardizing its accessibility.

P.S. For the sake of "how", following the link to https://dcpomatic.com/forum/ redirected me successfully and the effect didn't last long.

Barco is using a folder name in form of a number between their download domain name and the media blocks' public certificate packages. That folder name is unique for each media block's serial number. Therefore, the users can not download in bulk the certificates. They use the link provided by a QR code that shows on the faceplate of the server.
That is admittedly a bummer, when you have the serial of one of their (Alchemy) servers and don't want to wait for a response from the end user for obtaining the certificate.
CoreCode
Posts: 4
Joined: Wed Jul 30, 2025 10:45 pm

Re: Cloudflare / Anubis

Post by CoreCode »

it seems cloudflare is back on, so we've removed support for all the apps from MacUpdater now