

Scaling CloudFlare's Massive WAF - mxpxrocks10
http://www.scalescale.com/scaling-cloudflares-massive-waf/

======
mxpxrocks10
Also, I want to point out that many people at Cloudflare were involved with
the optimization of the WAF at Cloudflare, including @agentzh
([https://twitter.com/agentzh](https://twitter.com/agentzh)). He also did a
fantastic presentation at nginxconf!

~~~
eugeneionesco
Here's the video from nginxconf

[https://www.youtube.com/watch?v=Z0fQabvVhIk](https://www.youtube.com/watch?v=Z0fQabvVhIk)

~~~
mxpxrocks10
Thanks for posting this - woot woot.

------
stevekemp
Cloudflare blocks comment-spam? That's pretty interesting to hear, and not a
trivial problem.

I've been running [http://blogspam.net/](http://blogspam.net/) for the past
few years to filter comment-spam from blogs, forums, etc, and it isn't an easy
thing to manage.

------
seekingtruth
How soon until botnets & malware routinely bypass DNS and instead use host
files compiled from simple subdomain pings (and other vectors for IP address
leaks) and passed about like password lists?

~~~
nacs
If the target server is set up to only accept requests from certain IPs, like
the Cloudflare IPs, then this shouldn't be a problem.

~~~
seekingtruth
That doesn't seem to be common.

~~~
mxpxrocks10
It would be if such a list got distributed. Simple iptables or webserver
config. Could you think of a way to make it easier?

------
puppetmaster3
I was always wondering what Cloudflare does.

------
150
I'm sure they are doing a lot of great work. However, I really do not like the
idea of having one company serve all the major websites of the internet. Should
one not focus on a better solution to DDoS attacks than putting everything
into the hands of a single entity?

~~~
davidy123
It's not hard to make your own Cloudflare-alike. I helped bootstrap this for
an organization in the non-profit space which now serves dozens of threatened
web sites. I even created a monitoring/rotation system that takes care of much
of the minute-to-minute work. The hard part, outside state funding, is making it
profitable / sustainable for real emergencies. But the nature of DDoS is that it's
largely about fighting fire with fire, so it basically needs a lot of distributed
hosts.

This is an area where I'd like to see a peer solution be successful: a BitTorrent
for hosting with no central dependencies.

~~~
mxpxrocks10
Right on. What did you use for your stack when you bootstrapped?

~~~
davidy123
Pretty basic stuff. Apache Traffic Server, Nagios, the monitoring/rotation is
in Node.js, some scripts to tie it together, and a lot of cheap VMs around the
world. You can learn more about it at
[https://wiki.deflect.ca/wiki/Main_Page](https://wiki.deflect.ca/wiki/Main_Page),
but I'm no longer involved in that project.

