Unfortunately a lot of people's jobs and credit / achievements rely on LinkedIn posts. If it is not on LinkedIn, you haven't done anything. And this seems especially true in the UK.
I know OVH and Hetzner get mentioned a lot as European cloud, but I thought I should bring UpCloud [1] to HN's attention. I believe their CPU cores are actual CPU cores and not vCPUs as in a single thread (although I can't find a reference to it, which is annoying).
I also sometimes think OVH and Hetzner are not a fair comparison, as much as I want competition to the hyperscalers. Hetzner uses consumer-grade components with a few server-grade selections.
Do I have Stockholm Syndrome for being just utterly confused how every single one of these budget providers [that I've seen so far] has no meaningful IaaS IAM offering? I don't mean "yeah, I can login to the console with username and password," I mean Permissions, Roles, Machine Identity, ... you know, who can do what to what and be able to see those actions in an audit log.
As a concrete example for your link, they cite Crossplane (and good for them) but then the Crossplane provider gets what I can only presume is some random person's console creds https://upcloud.com/docs/guides/getting-started-crossplane/#... and their terraform provider auths the same way
If I don't want my users to have a Cloudflare captcha, or for example the captcha doesn't work on my Safari 18.5 running on an OpenCore Patcher MacBook 2015, what other options have I got?
Most websites don’t need DDOS protection.
Many websites use Cloudflare to block basic bot vulnerability scanning. You could block this type of traffic with other methods: JA3/JA4, IP to ASN & ASN filtering, etc.
While it may not impact your site, it does impact your hosting provider. As their costs go up, your costs go up. Anything on the Internet at this point needs DDoS / scraping protection. It may not drop your service, but your ISP or upstreams may blackhole your route.
The "old web" (current web) was largely based on an open exchange of information.
The "new web", post AI bot scraping, is taking its place. Websites are getting paywalls. Advertising revenue is plummeting. Hosting providers are getting decimated by the massive shift in bandwidth demand and impact to systems scraped by the bots.
I guess my products fall into a niche that doesn’t seem to attract AI crawlers. I’ve seen only a few and they haven’t been too aggressive. I mean they ignore typical crawl rate limits defined in robots.txt but account for maybe only 1-2% of my overall traffic.
DDoS and AI are mostly unrelated. Sure, AI companies are running low-quality scrapers, but they don't cause nearly as much traffic as a DDoS. They might cause as much CPU load as a DDoS, which is an application-level problem.
You make a contract with a company that does layer 3 DDoS protection, you advertise a route including their AS on a subset of your prefixes and they route to you over a GRE tunnel.
With these services the forwarding happens at a lower level. The traffic doesn't come from them - the source address is whoever actually sent the traffic. And the destination address is you, but the Internet thinks they are hosting you. They can't just forward the same packets to you because they'd just go back to the DDoS provider because that's where "you" "are". So they put the packets inside other packets and send them to you on a different address.
I suppose they could rewrite the destination to be your real address, and then send them to you without extra layers; you wouldn't get to know what the original destination address was; maybe if you only have one, it doesn't matter.
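The tunnelling described in the comments above, as an added example that is not part of the original thread: it builds an IPv4 packet, wraps it in a basic GRE header, and compares what the origin can recover after decapsulation with what it sees if the destination is simply rewritten. All addresses are constructed documentation-range values, and the function names are hypothetical.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 payload
# Constructed documentation-range addresses (assumptions, not from the thread).
CLIENT, SERVICE = "198.51.100.7", "203.0.113.10"   # real sender, announced address
SCRUBBER, ORIGIN = "192.0.2.1", "192.0.2.2"        # tunnel endpoints

def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum over 16-bit words."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject malformed headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]

def gre_encapsulate(inner: bytes) -> bytes:
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # basic header, no optional fields
    return ipv4(SCRUBBER, ORIGIN, GRE_PROTO, gre + inner)

def gre_decapsulate(outer: bytes):
    _, _, proto, payload = parse_ipv4(outer)
    if proto != GRE_PROTO or len(payload) < 4:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return parse_ipv4(payload[4:])

def rewrite_destination(pkt: bytes, new_dst: str) -> bytes:
    src, _, proto, payload = parse_ipv4(pkt)
    return ipv4(src, new_dst, proto, payload)  # the original destination is gone

def demo():
    inner = ipv4(CLIENT, SERVICE, 17, b"constructed payload")
    outer = gre_encapsulate(inner)
    return (parse_ipv4(outer)[:3], gre_decapsulate(outer)[:3],
            parse_ipv4(rewrite_destination(inner, ORIGIN))[:3])
```

The first tuple from `demo()` is what routers between the scrubber and the origin see, the second is what the origin recovers from the tunnel (real sender and announced address intact), and the third is the rewrite case where only the sender survives.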
The simplest is to just wait until the attacker is bored, and/or daddy's credit card runs out.
If you aren't doing any business, or not much business, through your site, this can be fine. Your hosting provider may either choose to let your server be overwhelmed with as many packets as its pipe can fit, or it may need to protect its network by discarding traffic to your IP address upstream of itself. It's probably a good idea to reach out to your hosting provider and let them know you're getting DDoSed. Even if they can't do anything about it (though there's a chance they can) they'll hopefully appreciate the heads up.
True story: I ran a Pixelflut client for 38C3 from a Netcup server in Nuremberg (this somehow had better performance than running it on my tablet at the physical location) and they somehow thought 38C3 was DDoSing me and "helpfully" blackholed traffic between 38C3 and my server.
---
It's important to stop thinking of DDoS as some magic hammer of Thor that you can't do anything about. DDoS packets, like all other packets, have source and destination addresses and flow through routers and links.
When Cloudflare receives a 7-terabit DDoS, they aren't receiving 7 terabits through one link. Cloudflare operates a huge number of locations that pretend to be one coherent network. So they're receiving 100 gigabits in London, 100 gigabits in Frankfurt, 200 gigabits in NYC, etc. Their network architecture pretends like it's delivering all these packets to their destination addresses, but really, each location has its own completely different set of servers that all have the same addresses. (This is called anycast.) Each individual packet sender is only sending packets to the nearest Cloudflare node, where they're getting discarded. Likely, no individual node is overloaded by this, but when you aggregate the statistics from all of them, it adds up to a large amount of traffic. This is by the nature of a DDoS - it's devices all over the world attacking you, which means they're all coming by different routes.
It's similar with hosting providers too, at least the big ones. Suppose you're on Hetzner: https://www.hetzner.com/unternehmen/rechenzentrum/ . They're not getting a terabit against your server through one link - they're getting 100Gbps through DE-CIX Frankfurt, 10Gbps through AMS-IX, 50Gbps through Telia in Nuremberg, 50Gbps through Telia in Helsinki, 50Gbps through Core-Backbone, etc.
If they deploy a routing rule to the router on their end of each of those links, which says to discard packets where the destination address is yours, they can protect their network. Your site will still be down, of course.
If one of their pipes does get overloaded (say their full 10Gbps from Baltnet in Frankfurt), they can reach out to that network (pretty much every serious network on the internet has a network operations center, reachable 24/7 by phone) and Baltnet will track it down further and block the traffic even closer to its source (or at a wider part of their network).
If you're lucky and the DDoS traffic is just coming from a few "directions", users whose packets happen to come via a different direction may still be able to access your site.
Suppose you're on Uncle Tom's Tiny Hosting Company Ltd (not real), they're certainly not the scale of Hetzner, and they only have a 10Gbps pipe between them and their ISP which is easily filled by a single attack. They'll have to contact their ISP to block traffic to your server so that the rest can get through, and their ISP will do the above stuff.
None of this information will keep your site up during a DDoS, I just want to show you there's a depth to this DDoS thing and this Internet thing and it's not just magic.
FWIW, I have a site with nearly zero content or users; randomly it got DDoS'd one day, and it never happened again. I think the reasons for a DDoS can be wide ranging, from just testing, to nation state, to someone is unhappy with your font choice.
An 11 year old with a discord account and a stolen credit card can now rent massive capabilities that can take (smaller, limited peered) entire countries offline for brief periods these days.
Perplexity is currently valued at $15B; it would be fun to see Apple go through with this, because Apple, under the Steve Jobs era and influence, doesn't do big acquisitions.
I believe it's been 5 years that some Chinese phones have already had silicon-carbon batteries... Samsung/Apple were crazy slow on this, and later this year everyone will get "Shocked" when Apple supposedly shows up with their new phone with the new battery...
It is about destroying the industry which the West has a stronghold in. Giving it away for free, in the name of open source, also attracts a lot of "common interest": those from Europe who want to break free of the US, those from the US who want the US to fail, and companies who simply want another company to fail so they can gain a competitive advantage. And China is very happy to help.
It has been blatantly obvious for the past 10 plus years yet most still see it as if it is new.
What "stronghold"? The science of LLMs is widely known, with everyone adding new small tricks everywhere. The main moat so far has been the availability of compute, and that's a leaky moat because inevitably more companies will find enough compute or make snappier models, or simply take more time to train them.
There is no secret sauce or moat; they've been saying that for years, and it's still true. Being number 2 in the race is a losing position, so China probably thought they might as well give it away.
Think: How did they target all of those Iranian scientists?
Most likely through their phones. They can just track you if they wanted to. Everybody knows it. This sentiment is part of why the USA will lose the propaganda war.
There is no amount of propaganda the USA can make to remedy this reality.
The US' software domination has really spooked a lot of people and nation states. No one really trusts US tech companies.
And sure, "everybody spies", but that in and of itself will bring a lot more competition and privacy focus, hopefully.
China will take advantage of that sentiment. They don't have to win the war personally, just the US has to lose it. India is already trying to develop its own phones, China will only keep going.
I don't want to use an iCloud alternative, even if it is cheaper. And at least in terms of backup, I am also not fussed about having an alternative, unlike the App Store blocking access to apps.
I do however wish for TimeCapsule for iOS that is linked to iCloud Cold Storage backup.
But modern Apple isn't about being the best or even better. It is all about value extraction. How do we milk more money from our loyal customers.
>see svt-av1-psy, being merged into SVT-AV1 itself
Part of it being merged for now.
It is unfortunate this narrative hasn't caught on. Actual quality over VMAF and PSNR. And we haven't had further quality improvement since x265.
I do get frustrated every time the topic of codecs comes up on HN. But then the other day I came to realise I did spend ~20 years on Doom9 and Hydrogenaudio; I guess I accumulated more knowledge than most.