Author Topic: Cloudflare was installed on FA BEFORE the DDOS  (Read 1466 times)

ohboyherewego

  • Posts: 11
  • E-points: +0/-0
  • Uninitiated Rube
    • View Profile
Cloudflare was installed on FA BEFORE the DDOS
« on: October 19, 2014, 12:06:39 am »


    http://ox.furaffinity.net/cdn-cgi/scripts/cf.common.js

    http://furaffinity.net/cdn-cgi/scripts/cf.common.js

    Right click, view page info, not source, but info.

    This screenshot was taken in Eastern time, same as neer.

    Tell me, tell me why, Cloudflare was installed almost a day before the ddos.

    You cannot , you absolutely cannot tell me this isn't proof. There is no fucking doubt about this one.

    http://i.imgur.com/XZUbpLD.png here is another screenshot.


mahadri

  • Posts: 10
  • E-points: +2/-0
  • Uninitiated Rube
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #1 on: October 19, 2014, 12:43:16 am »
You cannot , you absolutely cannot tell me this isn't proof. There is no fucking doubt about this one.

This isn't proof. /cdn-cgi/ is a virtual directory served by CloudFlare for all proxied sites. For real files, if FA installed a JavaScript file like jQuery, the last-modified time is set from an archive or HTTP headers to a time before the installation.

$ curl --head http://cloudflare.com/cdn-cgi/scripts/cf.common.js
HTTP/1.1 200 OK
Date: Sun, 19 Oct 2014 07:24:54 GMT
Content-Type: application/javascript
Content-Length: 4443
Last-Modified: Tue, 14 Oct 2014 05:26:02 GMT
...

ohboyherewego

  • Posts: 11
  • E-points: +0/-0
  • Uninitiated Rube
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #2 on: October 19, 2014, 12:48:50 am »
You cannot , you absolutely cannot tell me this isn't proof. There is no fucking doubt about this one.

This isn't proof. /cdn-cgi/ is a virtual directory served by CloudFlare for all proxied sites. For real files, if FA installed a JavaScript file like jQuery, the last-modified time is set from an archive or HTTP headers to a time before the installation.

$ curl --head http://cloudflare.com/cdn-cgi/scripts/cf.common.js
HTTP/1.1 200 OK
Date: Sun, 19 Oct 2014 07:24:54 GMT
Content-Type: application/javascript
Content-Length: 4443
Last-Modified: Tue, 14 Oct 2014 05:26:02 GMT
...

https://www.youtube.com/watch?v=1MTqZOAswrI

fuck me sideways

Conan

  • Posts like Kage drinks
  • ****
  • Posts: 716
  • E-points: +39/-9
  • ¯\(°_o)/¯
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #3 on: October 19, 2014, 03:21:26 am »
https://twitter.com/Dragoneer/status/514206378966384640

Actually it was installed last month, at least for a short time.


ohboyherewego

  • Posts: 11
  • E-points: +0/-0
  • Uninitiated Rube
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #4 on: October 19, 2014, 03:28:59 am »
https://twitter.com/Dragoneer/status/514206378966384640

Actually it was installed last month, at least for a short time.

Oh man, thank you for that, I was hoping there was going to be something. This is around the time he was tweeting about debt too

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 104
  • E-points: +7/-3
  • OMG SO CUTE ^__^
    • View Profile
    • lynxies :3
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #5 on: October 19, 2014, 09:42:46 pm »
https://twitter.com/Dragoneer/status/514206378966384640

Actually it was installed last month, at least for a short time.

Yes, but not competently. They never renumbered, and they never made any effort to get rid of everything in furaffinity.net's DNS zone that points at their 70.whatever addresses. This compounded by Viv's blog meant that any attacker would know exactly how to bypass CF and go straight for FA's network.

That said, I _want_ to say that the one thing that the site has done right so far is point to *.facdn.net and furaffinity.net by DNS name. This means that once those are chunked behind a CDN, there shouldn't be any unintended leakage (heh) that would be valuable to attackers.

I've written a couple of emails over the past few days detailing a few things that FA can do to make sure that they can obscure their real numbering behind CloudFlare and to defeat the available resolvers on the Internet. We'll see if this advice takes hold, but I'm not holding my breath. I'm willing to put money on someone saying to him, "Don't listen to nrr. He doesn't know what he's talking about. He also hates FA."

… you know, despite the fact that I do this shit for the self-styled most trusted name in news. That's cool though. 8)
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

magus

  • *
  • Posts: 51
  • E-points: +4/-0
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #6 on: October 21, 2014, 01:31:21 am »
https://twitter.com/Dragoneer/status/514206378966384640

Actually it was installed last month, at least for a short time.

....you know what's interesting about this is it gives you numbers to do some back of the envelope calculations for Piche's AWS plans. The numbers I came up with were rather more expensive per-month than I bet he's thinking they will be.

Which is usually how AWS engagements go, but whatever.

mexxy

  • Posts: 12
  • E-points: +0/-20
  • Anthropomorphic middle finger
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #7 on: October 25, 2014, 11:14:52 pm »
I'm willing to put money on someone saying to him, "Don't listen to nrr. He doesn't know what he's talking about. He also hates FA."

You showed me up in that Javascript password hashing implementation POC.

Security is one of my strong points, at least with web apps so I know for a fact you're not full of it.

It sounds like it was on the CDN level, then. So, just a bunch of retards with a script and too much free time?

Again, I don't really care. I don't use FA anyway.

I just wanted to purchase an ad.

Maybe I'll specnd some time on this and read more into it but I've been busy all day and now I gota head out again >.<
Confucius viewed woman as a thoroughly irrational creature often as difficult to deal with as servants.
- Max Weber

JTfurry

  • *
  • Posts: 34
  • E-points: +1/-0
  • Uninitiated Rube
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #8 on: October 27, 2014, 07:31:45 am »
Anyone looked at the IP history yet, eg Netcraft?



Says 17th on there. That would be just at the end of the DDOS? I don't remember the dates to well.

Their old server IP looks to be online but everything is blocked. Going through all their IPs atm looking to see if anything is open :3
They can't be dumb enough to still use the old block they own though surely? :P

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 104
  • E-points: +7/-3
  • OMG SO CUTE ^__^
    • View Profile
    • lynxies :3
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #9 on: October 30, 2014, 06:47:24 pm »
You showed me up in that Javascript password hashing implementation POC.

You're damn right I did.

Security is one of my strong points, at least with web apps so I know for a fact you're not full of it.

Secure software is a subset of reliable software. I write reliable software for a living, so I would like to think I know a thing or two about security.

Maybe I'll specnd some time on this and read more into it but I've been busy all day and now I gota head out again >.<

Maybe you can show me more of your security strong points eks dee

Now, stop fucking posting.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

mexxy

  • Posts: 12
  • E-points: +0/-20
  • Anthropomorphic middle finger
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #10 on: November 01, 2014, 12:02:30 am »
Secure software is a subset of reliable software. I write reliable software for a living, so I would like to think I know a thing or two about security.

Funny, same here ;3

Also, your assumption there is flawed.

You can't have 100% secure software unless you are telling me it's 100% bug free.

Bugs can cause security vulnerabilities, simply by their unknown nature.

Maybe you can show me more of your security strong points eks dee

I ID'ed and fixed over 200 vulnerabilities in an enterprise eCommerce app. Then again, the PCI auditors were morons at the time. I looked at their "reports" and it was ~ 100 pages of our login screen. Just *maybe* the spider hit the logout button? Just a wild guess :V

SalesForce was A LOT better and found a lot I already documented. So, yeah... That's when the product owners prioritized it. I was doing the fixes, which for certain things (like FINDING HTML EMBEDDDED IN THE SQL DATA) a lot had to be a hack. There was also a bad file inclusion bug that was core to our architecture. A lot of workarounds and I left line-spanning rexexp's but there really was no other way and I was the only developer who could do it and make the audit. And we did.

I also ported the app from IIS/Coldfusion to an Apache Tomcat stack so we coud develop services in a non-shit language like J2EE in parallel for new development while still running the monolithic POS legacy app. The framework is one of the problems; developers don't generally write with security in mind. I've been doing this stuff for 8 years or more. I'm not a noob :p

I just find it unfortunate I work with so little other science (and math too, an area I'd like to get stronger in). Right now I'm doing platform engineering for a large SOA (well, n-tier to be specific but I have my dreams) and work with Java, Ruby, C++, Bash, front-end, whatever. Basically back-end glue code but I go back to the front-end sometimes (not as much as I'd like; JS and HTML/CSS are some of my my strong points but I'm a bit too OCD to be a UIX person). Not to mention the pay cut.

Quote
Now, stop fucking posting.

Oh, come on. And I expected more from you ;3

Stop posting and GTFO are so last millenium.

I said you showed me up. Once. I owe you one; maybe sometime it'll happen (though we don't talk much).

Or did I?

Nah, that was far too weak. Just a paradigm I believe; there's no such thing as a 100% secure application (assuming it is of reasonable size).
Confucius viewed woman as a thoroughly irrational creature often as difficult to deal with as servants.
- Max Weber

Dima

  • *
  • Posts: 45
  • E-points: +7/-2
  • Inadequate
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #11 on: November 01, 2014, 12:19:29 am »
words that bump the thread but aren't new information about the topic

Please don't.

mexxy

  • Posts: 12
  • E-points: +0/-20
  • Anthropomorphic middle finger
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #12 on: November 01, 2014, 12:26:29 am »
Please don't.

Right. Who are you, again?

It's a slow forum, people should realy stop complaining about bumping threads.

Not my show though; I guess the intent is decent content.

He asked though, I answered. That's called a discussion.

This is a discussion forum. Maybe you missed that somewhere :V
Confucius viewed woman as a thoroughly irrational creature often as difficult to deal with as servants.
- Max Weber

ProvincialTwit

  • Abuse Dept.
  • Postcount killed Trogdor
  • *****
  • Posts: 794
  • E-points: +77/-33
    • View Profile
Re: Cloudflare was installed on FA BEFORE the DDOS
« Reply #13 on: November 01, 2014, 03:31:50 am »
Go away.