Fending off attacks
As you may or may not have noticed, qnrq.se was inaccessible between Friday the 14th until Monday the 17th. The site was totally unavailable for 65 hours due to a powerful DDoS attack that knocked out my host’s cluster on which the site resides (126.96.36.199). Downtime doesn’t affect me as a publisher: there is nothing here that is not backed up and I don’t intend to financially gain from the visitors of this site. Instead, it affects you as a reader. It affects your ability to access the information that is being spread through this domain. This is a serious attack on your right to access information freely. Therefor I would like to address how this situation will be handled to ensure that you can, at bare minimum, always access the content that I provide.
There are no restrictions that prevent search engines and other crawlers from accessing content published on this site. If it goes down you can always view the content through, for example, Google’s cache or the Internet Archive. I have also installed and configured Cloudflare, which caches and delivers content through their CDN even when the site is inaccessible. Please keep in mind that Cloudflare is an American company which by law has to co-operate with the NSA and similar organizations. If you wish to hide your activities on this site from such organizations then please use an anonymization service like IPredator or Tor.
Cloudflare is the first non-Swedish service which is involved in delivering content on this site since I first put it online nearly two years ago. There are no Google Analytics or similar foreign tracking you here. My host, Binero, is a Swedish company with their servers placed in Sweden. The Flattr buttons you see all over the site are served by a Swedish company with servers in Sweden. The Creeper icon in the menu on the right side is served by a Swedish server run by a group of Swedish open source fanatics. The top domain? Swedish. You get the point.
Limiting the site to be served from within the Swedish borders has always been a conscious decision. Originally publications were mostly limited to Sweden and I didn’t want my visitors’ data to be sent to a lot of fishy people I have no idea of who they are. Later the site grew in popularity and I now have almost as many international visitors as I have Swedish.
I have to both fend off attacks and ensure acceptable performance. The site is being run with a very limited budget and implementing Cloudflare seems to be the best alternative from a both financial and performance perspective. Introducing an American company into the chain isn’t exactly my dream scenario but the availability is important for me. Unfortunately this creates a conflict with users that care about their privacy, especially around America.
I hope to satisfy both the performance parts and privacy parts in different means. I have stuck to the same host, Binero, for many years now, but the way that they handled the recent DDoS is entirely unacceptable to me. I am not going to deal with a host that requires me to contact them to move my site to a cluster which is not affected by the attack by pure principle (“because it causes downtime for the already DDoSed customers”, they claimed). My attitude is that if I am paying somebody to deliver me a service then I expect them to do everything in their power to ensure that the service is delivered and not require me to walk extra miles for them and then waiting for three days for their support to react. With those conditions I would much rather have as much as possible in my control, and that’s the next phase.
I am breaking up with Binero and moving the site to a dedicated Swedish VPS. For security and other considerations I will abandon PHP on the new host and serve WordPress generated pages statically. Everything will remain the same for you as a reader in terms of accessing and reading. The positive thing is that I won’t have to deal with intrusion attempts directed at PHP and WordPress and also Cloudflare will be configured to cache the static pages so that you can access them even when my host goes offline. The negative part is that you will no longer be able to leave comments on the site, but that may be fixed sometime in the future. When the site has been migrated to the new host it will also be available through HTTPS.
I believe that this is the best solution available, please let me know if you feel otherwise by commenting on this post.
Cheers, stay critical.