Stay away from KnownHost!

[Recep Baltaş]

Hi,

Let me tell you about my experience with Knownhost

I have bought a yearly plan to host my new website. Yesterday, some idiot began DDoSing the site. The website is behind Cloudflare but the attacker has our origin IP so it can bypass the Cloudflare.

I seek help from Knownhost but the support people have no idea about origin IP. They keep telling that I'm behind Cloudflare and I should enable DDoS protection from there

Hello Recep,

Thank you for writing back! Since you are using Cloudflare, the block needs to be done there. Blocking at the server level will not work. If you have any further questions or require additional assistance, please feel free to reach out.
----------
Nikhil E.
KnownHost, LLC

How come blocking the attackers on Cloudflare will work if the attacker knows my origin IP right? I ask them this question and get back this reply

Could you please share how you were able to know that they are accessing the server directly?
As the proxy is enabled, the traffic redirects through Cloudflare.

Then I ask them to provide me the attacking IP list so that I can block them via .htaccess and get this response:

    631 66.249.79.75
    683 34.112.90.241
    714 78.190.48.188
    731 108.72.205.73
    842 5.47.111.213
   1035 188.132.145.255
   1089 85.99.17.149
   1532 2a06:98c0:3600::103
   1844 66.249.79.74
   2289 66.249.79.73

They give me Google's IPs as the attacker IPs I inform them about this and get this response

Hello,I have checked the access details and found that most of the access is from bots.

So it turns out, Google bots are DDoSing my website The bots, which could not take down the website all the time, decided to attack nonstop for two days

We have blocked aggressive bots except Google bots from accessing your domain using the .htaccess file.You can check the in the .htaccess file in your public_html.However, Googlebot accesses are increasing on your domain. I infer we need to block Google bots on your domain temporarily on your domain to resolve the issue.

After that, I told them to block Google bots via .htaccess and see if the solution works, which of course did not as the website is still unreachable.

This is the hosting provider I've seen here in every single topic being recommended and this ^^ is my experience.

Unfortunately, I have a yearly subscription and I will use it till the and of the year as I think I won't get a refund (or can I?)

Stay away from KnownHost!

 

[DanielP]

Howdy,

KnownHost here.

I'm sorry you've had a bad experience with our support, do you happen to have a ticket number that we can reference so I can have our team look into this further?

Normally for folks using Cloudflare we do recommend they enable the "I'm under attack mode" if they are getting a lot of bot/attack traffic because the way Cloudflare proxies traffic, it renders the server-side protections practically useless as IP blocks are ineffective from our side due to the proxy.

Thanks and I look forward to hearing from you!

 

[Chromaniac]

Probably best to get a new IP assigned to your account. But before doing that make sure that you are not leaking your IP through any route (link/image proxy, unfurl).

 

[Old Nick]

But before doing that make sure that you are not leaking your IP through any route (link/image proxy, unfurl).

How to know?

 

[Chromaniac]

that is the tough part lol. i mean all you can do is setup proxies to route traffic through external server. xenforo has an internal feature for proxy...

Config.php options | Manual | XenForo

End-user documentation for XenForo

xenforo.com

@digitalpoint cloudflare addon also has two options to route proxy data through cloudflare servers which also helps a lot i bet.

 

[Old Nick]

Is the proxy secret key provided by a third-party service or you have to create it by yourself?

 

[Chromaniac]

yeah it's kind of confusing. xenforo devs should provide a random key generator here similar to how wordpress provides here. (Or maybe add a line in the field description that a key can be any random mix of numbers and letters )

from my experience you are supposed to enter any random keywords here. i just use a random password generator and put in that.

but this is not what hides your IP. this one is used to create randomized URLs for your proxied images which you can expire by changing the key.

 

[Old Nick]

but this is not what hides your IP. this one is used to create randomized URLs for your proxied images which you can expire by changing the key.

It seems that protect from third-party access or i understand wrong?

If you have enabled the image or link proxy, this secret key will ensure that images and links are only proxied if the requests originated at your forum. If you find that links are being accessed via third-party sites, you can change this secret key to expire these links. All links stored on the forum will be automatically updated to use the new secret key.

I had also activated proxying with CF via the DigitalPoint add-on.

 

[Old Nick]

i just use a random password generator and put in that

RandomKeygen - The Secure Password & Keygen Generator

RandomKeygen is a free mobile-friendly tool that offers a randomly generated keys and passwords you can use to secure any application, service or device.

randomkeygen.com

 

[Chromaniac]

yeah. from my understanding, proxy was originally launched to host http images from external domains through your own domain which might be running on https. it fixed a major issue with mixed security content which caused issues in browser. now this is not that big of a deal coz most of the web is now basically running on https and you would rarely land on a domain on http.

the idea behind the key is to create expirable URLs for images. so, if some third party website starts embedding your hosted images using the proxy links, you can just change the proxy key and all those links would expire. but the same embeds would continue to work on your board because those links would get updated automatically.

 

[Old Nick]

I understand, thank you for this clarification.
As you wrote before maybe XF devs should explain better how it works.

 

[Chromaniac]

It is like a 10 year old feature and there is a video that explains it lol.

S

Post in thread 'What is Proxy links and Proxy images?'

Aug 16, 2014

Those are explained by Kier in the HYS video here. The relevant part starts around the 2:30 mark.

They're intended to help suppress insecure content messages when users post picture URLs and links to sites that don't use SSL. But, they're also handy for tracking outbound links and what pictures are posted on the forum and how many times each has been viewed.

Speaking as someone who runs XF on SSL and previously had to deal with insecure content messages, those are my very favorite XF features. Just a wonderful addition to the core.

• SamL

• 

This page could be improved I suppose.

Image and link proxy | Manual | XenForo

End-user documentation for XenForo

xenforo.com

Also this bit is incorrect:

Here, you can set parameters for your proxy, including how often your server will check for updates of the original source image and how large images can be before your site will opt to keep them hot-linked instead of proxying them.

XenForo 2.2/2.3 shows a placeholder image instead of hotlinking images which exceed custom size setting in backend.

 

[Paul B]

xenforo devs should provide a random key generator here

Or, you could just enter a random key instead of wasting development time.

JFC

 

[ekool]

Or, you could just enter a random key instead of wasting development time.

JFC

I just mash a bunch of keys on my keyboard every time I configure it. Usually ends up looking like this:

a;sdlkfjas;dfkjfslajfsdwf

 

[Old Nick]

I just mash a bunch of keys on my keyboard every time I configure it. Usually ends up looking like this:

Thank you for this valuable advice!
I managed to disable my trackpad with a key combination!! I struggled for 10 minutes to reactivate it with the tab and enter keys!

 

[ekool]

Thank you for this valuable advice!
I managed to disable my trackpad with a key combination!! I struggled for 10 minutes to reactivate it with the tab and enter keys!

LOL. That's hilarious. Talk about a random trojan horse.

 

[Forsaken]

Hi,

Let me tell you about my experience with Knownhost

I have bought a yearly plan to host my new website. Yesterday, some idiot began DDoSing the site. The website is behind Cloudflare but the attacker has our orijin IP so it can bypass the Cloudflare.

I seek help from Knownhost but the support people have no idea about origin IP. They keep telling that I'm behind Cloudflare and I should enable DDoS protection from there



How come blocking the attackers on Cloudflare will work if the attacker knows my origin IP right? I ask them this question and get back this reply



Then I ask them to provide me the attacking IP list so that I can block them via .htaccess and get this response:

    631 66.249.79.75
    683 34.112.90.241
    714 78.190.48.188
    731 108.72.205.73
    842 5.47.111.213
   1035 188.132.145.255
   1089 85.99.17.149
   1532 2a06:98c0:3600::103
   1844 66.249.79.74
   2289 66.249.79.73

They give me Google's IPs as the attacker IPs I inform them about this and get this response



So it turns out, Google bots are DDoSing my website The bots, which could not take down the website all the time, decided to attack nonstop for two days



After that, I told them to block Google bots via .htaccess and see if the solution works, which of course did not as the website is still unreachable.

This is the hosting provider I've seen here in every single topic being recommended and this ^^ is my experience.

Unfortunately, I have a yearly subscription and I will use it till the and of the year as I think I won't get a refund (or can I?)

Stay away from KnownHost!

Most hosts will only give you basic support for DDoS attacks, as the methods that attacks are done are much more varied than they were 5-10 years ago.

The fact that the host continued to reply, and made an effort with what you requested is better than most hosts will do (unless you pay for management).

Their advice for the most part was solid, which is to use CloudFlare, turn on "I'm under attack" and to wait out the attack as much as possible. Your IP being known changes the situation, and that is not KnownHost fault, nor any other hosts fault .

Most hosts will null route your site, and then drop you as a customer depending on how big the attack was (I've had issues with OVH in the past for this, whereas Tier.net gave way better support).

Work with Knownhost to change your IP, lock down any IP leaks, and prepare a plan for any future attacks as they're common when you run a website. I get on average 3-4 attacks per week, and that's if I'm not purposely pissing people off.

 

[Recep Baltaş]

Howdy,

KnownHost here.

I'm sorry you've had a bad experience with our support, do you happen to have a ticket number that we can reference so I can have our team look into this further?

Normally for folks using Cloudflare we do recommend they enable the "I'm under attack mode" if they are getting a lot of bot/attack traffic because the way Cloudflare proxies traffic, it renders the server-side protections practically useless as IP blocks are ineffective from our side due to the proxy.

Thanks and I look forward to hearing from you!

Than you for the quick reply. My ticket ID is KH20240731217C. The attacker stopped for now but I'm sure that he'll begin at around 17:00 PM CET.

 

[Recep Baltaş]

Probably best to get a new IP assigned to your account. But before doing that make sure that you are not leaking your IP through any route (link/image proxy, unfurl).

Ufortunately I do via sent mails and unfurl. I'll fix this when I move to VPS/VDS.

 

[Enes3078]

Is the proxy secret key provided by a third-party service or you have to create it by yourself?

View attachment 307662

This should also close the vulnerabilities created by Unfurl, right? It's not working I suppose. I tried this option with password generators btw.