Stay away from KnownHost!

Thank you for the quick reply. My ticket ID is KH20240731217C. The attacker stopped for now but I'm sure that he'll begin at around 17:00 PM CET.

Howdy,

We had already found your ticket and our support manager gave you a couple of replies. Based on what he found I don't anticipate this to be an issue moving forward but your ticket is assigned to him in our escalated queue and we'll keep an eye on it should something change.
 
We had the same issue a couple of years ago. Simply configure your firewall to allow traffic from Cloudflare servers only.
 
Do we need to request this from the host? We use shared.

A shared environment isn't going to be able to implement that as the firewall is going to impact all users on the same server, so the only way you can block all but cloudflare is to have your own vps/cloud/dedicated environment.
 
Get rid of shared hosting. Providers such as IONOS or OVH offer a firewall for all their virtual servers or cloud instances. Simply use Plesk / cPanel / ISPconfig or w/e (which you should also protect using the firewall; allow access from your ip address only) if you are still not familiar enough with Linux.
 

Howdy,

We've been keeping an eye on things and it appears this issue has been corrected and we're not showing any further signs of this attack vector making it to your site. If you need anything else don't hesitate to reach out to us.
 
You should never be using your server to send emails these days. Let AWS or MailChimp or someone handle it. That way, your emails won't leak your IP.
I disagree, as long as all your email server results are good, there is nothing wrong with using your own SMTP settings.
 
If you are a small hobby site, that is not at risk for any attacks, or if you're unlikely to reach a high level of activity then sure. Otherwise it's easy enough to use a separate service, and lessen the headache of hosting your site, and also prevent a way of your IP leaking.
 
I still don’t understand if this was a problem with his mail setup leaking the IP, or if it was the fault of his host. If the former, the subject title casts a very negative light on the host that is not deserved, and should be changed. It’s very unfair to the host.

Disclaimer…… I’ve been with this host for years and have never had a problem that wasn’t solved almost immediately.
 
Why would the host have to secure their IP from leaking? It makes no sense for a host to have to secure the customers site because there is no solution that will work for every customer, nor every host. They provide a service allowing you to publish your website to the public internet, and you can then choose to secure however you feel fit.

Even the way that KnownHost handled the situation is better than most hosts, because many hosts will just cut you as a client rather than deal with a DDoS affecting other customers.

His anger was misguided, and honestly KnownHost is owed an apology, or at least an edit to the main post so this does not affect their reputation 🤷‍♂️.
 
Authenticated origin pulls can be configured per-host in every sane webserver setup I know of, and the mutual TLS ensures connections which aren't from cloudflare's proxy service are rejected.
Indeed it can, and if you want to go one further and not use a shared Cloudflare Authenticated Origin Pull client certificate, which would allow other Cloudflare customers to possibly connect, you can generate your own CA/Intermediate signed client SSL certificate and upload it to Cloudflare for custom hostname Cloudflare Authenticated Origin Pull client certificates. I leverage Cloudflare's own cfssl toolkit for this as outlined at https://github.com/centminmod/cfssl-ca-ssl.

Examples of custom client SSL certs for:

1. a custom apex domain client SSL cert, which would replace the default shared Cloudflare Authenticated Origin Pull client certificate and ensure only your Cloudflare domain zone connects to your origin and not other Cloudflare customers' zone domains.
2. a custom non-apex hostname domain client SSL cert, which would replace the default shared Cloudflare Authenticated Origin Pull client certificate and ensure only your Cloudflare domain zone connects to your origin and not other Cloudflare customers' zone domains.
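As an added illustration of the per-host mutual TLS the two posts above describe (this is example configuration written for this thread, not any poster's or KnownHost's own setup), here is an nginx origin on your own VPS that only serves a hostname when the connecting proxy presents a client certificate chained to the origin-pull CA you uploaded to Cloudflare. The file paths, hostnames and backend address are assumed; it complements, rather than replaces, a firewall that only admits Cloudflare's published ranges.

```nginx
# Added example configuration, not from the thread.
# Assumed files:
#   /etc/nginx/certs/origin.crt, origin.key  - the origin's own server cert
#   /etc/nginx/certs/origin-pull-ca.pem      - the CA that signed the client
#       certificate Cloudflare presents (Cloudflare's shared origin-pull CA,
#       or your own cfssl-generated CA/intermediate uploaded for this zone)

# Catch-all: anything that reaches the IP without a configured hostname
# (direct hits from scanners or an attacker who learned the IP) gets its
# TLS handshake refused instead of a page.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# The real site: per-host Authenticated Origin Pull enforcement.
server {
    listen 443 ssl;
    server_name example.com www.example.com;   # assumed hostnames

    ssl_certificate     /etc/nginx/certs/origin.crt;
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # Require a client certificate issued under the origin-pull CA.
    # With the shared Cloudflare CA, any Cloudflare zone could pass;
    # with your own CA, only the client certs you issued and uploaded
    # for this zone's hostnames are accepted. Handshakes without a
    # valid cert are rejected before a request is ever processed.
    ssl_client_certificate /etc/nginx/certs/origin-pull-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;   # allows CA -> intermediate -> client chains

    # Log the visitor's address as seen by Cloudflare, not the proxy's.
    # Only trust CF-Connecting-IP from Cloudflare's published ranges
    # (https://www.cloudflare.com/ips/), one set_real_ip_from per range.
    real_ip_header CF-Connecting-IP;
    # set_real_ip_from <cloudflare range>;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed application backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After `nginx -t` and a reload, a direct `curl https://<origin-ip>/ --resolve example.com:443:<origin-ip>` without the client certificate should fail at the TLS handshake, while requests through the Cloudflare proxy continue to work.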
 
For what it's worth, I've actually experienced Google practically DDoS-ing a website (went full retard, but figured it out eventually and solved it :) ).

Not sure about the direct hosting server IP though - how it got to that and why.

Based on the (very good/positive) feedback I got about KnownHost (haven't used the services myself), the title of this thread feels quite strange to me.
 