KiwiFlare

I can't imagine what the issue is with people having the screen multiple times. The only thing that can cause that is: 1) you're using a network that switches your routing every other request, or 2) you don't allow cookies.
Does proof of work expire after 24 hours? Because from my experience, every day I have to go through the DDoS message screen multiple times, but eventually it stops and works normally, so maybe it requires a DDoS check for every possible path our ISP routes us?
 
It's never been a consistent problem but I have had periods of 5 or so minutes where every page will trigger the KiwiFlare check. I have cookies on and it goes away eventually. I don't have more than 2 or 3 KF tabs open. IDK what the issue is. Not causing me any significant problems but yeah.
 
I felt it was being a tad too paranoid at first but now it's working just like I'd expect it to. I just hope you don't find a way to teach it to sense mental retardation, I kinda like being able to post on the Farms.
 
I can't imagine what the issue is with people having the screen multiple times. The only thing that can cause that is: 1) you're using a network that switches your routing every other request, or 2) you don't allow cookies.
I've occasionally gotten the screen multiple times, say the first five page loads in a session, but it's gone away eventually. It isn't that much of a hassle so I assumed this was intended behavior.
 
DDoS screen is popping up on every screen I visit today. Open main page, attempt to hit the notifications, and it won't even let me view them because it immediately decides it has to retest.

Firefox 109. Seems to have resolved itself now, though it went on for about 15 minutes.
 
Just in the last 10 minutes I'm getting 429 errors again (Tor browser, .net domain). Switching circuits has been working but should I reset identity anyway?
 
I've occasionally gotten the screen multiple times, say the first five page loads in a session, but it's gone away eventually. It isn't that much of a hassle so I assumed this was intended behavior.
I get the same behavior. I figured I'm just getting a new node on the mesh each time and have to compute a solution for each node. It usually works fine for the next 24 hours after the first few page loads.
 
Null said:
I'm using it with KiwiFlare because I needed a multi-master database. There were users on cell networks being routed to different frontends every other request, causing them to hit checks constantly (since the sessions were stored separately on each node)

@Null Would using something like an HMAC fix this without having to keep the nodes in sync?

Node: the endpoints running the protection
Issuing node: node that verified the client’s PoW
Verifying node: a different node that the client has “roamed” to (perhaps by using a different network route)

Token: the clearance token that’s sent to the client (as it is now)
(Private) key: arbitrary, secret data shared between all nodes, never sent to the client
(Public) signature: data that’s sent to the client which allows any non-issuing node to verify the token

Setup:
  • All nodes need to have a copy of the same private key in memory

Issuing process:
  • Issuing node generates a clearance token
  • Issuing node generates a signature via hash(key,token)
  • Token and signature are sent to the client to save
  • Since the hash is not reversible, the client is unable to obtain the key from the signature.

Verifying process:
  • Verifying node receives the token and signature from client
  • Verifying node compares the value of hash(key,token) with the signature
  • If the values match, the signature has to have been generated by someone with knowledge of the private key, which ideally only other nodes have.
  • The verifying node can then consider the token as validated without doing the PoW process itself.

Reducing the importance of synchronization latency between nodes prevents the issue where the client is switched to a different node before the information is propagated and is thus kicked back to the PoW page.
A timestamp can be appended to the token to enforce expiry (signature will be invalid if timestamp is modified).
The revocation of tokens after too many requests can be done via simpler means since synchronization/latency issues won't erroneously kick users back to the PoW page.
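
The issuing and verifying steps proposed above, as an added example that is not part of the original post and not KiwiFlare's own code. It assumes HMAC-SHA256 for hash(key,token), a cookie layout of `token.expiry.signature`, and a 24-hour lifetime; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL = 24 * 3600  # assumed lifetime in seconds


def _sign(key: bytes, payload: str) -> str:
    # HMAC rather than a bare hash(key + token): plain SHA-256 over a
    # secret prefix is open to length extension, HMAC is not.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue(key: bytes, now: Optional[int] = None) -> str:
    """Issuing node: call only after the client's PoW has been verified."""
    now = int(time.time()) if now is None else now
    token = secrets.token_hex(16)
    # The expiry is part of the signed payload, so editing it voids the signature.
    payload = f"{token}.{now + TOKEN_TTL}"
    return f"{payload}.{_sign(key, payload)}"


def verify(key: bytes, cookie: str, now: Optional[int] = None) -> bool:
    """Verifying node: needs the shared key only, no session lookup."""
    now = int(time.time()) if now is None else now
    try:
        token, expires, sig = cookie.split(".")
        expiry = int(expires)
    except ValueError:
        return False  # wrong number of fields or non-numeric expiry
    expected = _sign(key, f"{token}.{expires}")
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return now < expiry


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # constructed; same value on every node
    cookie = issue(shared_key)            # set by the node that checked the PoW
    print(verify(shared_key, cookie))     # a different node accepts it
```

Per-token revocation and request counting are not covered here; as the post notes, those still need some shared state.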
 
The significant change to KiwiFlare that took me a week to get rolling is that the different frontends will synchronize sessions. My belief is that the users who had serious issues connecting to the site before will now be able to use it without issue. I think that many cell users were being routed between multiple frontends which would constantly invalidate their authorization. It took a long time to get this working and I'm testing it now.

I haven't noticed ANY issues with white pages lately. Let me know if that changes.
 
The significant change to KiwiFlare that took me a week to get rolling is that the different frontends will synchronize sessions. My belief is that the users who had serious issues connecting to the site before will now be able to use it without issue. I think that many cell users were being routed between multiple frontends which would constantly invalidate their authorization. It took a long time to get this working and I'm testing it now.

I haven't noticed ANY issues with white pages lately. Let me know if that changes.
I was getting white pages pretty badly until last night/this morning. It seems like it's cleared up at least for me.
 
I haven't been seeing kiwiflare on Tor at all, good jerb ya toothless wonder

Edit: I have to say, stepping back, this whole thing has made me realize that what cloudflare does ain't shit at all, if some no-tooth hobo with a laptop and a shell account can replicate it in a few months. What a scummy company existing on the backs of bad code and small pipes. No wonder they do so much to appear "great".
 
I haven't been seeing kiwiflare on Tor at all, good jerb ya toothless wonder

Edit: I have to say, stepping back, this whole thing has made me realize that what cloudflare does ain't shit at all, if some no-tooth hobo with a laptop and a shell account can replicate it in a few months. What a scummy company existing on the backs of bad code and small pipes. No wonder they do so much to appear "great".
ClownFlare is a complete joke and it's amazing they have managed to pretend to be a real DDoS mitigation service when the instant they get an actual DDoS they roll over on their belly and piss themselves like a submissive dog.

People actually pay these retards.
 
Had a few problems where KiwiFlare seemed to be kicking in when fetching resources that don’t get downloaded at page load (e.g. loading half the reaction icons) and leading to the “oops” error dialog.

But after a few refreshes it seems to have settled down. For reference: European on a VPN to another European country.

Thanks for your hard work Josh.
 
But after a few refreshes it seems to have settled down. For reference: European on a VPN to another European country.
I seriously boosted its tolerance to requests before issuing a rechallenge.

I've also turned off traditional 429 limiting so it's 100% KF mitigation now.

I tested the multi-frontend setup and can confirm that Scylla is working and sessions share between nodes. This means that cell users who are getting routed between multiple frontends should not get endless challenge pages anymore.

We'll be adding a 4th frontend soon.
 