
dele_ted wrote

Alright, that's an internal API, and only exists because the developers are lazy. However, it's not behind Cloudflare - you're saying we could increase the costs of having their website online by generating more traffic to Cloudflare, by using a part of their site that isn't even behind Cloudflare? Yeah, this is a hole in their security, because you can connect directly to the server, which potentially enables a denial of service attack if you had enough bandwidth at your disposal (which you don't), but loading a video every now and then still won't do anything. Am I missing something, or are you thoroughly confused?

1

imminent wrote (edited)

However, it's not behind Cloudflare

Their API is behind Cloudflare; you look at the response headers when you access https://hooktube.com/api?mode=video&id=fQk7KtBXWyQ and you see Server:"cloudflare" as well as other Cloudflare stuff. Please don't ever EVER ever talk about stuff you don't understand while claiming that others are confused. You got it wrong twice now FWIW.

Which also means that a single person can't take it down since Cloudflare can rate limit requests, and his server too. So it must be distributed.

1

dele_ted wrote (edited)

Which also means that a single person can't take it down since Cloudflare can rate limit requests, and his server too. So it must be distributed.

Just checked again, admittedly you're right about the API being behind Cloudflare. However, the IP to the original server, the one hiding behind Cloudflare, is being leaked. If you want to, you could target your attack there instead, and actually start to make a difference.

The IP is 199.188.200.9.

e: I still think you're confused. Just casually loading up videos through Cloudflare will never accomplish anything. Cherry on top, they're using a free Cloudflare account! Proven by their SSL certificate.

1

imminent wrote

Just checked again, admittedly you're right about the API being behind Cloudflare. However, the IP to the original server, the one hiding behind Cloudflare, is being leaked. If you want to, you could target your attack there instead, and actually start to make a difference.

But he's blocking direct access to everything except Cloudflare. So in practice that means 199.188.200.9 is blocked for you.

e: I still think you're confused.

e: Videos aren't loaded through Cloudflare (it would've been too costly!), but directly from *.googlevideo.com

e: Another reason to force them to upgrade to a Pro account and increase their cost.

0

dele_ted wrote

So in practice that means 199.188.200.9 is blocked for you.

It throws a 403 error, but I wouldn't say it's blocked before having scanned for open ports.

Another reason to force them to upgrade to a Pro account and increase their cost.

The free plan allows, quoting from Cloudflare's own website, "Unmetered Mitigation of DDoS".

Cloudflare is free for them. It will not become less free just because you make everyone here on Raddle visit it.

1

imminent wrote

It throws a 403 error, but I wouldn't say it's blocked before having scanned for open ports.

I'm pretty sure it's intentional and you won't find any open ports.

The free plan allows, quoting from Cloudflare's own website, "Unmetered Mitigation of DDoS"

But it's not absolute; as an example, mixtape.moe had their Cloudflare account terminated because it used up too much. But in this case it will be impossible to have him in such a situation, so I retract what I said.

1