
It might be a good thing for the Internet to get intrinsic resistance to DDoS attacks

https://lemmy.today/u/tal posted on Mar 6, 2026 07:53

Internet Protocol is the protocol underlying all Internet communications, what lets a packet of information get from one computer on the Internet to another.

Since the beginning of the Internet, Internet Protocol has permitted Computer A to send a packet of information to Computer B, regardless of whether Computer B wants that packet or not. Once Computer B receives the packet, it can decide to discard it or not.

The problem is that Computer B also only has so much bandwidth available to it, and if someone can acquire control over sufficient computers that can act as Computer A, then they can overwhelm Computer B’s bandwidth by having all of these computers send packets of data to Computer B; this is a distributed denial-of-service (DDoS) attack.

Any software running on a computer — a game, pretty much any sort of malware, whatever — normally has enough permission to send information to Computer B. In general, it hasn’t been terribly hard for people to acquire enough computers to perform such a DDoS attack.

There have been, in the past, various routes to try to mitigate this. If Computer B was on a home network or on a business’s local network, then they could ask their Internet service provider to stop sending traffic from a given address to them. This wasn’t ideal in that even some small Internet service providers could be overwhelmed, and trying to filter out good traffic from bad wasn’t necessarily a trivial task, especially for an ISP that didn’t really specialize in this sort of thing.

As far as I can tell, the current norm in 2026 for dealing with DDoSes is basically “use CloudFlare”.

CloudFlare is a large American Content Delivery Network (CDN) company — that is, it has servers in locations around the world that keep identical copies of data, and when a user of a website requests, say, an image for some website using the CDN, instead of the image being returned from a given single fixed server somewhere in the world, they use several tricks to arrange for that content to be provided from a server they control near the user. This sort of thing has generally helped to keep load on international datalinks low (e.g. a user in Australia doesn’t need to touch the submarine cables out of Australia if an Australian CloudFlare server already has the image on a website that they want to see) and to keep them more-responsive for users.

However, CDNs also have a certain level of privacy implications. Large ones can monitor a lot of Internet traffic, see traffic from a user spanning many websites, as so much traffic is routed through them. The original idea behind the Internet was that it would work by having many small organizations that talked to each other in a distributed fashion, rather than having one large company basically monitor and address traffic issues Internet-wide.

A CDN is also a position to cut off traffic from an abusive user relatively-close to the source. A request is routed to its server (relatively near the flooding machine), and so a CDN can choose to simply not forward it. CloudFlare has decided to specialize in this DDoS resistance service, and has become very popular. My understanding — I have not used CloudFlare myself — is that they also have a very low barrier to start using them, see it as a way to start small websites out and then later be a path-of-least-resistance to later provide commercial services to them.

Now, I have no technical issue with CloudFlare, and as far as I know, they’ve conducted themselves appropriately. They solve a real problem, which is not a trivial problem to solve, not as the Internet is structured in 2026.

But.

If DDoSes are a problem that pretty much everyone has to be concerned about and the answer simply becomes “use CloudFlare”, that’s routing an awful lot of Internet traffic through CloudFlare. That’s handing CloudFlare an awful lot of information about what’s happening on the Internet, and giving it a lot of leverage. Certainly the Internet’s creators did not envision the idea of there basically being an “Internet, Incorporated” that was responsible for dealing with these sort of administrative issues.

We could, theoretically, have an Internet that solves the DDoS problem without use of such centralized companies. It could be that a host on the Internet could have control over who sends it traffic to a much greater degree than it does today, have some mechanism to let Computer B say “I don’t want to get traffic from this Computer A for some period of time”, and have routers block this traffic as far back as possible.

This is not a trivial problem. For one, determining that a DDoS is underway and identifying which machines are problematic is something of a specialized task. Software would have to do that, be capable of doing that.

For another, currently there is little security at the Internet Protocol layer, where this sort of thing would need to happen. A host would need to have a way to identify itself as authoritative, responsible for the IP address in question. One doesn’t want some Computer C to blacklist traffic from Computer A to Computer B.

For another, many routers are relatively limited as computers. They are not equipped to maintain a terribly-large table of Computer A, Computer B pairs to blacklist.

However, if something like this does not happen, then my expectation is that we will continue to gradually drift down the path to having a large company controlling much of the traffic on the Internet, simply because we don’t have another great way to deal with a technical limitation inherent to Internet Protocol.

This has become somewhat-more important recently, because various parties who would like to train AIs have been running badly-written Web spiders to aggressively scrape website content for their training corpus, often trying to hide that they are a single party to avoid being blocked. This has acted in many cases as a de facto distributed denial of service attack on many websites, so we’ve had software like Anubis, whose mascot you may have seen on an increasing number of websites, be deployed, in an attempt to try to identify and block these.

We’ve had some instances on the Threadiverse get overwhelmed and become almost unusable under load in recent months from such aggressive Web spiders trying to scrape content. A number of Threadiverse instances disabled their previously-public access and require users to get accounts to view content as a way of mitigating this. In many cases, blocking traffic at the instance is sufficient, because even though the AI web spiders are aggressive, they aren’t sufficiently so to flood a website’s Internet connection if it simply doesn’t respond to them; something like CloudFlare or Internet Protocol-level support for mitigating DDoS attacks isn’t necessarily required. But it does bring the DDoS issue, something that has always been an issue for the Internet, back to prominent light again in a new way.

It would also solve some other problems. CloudFlare is appropriate for websites, but not all Internet activity is over HTTPS. DoS attacks have happened for a long time — IRC users with disputes (IRC traditionally exposing user IP addresses) would flood each other, for example, and it’d be nice to have a general solution to the problem that isn’t limited to HTTPS.

It could also potentially mitigate DoS attacks more-effectively than do CDNs, since it’d permit pushing a blacklist request further up the network than a CDN datacenter, up to an ISP level.

Thoughts?

https://lemmy.today/post/48806177

12 posts in conversation

https://lemmy.world/u/non_burglar posted on Mar 6, 2026 14:27
In reply to: https://lemmy.today/post/48806177
  1. Akamai is by a huge margin the single biggest CDN in the world, they are the 800lb gorilla. Fastly and Cloudflare aren’t minor players by any means, but their volume is not in the same league.
  2. CDNs and DDOS don’t have much to do with each other. Cloudflare mitigates DDOS by scaling up network capacity and using pretty advanced pattern detection to simply soak up the traffic. Cloudflare is really, really good at scaling.

Now on that last point, there will indeed come a time when simply using the engineering technique of “making things bigger” won’t work if the attacks become sophisticated enough, but at that point networking will have fully become geopolitical tools (more than they are now).

https://lemmy.world/comment/22511977
https://programming.dev/u/clean_anion posted on Mar 6, 2026 19:05
In reply to: https://lemmy.today/post/48806177

A Layer-3 (network-layer) blacklist risks cutting off innocent CGNAT and cloud users. What you’re proposing is similar to mechanisms that already exist (e.g., access control lists at the ISP level work by asking computer B which requests it wants to reject and rejecting those that originate from computer A). However, implementing any large-scale blocking effort beyond the endpoint (i.e. telling an unrelated computer C to blackhole all requests from computer A to computer B) would be too computationally expensive for a use case as wide and as precise as “every computer on the Internet”.

Also, in your post you mentioned, “A host would need to have a way to identify itself as authoritative, responsible for the IP address in question.” This already happens in the form of BGP though it doesn’t provide cryptographic proof of ownership unless additional mechanisms are in use (RPKI/ROA).

https://programming.dev/comment/22569089

Self-Host Weekly (6 March 2026)

https://lemmy.world/u/jogai_san posted on Mar 6, 2026 13:07
https://lemmy.world/post/43919194

https://eviltoast.org/u/pr3d posted on Mar 6, 2026 15:06
In reply to: https://lemmy.world/post/43919194

maintenant looks interesting 🤔

Zero-config auto-discovery for Docker and Kubernetes. Every container is tracked the moment it starts — state changes, health checks, restart loops, log streaming with stdout/stderr demux. Compose projects are auto-grouped. Kubernetes workloads (Deployments, DaemonSets, StatefulSets) are first-class citizens.

config based on labels. sounds good for a moving selfhosting world…

https://eviltoast.org/comment/17893322

Does anyone have any experience with Sync-in for online files?

https://lemmy.today/u/paequ2 posted on Mar 2, 2026 04:48

I still haven’t found a Google Drive replacement. Nextcloud is way too bloated. Seafile is way too complicated to install.

I need multi-user support, so other apps where they just serve a folder from my server don’t really cut it either.

https://lemmy.today/post/48563874

19 posts in conversation

https://lemmy.today/u/paequ2 posted on Mar 5, 2026 22:25
In reply to: https://discuss.tchncs.de/comment/24254701

I don’t want to sync files at all. I want files to only be on the server, accessible via web interface. Like Google Drive.

https://lemmy.today/comment/22690782
https://discuss.tchncs.de/u/Creat posted on Mar 6, 2026 14:49
In reply to: https://lemmy.today/comment/22690782

Maybe look into OwnCloud. That’s the project NextCloud was forked from many years ago. It’s very much still around and had a very different philosophy, a much more minimalistic approach with focus on stability. That’s actually the reason the people behind NextCloud had to fork it, cause all their additional features (bloat) weren’t accepted upstream.

https://discuss.tchncs.de/comment/24351806

How to self-host a Prosody XMPP server on Bazzite with Podman for Movim

https://lemmy.world/u/Tattorack posted on Feb 22, 2026 09:59

Just to start off, know that I have zero experience with this. I’m only looking into doing this because I’m absolutely sick and tired of centralised services (in this case Discord) turning to shit, and want to start a Discord-like/alternative federation between my friends.

Prosody seems to be the easiest to set up, and has all the available capabilities for a server that allows Discord-like functionality (text, group voicecall, streaming). Movim is the client that makes use of all that.

But I don’t have a clue how to set up a Prosody server with Podman. I’ve never done this before. I started by downloading the Prosody image through Podman, then tried running it, which prompted the creation of a container. Kept everything at the defaults and tried running it, but it didn’t work.

What do I do from here?

https://lemmy.world/post/43442795

29 posts in conversation

https://piefed.ca/u/iamthetot posted on Feb 23, 2026 13:58
In reply to: https://slrpnk.net/comment/20882031

I mean, difficulty is relative mate. I just said I couldn’t get Snikket working (after multiple tries, too) but I’ve spun up both matrix servers. So I’d personally say it’s harder.

https://piefed.ca/comment/3617546
https://infosec.pub/u/starkzarn posted on Mar 6, 2026 13:47
In reply to: https://sopuli.xyz/comment/22055492

I’d be interested in seeing that, or at least knowing which ejabberd container you chose and why.

https://infosec.pub/comment/20718955

Self-Host Weekly (27 February 2026)

https://lemmy.world/u/jogai_san posted on Mar 6, 2026 13:03

It even includes the update from cosmos-server now (although there’ve been some bugfixes since 0.21.0) 😀

https://lemmy.world/post/43918931

OPNsense Mini PC Suggestion + Switch + AP? (And running cables)

https://lemmy.blahaj.zone/u/Imaginary_Stand4909 posted on Mar 6, 2026 04:14

Hi, it’s me again. I like to think that my endless questions help fuel community engagement to feel less bad :sweat_smile:

So like the title says, I’m interested in running an OPNsense router for my home network so I can do better firewall filtering for both security and privacy (ad-blocking, phoning home, etc.) purposes. I found this video by Dave’s Garage that talks about running OPNsense in Transparent Filtering Bridge mode. I also researched that it’s better to use a switch and APs for any wireless traffic rather than having the router/firewall combo do it, so any hardware suggestions there? Here’s info about my network:

  • 500 Mbps download and 50 Mbps upload speeds (stick with 1 Gbps ports right?)
  • My Proxmox homelab is wired connection only, so I need to use one of the switch ports for it
  • We do have a door camera (I pray it’s not Ring…), so I should set up VLANs right?
    • VLAN ideas: Guests, Family/Home, IoT, Homelab specifically? (any others suggestion VLANs/segmentation???)
    • Maybe I’ll do selfhosted IoT devices in the future because of this? The homelab must grow
  • My mom watches a lot of YT on our FireTV, so any guides on what IPs to block for that?

So what Mini PC should I stick with (just 2 ports for WAN & LAN is fine right)? Do I need to avoid any specific brand NICs (do Mediatek cards suck)? What 4-port switch would be good? What wireless AP is recommended? Furthermore, how do you go about running cables in your home? The coax plate that my modem is connected to is literally in the corner of my house. The Wifi is bad in some spots because of this, so we’ve thought about extenders. But if I do my homelab and have a wireless AP, I can just run an Ethernet cable from the switch to a properly placed AP (I guess I’d need PoE then…) right? My mom is afraid of tripping on wires and while I say to just run them along the baseboard, she’s doubting me.

https://lemmy.blahaj.zone/post/39494810

7 posts in conversation

https://sh.itjust.works/u/jubilationtcornpone posted on Mar 6, 2026 12:31
In reply to: https://lemmy.zip/comment/25071884

Second Protectli. They are solid little x86 boxes with no moving parts.

https://sh.itjust.works/comment/24137605
https://lemmy.world/u/grue posted on Mar 6, 2026 12:43
In reply to: https://lemmy.blahaj.zone/post/39494810

Furthermore, how do you go about running cables in your home?

You watch some Youtube videos about how to do it and then you follow the instructions.

It’s going to depend a lot on the construction details of your house:

  • Do you have wooden framing (common in the US), masonry (common in Europe, as I understand it), or something else?
  • Do you have access to an attic or basement/crawlspace?
  • Do you need to run wires on exterior walls (which means dealing with insulation), or just interior ones?

For me (wooden frame construction, accessible attic and basement), I didn’t find it to be too difficult. Is it work? Yeah, of course. But it’s not that bad, and I recommend spending the effort because having proper wall plates with in-wall wires is way nicer than having stuff snaking along surfaces.

https://lemmy.world/comment/22510521

Some questions about how to structure my self-hosting

https://lemmy.world/u/versionc posted on Mar 5, 2026 21:11

Hello!

I’ve been playing around with self-hosting for a while now and I’ve started moving over to a VPS. At home I have a PC that’s on more or less 24/7 with an *arr stack, jellyfin and some other services. They can only be accessed through Netbird. The services aren’t that important, the data doesn’t really need to be backed up since it’s not very important. On the VPS, however, I would like to host some more critical services, such as:

  • Vaultwarden
  • Immich
  • Gitea
  • Overleaf

I want them available 24/7, even if I decide to distrohop and wipe my PC at home. The problem is how to structure all this. My current idea is to run Gitea and Overleaf out in the open behind some reverse proxy without authentication (Nginx or Nginx Proxy Manager). I’d like Vaultwarden and Immich to be on the same VPS, but, I don’t want those services to be accessible to anyone but me, so I’d need some form of ACL or authentication system. I’m thinking of using Netbird for this, since I already use it on all of my devices.

So I would set up DNS records from within Netbird that would point immich.domain.tld and vaultwarden.domain.tld to the internal Netbird IP of the VPS. In the reverse proxy, I’d set up access control such that it only redirects the Netbird IP range to those services. On Cloudflare, I’d point git.domain.tld to the external IP of the VPS with proxy enabled.

Everything would receive HTTPS certificates, and I’d block incoming traffic on every port except for 80 and 443.

Is this a good setup? Any tips or recommendations? Any pitfalls?

Thanks!

https://lemmy.world/post/43896259
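One way to express the split described in the post above as plain nginx configuration (an added example, not the poster’s own config or Nginx Proxy Manager output): the public git host, the two Netbird-only hosts bound to the VPS’s Netbird address and restricted by source range, and a catch-all that drops requests for unknown hostnames so the private vhosts cannot be reached by probing the public IP. The Netbird range 100.64.0.0/10, the VPS Netbird address 100.64.0.2, the certificate paths and the backend ports are all assumptions.

```nginx
# Catch-all: a request whose SNI/Host matches no server_name below gets the
# connection closed without a response, instead of being routed to some
# arbitrary vhost.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;     # placeholder path
    return 444;
}

# Public service, reachable from the Internet (and via the Cloudflare proxy).
server {
    listen 443 ssl;
    server_name git.domain.tld;
    ssl_certificate     /etc/letsencrypt/live/git.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.domain.tld/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:3000;          # assumed Gitea port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Private services: listen only on the VPS's Netbird address (assumed
# 100.64.0.2) AND require the client to come from the Netbird range
# (assumed 100.64.0.0/10). nginx still binds *:443 for the blocks above and
# dispatches by destination address, so no extra `bind` parameter is needed.
server {
    listen 100.64.0.2:443 ssl;
    server_name vaultwarden.domain.tld;
    ssl_certificate     /etc/letsencrypt/live/vaultwarden.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vaultwarden.domain.tld/privkey.pem;
    allow 100.64.0.0/10;   # Netbird peers only
    deny  all;             # everything else gets 403, belt and braces
    location / {
        proxy_pass http://127.0.0.1:8080;          # assumed Vaultwarden port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 100.64.0.2:443 ssl;
    server_name immich.domain.tld;
    ssl_certificate     /etc/letsencrypt/live/immich.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/immich.domain.tld/privkey.pem;
    allow 100.64.0.0/10;
    deny  all;
    client_max_body_size 0;                        # photo/video uploads
    location / {
        proxy_pass http://127.0.0.1:2283;          # assumed Immich port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because vaultwarden.domain.tld and immich.domain.tld only resolve inside Netbird, Let’s Encrypt HTTP-01 validation cannot reach them; issue those certificates with DNS-01 validation instead. Check with `nginx -t` and, from a host outside the mesh, confirm that `curl -k --resolve vaultwarden.domain.tld:443:<public VPS IP> https://vaultwarden.domain.tld/` gets no response rather than a login page.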

10 posts in conversation

https://hachyderm.io/ap/users/116086634770159259 posted on Mar 8, 2026 14:47
In reply to: https://lemmy.world/post/43896259

@versionc
Nice setup, pretty close to what I run. Few thoughts:

Reverse proxy + auth: I'd look at Traefik over Nginx Proxy Manager - it plays really well with Docker (auto-discovers containers, handles Let's Encrypt certs). For the auth layer on Vaultwarden/Immich, consider Authentik instead of tying it to Netbird. Gives you SSO across everything and you're not locked into one VPN mesh for access control. I run Authentik in front of most of my services and it's been solid (minus the time I accidentally deleted its secrets and locked myself out of everything - back up your auth server config).

Netbird approach: Using Netbird IP ranges for access control on the reverse proxy can work, but it's a bit fragile. You're coupling your network topology to your auth policy. If Netbird changes IPs or you add a device, you're editing nginx configs. A proper auth proxy in front gives you more flexibility.

Gitea / Forgejo: I'd also recommend checking out Forgejo if you haven't - it's a community fork of Gitea that's been moving faster and stays fully open. I ran Gitea for years before switching. Either way, I'd push back on running it without auth entirely. Even for public repos, you want auth on the admin/write side. Forgejo (and Gitea) support public repos with anonymous read access - you don't need to skip auth, just configure repo visibility. The built-in controls are solid enough.

General structure: Your instinct to keep critical services (Vaultwarden especially) off the public internet is right. Password manager should have the smallest attack surface possible. The VPS-as-entry-point pattern is good. I do the same thing with a cheap VPS running a reverse tunnel so my home IP is never exposed.

One thing to think about: if you wipe your home PC, make sure your VPS services can stand alone. Docker volumes + a backup strategy (even just weekly to cheap cloud storage) will save you when something goes sideways.

https://hachyderm.io/ap/users/116086634770159259/statuses/116194100940989391
https://mastodon.furrow.me/ap/users/115923467670715698 posted on Mar 9, 2026 03:18
In reply to: https://hachyderm.io/ap/users/116086634770159259/statuses/116194100940989391

@deepjoy @versionc name dropping Traefik AND Authentik in one comment? Ok, you’re talking my language. Followed.

https://mastodon.furrow.me/ap/users/115923467670715698/statuses/116197052206325316

Conversation

https://lemmy.ml/u/Lysergid posted on Mar 6, 2026 09:46
In reply to: https://lemmy.today/comment/22698896

My networking knowledge is not good, so maybe it’s nonsense indeed. I just thought if everyone in the network knows what is blocked then DDoS protection could be distributed, because every “reputable” switch/router in the network can block the connection as early as possible without hopping close to the destination and creating unnecessary traffic.

https://lemmy.ml/comment/24365662

Conversation

https://discuss.tchncs.de/u/cmnybo posted on Mar 6, 2026 07:23
In reply to: https://mastodon.sdf.org/users/dlakelan/statuses/116180347641928166

OPNsense doesn’t officially support ARM. You need an x86 PC for it unless you want to mess with an experimental build.

OpenWRT does support the Raspberry Pi though. You will want the Pi 5 for that since it has PCIe to connect an ethernet card to.

https://discuss.tchncs.de/comment/24346383

Self-hostable multiplayer Parchis game 🎲

https://lemmy.zip/u/baner posted on Mar 6, 2026 02:53

Hey everyone 👋. I just wanted to share a little personal project that grew a bit more than I initially planned.

The original idea was simply to build a game so I could play Parchis (Ludo) with my family, as it’s a classic in our household. I ended up building the whole thing entirely through “vibecoding” (AI-assisted coding) because I wanted to see how far I could push current AI tools.

The result is a full web multiplayer game (React/Vite frontend + Node/Express/Socket.io backend with SQLite to store game data).

If anyone is curious or wants to spin it up on their local network to play with friends/family: 🔗 Repo: https://codeberg.org/baner/parchis (it has a docker-compose.yml ready to go in seconds).

⚠️ A big warning about security: As I mentioned, I completely built this relying on AI, and it was initially meant as a home project. *I am not a cybersecurity expert by any means.* While I have briefly exposed it to the internet a couple of times to play with remote relatives, my absolute recommendation is to host it ONLY on your local network (LAN) or behind a VPN (like Tailscale/Wireguard). The nature of AI-generated code means it’s probably full of vulnerabilities that I haven’t caught. Play at your own risk if you decide to open ports to the wild web! 😅

This is also my first project using a monorepo structure and publishing a Docker image for others to deploy. If you take a look and see something horrible (or something that works surprisingly well haha), all feedback is super welcome. I hope someone finds it fun for a local game night!


https://lemmy.zip/post/60250839

https://sopuli.xyz/u/sbeak posted on Mar 6, 2026 05:57
In reply to: https://lemmy.zip/post/60250839

This project seems pretty neat! I appreciate that you are upfront that it is AI-assisted (some projects don’t do that and get grilled for it), I might check it out!

https://sopuli.xyz/comment/22267555
https://lemmy.zip/u/baner posted on Mar 6, 2026 06:34
In reply to: https://sopuli.xyz/comment/22267555

Thanks, I have tried to follow best security practices on this like using JWT for authentication, sanitizing all inputs for SQL injections, password hashing, etc. Still better to be cautious; the project still needs some fixes, but not ones affecting the overall gameplay. Right now I am working on documentation. It can be played as a guest, but creating an account allows the game to track stats about wins, losses, captures, XP and a lot more. It is mobile friendly; there is an Android app, but it is not part of the repository at this time. Make sure to share back your experience if you check it out.

https://lemmy.zip/comment/25068943