Brief redirect using BL site....

Making it very difficult to post at all.

Only happens once every ten, fifteen minutes that I can tell.

Perhaps it should be rolled back for the senior staff and moderators? I seriously doubt a staffer would be behind a DDOS attack on BL.
 

I can't blame you for wanting to get out of it, it's pretty annoying. But I think it's somewhat important that the mods be subject to it too. Otherwise they can't really say they understand that it's annoying and that it's a necessary evil that we just have to accept. I dunno, there's just something wrong to me about the idea of admins being exempted.

But, that said. This is a completely academic discussion. I am all but positive you'll find it's not technically possible to exempt you.

EDIT: At this point in my post I had explained that for technical reasons it's very unlikely that it's possible to exempt the admins. Having looked into it further and thought about it more, I'm prepared to say it's not possible. Not the way you suggest anyway. The problem is that this anti-DDoS challenge happens before the forum software is loaded, so it can't check the database for your account's session cookie and exclude you. The only way would be to create a separate, secret domain for Bluelight where the Cloudflare JavaScript challenge isn't active, and provide that URL to trusted persons like admins. So for example, anyone going to bluelight.org is tested, while you and anyone else trusted accesses the site through say, secretbluelighturldonttellanyone.info or whatever.

Which is the other concern I have about the line of thought of omitting it from the mods but not the users. It would be much better to focus on making it less disruptive for everyone than just the mods.


This is happening WAY too often? How can it be bypassed by regular BL'ers? It's happening too frequently by far and it's really starting to piss me off. And it keeps making the browser hang on BL, then on trying to refresh or go back, it comes up with some horse shit about 'the submission cannot be processed because the token has expired'

Making it very difficult to post at all.

Best I can tell, it shouldn't be happening this often. Something is causing the server to rechallenge you when it shouldn't. I'm not sure what the upper time limit is. But I'm sure it's supposed to be longer than you're experiencing. You might have better luck with a different browser.

My bet is that the higher ups have rather limited ability to influence how this works. They can use it, or not use it. But it's a third party system from the hosting service, so their ability to customize it could be quite limited.

EDIT: I've done some brief investigating. It looks like the Cloudflare page shows up, then it runs a JavaScript challenge to see if you're a real browser, then when that's accepted it issues a cookie to whitelist you so you don't see the message again.

That cookie is called cf_clearance and appears to be set to expire after an hour and a half, so a better question might be why it seems like many of us, myself included, are being rechecked so frequently. From what I can tell, it doesn't take much to cause the server to rechallenge you. But there are lots of possible reasons it might be happening so frequently.
 
Interesting. If your phone is usually getting internet from your phone service provider instead of wifi, switching it to wifi "might" help.

The other thing that might help is changing web browsers, or using https://www.bluelight.org instead of http://www.bluelight.org.

These are all guesses though. Based on what I've been able to work out about what's going on.

I suspect in the long run this technology will be dropped. Apart from the side effects it causes, I also wonder how effective it will be. It depends on the nature of Bluelight's difficulties with DDoS attacks. But it wouldn't surprise me if it's determined that the benefits aren't worth the problems.

Time will tell. Until then, I'll mention if I find easy ways to solve the problems for users. For now my best advice for anyone having problems is to try and use the https:// version of the site. Try other browsers, and if possible, avoid mobile internet.

EDIT: I've been doing a bit more research. The page we're seeing and that's causing some disruption represents a feature provided by Cloudflare that is there for the site admins to activate additional protections against DoS attack. Which is good news because it means this is likely temporary. It will probably be turned off when the site isn't under as much strain. It doesn't seem to be a part of the intended function in the long term. Just a temporary measure. Of course that's up to the people in charge, but that's its intended use.
 
I'm on my phone, it works fine on my mobile internet, but I have the issues you guys describe when using my Wi-Fi.
 
This is happening WAY too often? How can it be bypassed by regular BL'ers? It's happening too frequently by far and it's really starting to piss me off.

It's frustrating for everyone, just try to remember Bluelight is free and there are people working on the problem.
 
My Wi-Fi sucks donkey dick though, it's always giving me trouble.
 
This wifi vs mobile thing is a pretty big maybe. My thinking behind it is that, I've determined that if the server detects anything it thinks is unusual or loses track of you in any way it rechallenges you. For example, when I tested it I found that it rechallenged me if the web browser appears to change in any way. Even a single 1 or 0 different and it considers it a different browser and rechecks. I haven't tested it but if it's checking that, it's likely doing the same with your IP address. Mobile internet usually involves sharing a pool of IPs and might have forward proxies making it more likely something could go wrong. Using https will prevent the possible forward proxy issue which is why I suggested that.

But plenty of wifi networks will have problems too depending on the internet provider. It's just something that might be helpful to some people and is probably worth trying.

It's well worth remembering that Bluelight is a free service, because being a free service is likely part of the reason for this situation. Less money means fewer resources which means fewer resources to be depleted in an attack until the service stops working.

This function of the site is literally called "I'm under attack mode". So it was likely turned on because of an ongoing attack. So when that stops it'll likely be turned off again. Which is why I think this is probably just a temporary inconvenience.
 
I haven't been able to post from my phone at all (Wi-Fi connection), either in mobile or desktop mode. My desktop browser works fine.
 
So, I'm (obviously) lobotomized of all my computer/network knowledge, but I have some questions:

Isn't "checking your browser" for five seconds like the last thing you'd want to do in a DDoS attack? Like, people can't sign on, cause the server's overloaded, so let's add a step to slow everything down even more?

What exactly are they checking for when examining your browser? Why does it take so long to do that? Why would a VPN or cookies make a difference, the attackers don't have a cookie if they never connected, can erase them anyway, and cycle their IP address? Who are the likely culprits? Why would they target Bluelight? Why would they do that for days? Why is Bluelight not in my spellcheck? Why is "spellcheck" not in my spellcheck?

If Jess is a biscuit--I've always suspected--is that good or bad in SA? Does that mean she's a cookie? Why would cookies or VPNs make a damn difference on a site with no illegal activity? Does my ISP have this site on some blacklist, and if so, why? It seems more like my ISP has Scrofula logged-in on some blacklist, and if that's the case, FFS why?

Thanks anyone who answers any of these.
 
^ the interstitial page implements a check to ensure you're, as far as we can be aware, a legitimate human visitor and not part of some botnet.

speculating on likely culprits is pointless.

alasdair
 
OK, and if I come from a site with an identifying cookie, I not only skip that page, I get logged in automatically. I guess that fits with everything.

I feel like there's two competing pressures at this site (and a couple others): either total anonymity, or as much as possible; vs. walking around the internet totally naked, as I used to do, figuratively and literally.

Of course, it was the latter what borked my box.
 
Never mind, that's not how it works after all. There is no pattern at all.
 
OK so, first thing to realize is that we aren't talking about old school style DDoS attacks. Or I sure hope we're not because that's not the intended use of this feature.

This feature that's causing the browser check is designed to prevent layer 7 DDoS attacks. Now I'll confess that this is an area where I can't claim to be an expert, it's newer and my knowledge in this subject is a bit out of date. But the primary difference is that these attacks work by taking advantage of how the web and some HTTP servers work. With HTTP and JavaScript and all that. As opposed to older DDoS attacks like simple layer 4 SYN floods or smurf attacks (if you don't know what that is, it's where you're attacked by smurfs being bribed with black market smurfberries. :)) These newer layer 7 attacks involve things like getting your bots by malicious web pages using JavaScript and such (stuff that works at a higher level than older DoS attacks) and using that to amplify the damage compared with the attacker's network resources. Or using bots to make lots of seemingly valid HTTP connections using up resources beyond just network resources (like the server's thread pool).

The idea behind this front page currently active on Bluelight, is before you get to the forum and everything related to it, you're taken to a page which gives your browser a JavaScript math challenge to accomplish, ideally ensuring it's a legit connection with a browser with a JavaScript engine rather than a simpler bot. Your browser has to solve the challenge and send it back to the server, which then issues you a clearance cookie which is supposed to allow you access to the real site for a certain amount of time. I'm not sure what that intended length of time is, but I'm pretty sure it's at least half an hour. So the fact that people are getting this challenge so much more frequently is unintended behavior.

One of the reasons the server might rechallenge you is if it thinks something about the session like the user agent (what the browser claims to be to the server) or IP changes. So changing browsers, trying to avoid forward proxies with https or VPN, and avoiding internet connections where your IP might frequently change (like cellular internet) are all things that "may" help in some cases.

Further details can be found here: https://blog.cloudflare.com/introducing-im-under-attack-mode/amp/

And by googling Cloudflare DDoS protection and "I'm under attack mode" which is the specific technology we're discussing.

As for who's behind it, who knows? Why do people commit random property damage in real life? To feel powerful? Extortion? Some strange political viewpoint. Maybe even some asshole who got banned. Though that last one I'd consider unlikely. Not impossible, but in this kind of situation the perpetrators often aren't current or former members of the community at all. Just destructive assholes doing what they were born to do.
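
A simplified model of the clearance-cookie behaviour described in the post above, added here as an illustration; it is not part of the original post and is not Cloudflare's actual implementation. The key, the cookie layout, the 90-minute lifetime and the binding to IP address and user agent are assumptions based on what the thread observed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # hypothetical edge-side key
CLEARANCE_TTL = 90 * 60            # seconds; ~1.5 h as observed in the thread


def _tag(ip, user_agent, expires):
    msg = f"{ip}|{user_agent}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_clearance(ip, user_agent, now):
    """Issued once the browser has returned the correct challenge answer."""
    expires = int(now) + CLEARANCE_TTL
    return f"{expires}.{_tag(ip, user_agent, expires)}"


def check_clearance(cookie, ip, user_agent, now):
    """Return 'pass', or the reason this request is challenged again."""
    if not cookie:
        return "challenge: no cookie"
    expires_s, _, tag = cookie.partition(".")
    try:
        expires = int(expires_s)
    except ValueError:
        return "challenge: malformed cookie"
    # The tag is recomputed from what the edge sees on THIS request, so no
    # forum database or login state is consulted at any point.
    expected = _tag(ip, user_agent, expires)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "challenge: client changed or cookie forged"
    if now >= expires:
        return "challenge: expired"
    return "pass"


def demo():
    """Replay a constructed session: same client, UA change, IP change, expiry."""
    ua = "Mozilla/5.0 (constructed sample) Browser/1.0"
    t0 = 1_700_000_000
    cookie = issue_clearance("203.0.113.10", ua, t0)
    return [
        check_clearance(cookie, "203.0.113.10", ua, t0 + 600),
        check_clearance(cookie, "203.0.113.10", ua + "1", t0 + 600),
        check_clearance(cookie, "203.0.113.77", ua, t0 + 600),  # carrier IP pool
        check_clearance(cookie, "203.0.113.10", ua, t0 + CLEARANCE_TTL),
    ]
```

In this model a one-character change in the user agent or a new address from a carrier's IP pool invalidates the cookie well before its lifetime runs out, which matches the frequent rechecks reported in the thread.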
 
I'm also having problems with this, any time I try to post it redirects me to a blank page and the post doesn't go through. I had to switch browser to post this.

Surely if Cloudflare is working then DOS'ers can be prevented from creating accounts and therefore bluelighters with over 50 posts could be exempted?
 

I'm gonna just quickly preface this by saying that I'm not anyone in authority at bluelight. And if anyone doesn't wanna believe or has a hard time believing anything I've said for whatever reason you're of course welcome to ask someone in authority.

Now with that said, I'm all but positive you can't be excepted for technical reasons. The DDoSers aren't creating accounts at all most likely. And this feature functions at the hosting level.

Basically it works like this, websites like Bluelight, they're a combination of a hosting provider, in our case Cloudflare, and an off the shelf forum software package, in our case vBulletin.

The problem here is the anti-DDoS feature causing the problem, is on the hosting side. It's customizable to some extent, but it's very unlikely that it can be linked in to the forum software's database to decide how to exempt people.

Basically you would have to program a feature that's entirely external to the forum and that probably can't be programmed by the client at all, to access the forum database, check if your session cookie matches an authenticated user, and exempt entirely.

So first, it's unlikely to be possible, and second, on the very VERY unlikely chance that it actually is possible, it would definitely require someone with web programming experience, and there might not actually be anyone like that in authority to do it.

Sorry, like I said I'm not anyone in authority, but it still kinda is what it is. It probably will be turned off in time. But exempting anyone through their account isn't gonna happen.

Most likely all this is, from the perspective of the person who turned it on, is a button somewhere in the admin section of the hosting account for this site that says "I'm under attack mode", and a few other things that let you customize the branding and perhaps wording of the page. But that's it. I can't imagine they give you any access to control the code that makes it work.

It's a shame really, cause if you put aside all the logistical problems, if you really were both a competent programmer, had access to everything, everywhere. And an overwhelming drive to give people the best possible user experience. Exempting you with your forum session cookie really is probably the ideal solution here.
 
Without pretending like I really understand this whole business, your posts about it sound spot on Jess. Thanks for writing this all out here for people to read so they have a better sense of what’s happening with this annoying business.
 