We tried solving the issue only through software updates, and for a while we did, but the intensity of the attack is growing by the day and the current clearnet VPS is way too weak and cannot handle it. We will upgrade to a much bigger dedicated server and we expect the issues to be solved at least to a certain degree after that.
From what I've read about DDoS attacks, home-made solutions are futile. Theymos gave up years ago. It's very expensive to mitigate, while the attack (using a botnet) is very cheap to run.
The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...
We are well aware of the difficulties that our stance on DDoS brings, but IMO there aren't many alternatives. I'm going to list some of them with their main disadvantages and it'd be great if we could get some feedback:
1. Proprietary DDoS (current form): Expensive to maintain | Big headache to monitor and adjust all the time | Attacks can't be 100% mitigated, it's a constant cat and mouse game | Might have downtime anyway regardless of how much money we're spending on servers | Might lose a lot of users because Clearnet is not available
2. Cloudflare or another 3rd party: All transactions executed through Clearnet are automatically deanonymized | Anonymity Set would not be accurate anymore since deposits executed through Clearnet can't be counted as they are deanonymized, so the entire platform would be more 'at risk'
3. Scrap the Clearnet service altogether and only have an informative page when you enter whirlwind.money that directs you to the Tor version.
We do not want to lose the Clearnet business because it's very lucrative and it mostly contains the user types that interest us the most (someone that just wants some privacy), but achieving this through implementing Cloudflare would feel like selling our soul and lying to everyone for our gain. So as things currently stand and unless someone comes up with a better idea we will get "the big guns" out and continue with option 1, but if after a while our efforts prove to be futile like you say, then we believe the 3rd option is the only right thing to do.
p.s. The above only reinforces our belief that we need to distance ourselves from similar services as much as possible. Not only is their anonymity set only as high as the number of deposits made during ~168 hours around your output transaction, but most of the deposits in that anonymity set cannot be counted anyway as they are logged by Cloudflare. Apologies if it sounds like we're attacking them for no reason, but this is the truth. We are not lying about anything; if we were, then as said before, any other operator is welcome to write in this thread and debunk our statements. It's your choice to use whatever service you think is best for you.