Railway 11mo ago
Caillou

Railway TOS

I was using Railway to host my project with their database and suddenly I started to receive notice that my account violated the terms of use, which is very curious since the project has been running for over a year. Could you tell me under which clause the terms were violated?
40 Replies
Percy 11mo ago
Project ID: N/A
Caillou (OP) 11mo ago
N/A
Brody 11mo ago
what were you running? if i may ask
Caillou (OP) 11mo ago
API for software licensing, but I've received an email that the payment has failed. Can it be because of this?
Brody 11mo ago
are you banned?
Caillou (OP) 11mo ago
yep
Caillou (OP) 11mo ago
suddenly
Brody 11mo ago
what kind of apis were you running?
Caillou (OP) 11mo ago
Registration/login API, creation and validation of application keys, a dashboard to manage these keys
Brody 11mo ago
that doesn’t give me enough details to tell you what you did/didn't do wrong, so i will ask someone who can find out. there is #🛂|readme #6 but i feel like you are at least owed an explanation. i have asked someone who is able to find out, either they will update you here, or will let me know and i will update here
matt 11mo ago
@Caillou can you please DM the email address associated with your account? I will see if I can do some research
Caillou (OP) 11mo ago
i've sent
angelo 11mo ago
Gotcha- I am the one who banned ya, we got a lot of rps on that service and it looked suspicious
We can restore and credit your account, that's our bad.
@Caillou - your database and data should be back up
Caillou (OP) 11mo ago
Yep, we have been suffering DDoS attacks for a week, we are already carrying out a process to fix this problem
angelo 11mo ago
oh dear ;-; How did you set up your CNAME?
Caillou (OP) 11mo ago
We are currently using the domains generated by Railway itself, because when we link it to the domain the attacks return.
All custom domain DNS settings are currently disabled
angelo 11mo ago
Yea, that is causing us to get DDoSed, we have mitigations but it loaded our proxy to hell
Cloudflare on your provided domain doesn't work?
Caillou (OP) 11mo ago
It even works, but we received an attack of 7 billion requests in a period of 2 hours, many of which ended up bypassing cloudflare's protections
angelo 11mo ago
Yea- at the free tier they can't do much
who is the threat, do you know?
what are you selling?
Caillou (OP) 11mo ago
We don't know who it is, it started suddenly, we believe that one of our resellers decided to pick a fight with some tough people.
We have a product for protecting .NET projects
With the website down, programs are unable to connect to our license server, meaning that all of our clients' executables that were protected cannot open.
everything is ok now, thank you!
angelo 11mo ago
🥺🤦
And blame me, the idiot who pressed the button
Also- you should really be on the Pro plan
We don’t knock off Pro workloads easily and we have a policy to warn you
Caillou (OP) 11mo ago
We are currently a small company, and in the future we will go to Pro, but at this moment our balance can't handle this price
angelo 11mo ago
@Caillou - we are seeing another DDoS spike, and we may have to take the site down. Are you confirming this?
Caillou (OP) 11mo ago
Apparently we are, I removed the dynamically generated domain, this should stop the attacks
Subdomain is "https://robot-api-production.up.railway.app"
char8 11mo ago
we saw a precursor attack to the one starting with private too - we've had to disable both.
Caillou (OP) 11mo ago
no problem
I apologize for this situation
char8 11mo ago
I know it's not your fault - but we've also got limited options here unfortunately - every time the traffic spikes happen we page someone in. This time our mitigations blunted a majority of it. But not sustainable.
most of the traffic seems to originate from APNIC IPs - so mostly on our asia edge
Caillou (OP) 11mo ago
Can you tell me which URI they were accessing from the URL "https://robot-api-production.up.railway.app/" ?
angelo 11mo ago
Unsure as we can't investigate network traffic this way, can you tell us what you are selling from this service?
Caillou (OP) 11mo ago
.
angelo 11mo ago
Is it DRM?
Caillou (OP) 11mo ago
No, it's just a private project
angelo 11mo ago
What are you protecting? (It's okay if you say cheats, I just need to know what corner of the internet we are pissing off)
Caillou (OP) 11mo ago
yep, you are right
angelo 11mo ago
okay- so I can't have your traffic mess up the experience for the other hobby users
I am going to be direct with you:
Either you:
1) Use a custom domain and properly secure it.
2) Proxy your traffic via private network and tunnel it out to a different hosting provider.
The Hobby plan makes no uptime guarantee and @char8 has been pinged day and night due to your workload. It is not fair to him nor the other users that we are the turf for this beef.
I suggest that you remove the up domains as soon as possible, and migrate this workload off of Railway. I am not going to ban you and ask nicely this once, but if we keep getting this traffic- we will have to count it as a ToS violation.
I am willfully forgetting what you are hosting.
Tagging: @Caillou - viz
Caillou (OP) 11mo ago
No problem, I will move this out and just keep the database to stop this problem, I have already closed all instances, again I apologize for what happened
angelo 11mo ago
No problem. Sorry, but we gotta do what's best for all users on the platform.
Caillou (OP) 11mo ago
I know this has nothing to do with Railway, but I'll insert it here to close this topic and mark as solved.
Cloudflare's managed challenge filter was the real problem: as most of the requests were valid, they ended up automatically passing the captcha. Custom rules were used in the Firewall to use interactive challenges on all public pages of the application; this resulted in only 0.02% of requests reaching nginx (with the managed challenge they were +30%). The final configuration was to define a narrower rate limit, allowing only 2 requests in a period of 10 seconds. With these changes resource usage went from 100% to 2% (running 3 servers behind the proxy).
I thank the team for their attempts to help, when I do non-controversial projects I will definitely choose Railway. 🫡
Brody 11mo ago
Angelo isn't here so I'll thank you for your understanding and the update you have provided