
Alternative guide: use CloudFlare and hide the origin address.

Most of AWS's advice (like autoscaling) will help only a bit, but can cost a lot (lots of EC2 machines serving bogus requests).



Best way to defend against an L7 DDoS is to have the origin hidden, and to cache everything at a large number of geographically distributed PoPs.

This helps in 99% of cases, and where it doesn't it is simply because there is a resource that cannot be cached and that the edge must revisit the origin for. This is especially true whenever that resource is expensive for the origin to provide (involves database lookups and cannot be cached: shopping carts, login pages, search results); these are the ones which require you to rethink your application design.

If you're an application developer and wondering how to design your application to withstand a DDoS attack, then instead shift to just thinking: How can I make everything that this application does be cached by an edge server?

When you're not under attack using CloudFlare makes sense and saves you money anyway. At least... it does for me. On one of my web applications I use Amazon S3 for user attachment storage within a forum CMS, and my bill used to be upwards of $200 per month for just one of the sites I run. I changed the application so that it proxies the S3 request/response, and then set a CloudFlare Page Rule to sit in front of that path, and configured it to "Cache Everything". The effect of this was to reduce my AWS S3 bill down to $20 per month. After that I did it for every site.

There's a hell of a lot of benefit to using CloudFlare in conjunction with AWS, and not just when you're facing an L7 DDoS.

Disclosure: I work for CloudFlare (last 9 months) and have been a CloudFlare customer for 3 years and I was offered a job by AWS and also been an AWS customer for 3 years.
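Added example (not the commenter's code) of the proxying step described above: an origin route that fronts S3 objects, refuses requests that did not arrive through the edge, and emits headers a "Cache Everything" rule can cache. The edge IP ranges are documentation placeholders, and fetch_object stands in for a hypothetical S3 GetObject wrapper.

```python
import hashlib
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Placeholder edge egress ranges (documentation prefixes, constructed for this
# example). A real deployment loads the CDN's published list and refreshes it.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

ATTACHMENT_PREFIX = "/attachments/"   # path the "Cache Everything" Page Rule covers
CACHE_TTL = 86400                     # one day: repeats are served by the edge, not S3

# fetch_object(key) -> (content_type, body) or None. In the real application this
# wraps an S3 GetObject call; here it is a hypothetical injected callable.
Fetcher = Callable[[str], Optional[Tuple[str, bytes]]]


def arrived_via_edge(peer_ip: str) -> bool:
    """True only when the TCP peer is one of the edge's egress addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in EDGE_RANGES)


def proxy_attachment(path: str, peer_ip: str, fetch_object: Fetcher) -> Tuple[int, Dict[str, str], bytes]:
    """Serve an S3 object through the origin with headers the edge can cache."""
    # Requests that bypass the edge are refused, so discovering the origin
    # address gains nothing and every cacheable hit stays at the edge.
    if not arrived_via_edge(peer_ip):
        return 403, {"Cache-Control": "no-store"}, b""
    if not path.startswith(ATTACHMENT_PREFIX) or ".." in path:
        return 404, {"Cache-Control": "no-store"}, b""
    key = path[len(ATTACHMENT_PREFIX):]
    if not key:
        return 404, {"Cache-Control": "no-store"}, b""
    obj = fetch_object(key)
    if obj is None:
        # Short negative TTL: a flood of requests for missing keys is absorbed too.
        return 404, {"Cache-Control": "public, max-age=60"}, b""
    content_type, body = obj
    headers = {
        "Content-Type": content_type,
        "Content-Length": str(len(body)),
        "Cache-Control": f"public, max-age={CACHE_TTL}",
        "ETag": '"' + hashlib.sha256(body).hexdigest()[:32] + '"',
    }
    return 200, headers, body
```

The real client address arrives in the edge's CF-Connecting-IP header, which is what the origin should log and rate-limit on rather than the peer address.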


What's the limit at which CloudFlare will start billing you at an "enterprise rate" instead of $20 / month? That bandwidth can't be free forever...


Any company using the massive amount of bandwidth you are thinking of is probably not getting all the features required for their business on the $20/month plan. Hell, you can't even obtain access logs without the enterprise pricing. Your limit won't come from CloudFlare restricting you; a lack of basic necessities from the product will have you crawling to pay whatever enterprise amount they want.



