undefined | Better HN

0 pointsglobie10mo ago0 comments

Simple: Connect larger NICs and do "dumb" DDoS filtering at your fattest point.

Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.

"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.

Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!

[0]: I made it up

0 comments

fwipsy10mo ago

> I made it up

I appreciate the honesty, at least

globieOP10mo ago

This conclusion stems from that it is much easier to launch a DDoS from a single server w/ spoofed traffic than to use a botnet. If you have a single 10Gig server, you will likely not be able to take down another 10Gig server unless the target is already doing near 1gbps[0]. I believe most "noise" DDoS which effects random website operators is considerably less than 10Gbps, and pretty much every giant attack uses spoofed traffic which can be blocked upstream without a WAF. So long as your upstream is big enough.

[0]: I made it up, again.

wmf10mo ago

DDoS is distributed denial of service. It isn't coming from one server. It's now trivial to buy 100 Gbps or more of DDoS so sites would need 400G or more to simply eat it.

1 more reply

j / k navigate · click thread line to collapse