FRESH

Hacker News

Ask HN: Is it possible to avoid Bandwidth DDoS attacks without Cloudflare?

13 points by theanonymousone

by toast0

0 subcomment

Most VPS/hosting will only charge for outgoing bandwidth. Returning an HTTP 429 is (likely) pretty small, compared to returning a full response; but if that's too much, you can probably do something to drop the connection, but that's not likely to be super straightforward.
You'd still be charged for SYN+ACK and what nots, although some providers charge for payload bytes only. If you're getting a lot of abuse, it'd make sense to drop packets with an IP firewall rather than HTTP config.
Once you're pretty well protected against 'layer 7' application based DDoS, expect to get targetted with volumetric DDoS instead. That's just sending you garbage packets until you run out of inbound bandwidth; usually by spoofing UDP requests to the world from your IP. The requirement to handle that on your own is to have more inbound bandwidth than they're targetting you with; that and enough CPU to process their stuff, but drop all udp and drop all ip fragments is easy for firewalls. If your IP is targetted for 10Gbps of abuse, and you have a 1G connection, chances are your host will null route your IP to protect its infrastructure, same deal if you attract 100Gbps of abuse on a 10G connection. Top volumetric attacks are around 2 Tbps now, but chances are you won't attract those.

by FlyingAvatar

1 subcomments

Having an attacker know the public IP of your box almost guarantees that they can take it down. Even if somehow you were able to ignore all the packets from the attacker, most capable DDoSers will be easily be able to saturate the bandwidth of pretty much a single VPS easily.
And if it's a cheap VPS, your provider is going to drop you in a blink so that their other customers are not affected.
If you want to be able to withstand a DDoS, you need a WAF who can absorb the amount of bandwidth that the attacker is capable of delivering, while also being capable of filtering enough of it that your service is not overwhelmed anyway.
Also, if you have ever hosted your service directly on the public IP of your VPS, you also probably need to change it. If an attacker sees your service is suddenly behind CloudFlare, they can search sites that keep a history of domain's public IPs and will attack all of them to see if they can skirt around your WAF.
Ideally, you need to keep the IPs of your services completely private and then firewall them such that only your WAF provider can forward traffic to them.

by JSDevOps

0 subcomment

Cloudflare don’t run the internet.
https://blog.torproject.org/trouble-cloudflare/?ref=troyhunt...
Theres a good guide somewhere I read a few months back I’m trying to find it. In the mean time check over on r/selfhosted
https://www.reddit.com/r/selfhosted/comments/132g8un/what_da...

by runjake

0 subcomment

You can contact your provider and they can work with their upstream to blackhole the traffic before it reaches your server. If they're a decent provider, they'll have protections in place to mitigate it before you really notice it.
Based on some of your comments, it sounds like you're really asking is "Is there anything I can do to mitigate it myself?" and my answer to that is:
Not really. Once the traffic hits your host, it's hitting your host no matter what, even if you shut off the web server or firewall the port. Traffic is cheap for criminals, so they can essentially send down whatever throughput is needed for the job.

by tiernano

1 subcomments

Some VPS providers offer DDoS protection. If your server blocks their IP you could add it to the firewall of the provider, assuming they have an API, and block them there too.