Ask HN: Are there any effective measures against DDoS attacks? - laumars

The company who I work for has taken on a lot of new business lately and while, thankfully, we've never been a target of any attacks before now, I'm a little concerned that we might not escape indefinitely. As a large portion of our business is online and due to our business becoming more and more high profile in recent years, I'd like to have some kind of disaster recovery plan in place for DDoS attacks (even if the IT director and/or CEO dismisses any contingencies I recommend, I wouldn't be doing my job right if I didn't at least investigate this potential).

So I'm basically just looking for some advice on any hardware recommendations and ways to react when such an attack is under way.
======
anonymouse123
You could try Cloudflare?

<http://avgjoegeek.net/cloudflare-review/>

[http://www.forbes.com/sites/eliseackerman/2012/02/29/how-clo...](http://www.forbes.com/sites/eliseackerman/2012/02/29/how-cloudflares-free-ddos-protection-service-is-disrupting-the-multibillion-dollar-computer-security-and-content-delivery-markets/)

(I'm not affiliated in any way with these guys, and I'm aware they just had an
outage while updating the server code to defend against a DDOS attack, but
they seem good! )

------
philip1209
For an analogy, the best way to stop a big flood is with a dam, and services
like Cloudflare provide an upstream (i.e. DNS) dam mitigating DDOS.

Without such an upstream service and short of building an extensive
infrastructure yourself, you basically have to batten down the hatches and
have a server (plus preceding switches etc.) that can handle a large amount of
traffic.

I think there are other services, but Cloudflare is the most prominent and is
used by sites like 4Chan to avert DDOS.

~~~
laumars
This is what I used to believe as well. But I'm reading more and more about
how ISPs are filtering out such attacks and how some dedicated networking gear
(e.g. Pravail APS) can stop at least some types of DDoS attacks from saturating
your web farm.

It's that side of things that I'm mostly unclear about. Are solutions like
Pravail APS basically snake oil?

------
keefe
I'd probably try an epoll based reverse proxy like nginx sitting in front of
my application, which I'd then aggressively test. I'd download large ion
cannon or whatever the kiddies are using these days.

There's probably something you can do at the DNS level.
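One way to set up the nginx front end keefe suggests, as an added example (not configuration posted by anyone in this thread): an epoll-based reverse proxy with per-client request and connection limits and short timeouts, so abusive traffic is shed before it reaches the application. The upstream address, zone names and every numeric limit are assumptions to tune against your real traffic.

```nginx
# Added example: nginx as a rate-limiting reverse proxy in front of an app.
# Upstream address, zone names and numeric limits are assumptions; measure
# normal peak traffic before relying on these values.
worker_processes auto;

events {
    worker_connections 4096;
    use epoll;               # event-driven I/O on Linux
}

http {
    # Per-client-IP buckets: 10 req/s sustained, at most 20 open connections.
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_req_status    429;
    limit_conn_status   429;
    limit_req_log_level warn;   # rejected clients are visible in error.log

    # Cut off slow or oversized clients quickly so they cannot pin workers.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    client_max_body_size  1m;

    upstream app_backend {
        server 127.0.0.1:8080;   # assumed application address
        keepalive 32;            # reuse backend connections
    }

    server {
        listen 80;

        location / {
            # Allow short bursts of 20 without delay; beyond that return 429.
            limit_req  zone=req_per_ip burst=20 nodelay;
            limit_conn conn_per_ip 20;

            proxy_pass http://app_backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 2s;
            proxy_read_timeout    10s;
        }
    }
}
```

If a CDN such as Cloudflare is later placed in front, as other replies suggest, key the zones on the real client address (ngx_http_realip_module) rather than the CDN edge IPs, or all CDN traffic shares one bucket. This only protects the application tier; it does nothing once the upstream link itself is saturated.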