OpenResty (Nginx + LuaJIT) can help you limit the damage of unsophisticated DDoS... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

tothrowaway on May 2, 2022 | parent | context | favorite | on: I won free load testing

OpenResty (Nginx + LuaJIT) can help you limit the damage of unsophisticated DDoS attacks like these. I keep a count of the requests-per-second I'm getting in each nginx worker. I also set a special cookie for every response from the upstream (it could literally be foo=bar). When the RPS goes approve a certain threshold, if the special cookie is not present, I serve a static HTML page (bypassing the upstream) that sets the cookie and reloads the page (Nginx can do 20K+ RPS without breaking a sweat). In my experience, these fly by DDoS attacks never use cookies, so legitimate users can get through, but the bots are blocked.

Of course, if you get hit with something slightly more targeted, this defense is worthless.

krono on May 2, 2022 [–]

Either it's the cost/benefit ratio that been keeping them from handling this, or it simply hadn't crossed their minds until now in which case you might soon need to come up with a new mitigation strategy ;)

pythux on May 2, 2022 | [–]

Definitely a matter of cost/benefit ratio. DDOS using headless browsers are pretty common.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact