• toast0 a day ago

    Most VPS/hosting will only charge for outgoing bandwidth. Returning an HTTP 429 is (likely) pretty small, compared to returning a full response; but if that's too much, you can probably do something to drop the connection, but that's not likely to be super straightforward.

    You'd still be charged for SYN+ACK and whatnot, although some providers charge for payload bytes only. If you're getting a lot of abuse, it'd make sense to drop packets with an IP firewall rather than HTTP config.

    Once you're pretty well protected against 'layer 7' application-based DDoS, expect to get targeted with volumetric DDoS instead. That's just sending you garbage packets until you run out of inbound bandwidth; usually by spoofing UDP requests to the world from your IP. The requirement to handle that on your own is to have more inbound bandwidth than they're targeting you with; that and enough CPU to process their stuff, but "drop all UDP" and "drop all IP fragments" is easy for firewalls. If your IP is targeted for 10Gbps of abuse, and you have a 1G connection, chances are your host will null route your IP to protect its infrastructure; same deal if you attract 100Gbps of abuse on a 10G connection. Top volumetric attacks are around 2 Tbps now, but chances are you won't attract those.
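
The firewall-side advice in the comment above (drop unsolicited UDP and IP fragments at the packet filter, and drop rather than reject abusive sources so no reply bytes are generated) as an added nftables example. This is editor-added illustration, not a ruleset posted by any commenter in the thread. Assumed: a single public web server on ports 80/443, SSH reachable only from a trusted admin address (203.0.113.10 is a documentation-range stand-in for your own), IPv4-only abuser tracking, and that you populate the `abusers` set yourself (from fail2ban, access logs, or wherever you decide an IP is hostile).

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread). Minimal nftables ruleset
# for a lone VPS web server. Assumptions: web on 80/443, SSH on 22 only
# from 203.0.113.10 (stand-in for your admin address), IPv4 abuser set.

flush ruleset

table inet filter {
    # Sources you have decided to drop. Entries age out after 1h unless
    # re-added; this set is also what you would export to a provider-side
    # firewall if they expose an API for it.
    set abusers {
        type ipv4_addr
        flags interval, timeout
        timeout 1h
    }

    # Dynamic per-source meter for new TCP connections to the web ports.
    set syn_ratelimit {
        type ipv4_addr
        flags dynamic
        size 65535
        timeout 1m
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and established flows first: replies to the server's own
        # outbound DNS/NTP queries still arrive even though every
        # *unsolicited* UDP datagram is dropped further down.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Volumetric-attack hygiene from the comment: fragments (v4 and v6)
        # and unsolicited UDP are dropped before any further processing.
        ip frag-off & 0x1fff != 0 drop
        exthdr frag exists drop
        meta l4proto udp drop

        # Known abusers are dropped silently. The weaker alternative below
        # answers each probe with a RST, which is outbound traffic you pay for:
        #   ip saddr @abusers reject with tcp reset
        ip saddr @abusers drop

        # Per-source SYN rate limit on the web ports; excess is dropped,
        # again without generating a reply.
        tcp dport { 80, 443 } ct state new \
            add @syn_ratelimit { ip saddr limit rate over 50/second burst 100 packets } drop
        tcp dport { 80, 443 } accept

        # Management only from the trusted admin address (assumption).
        ip saddr 203.0.113.10 tcp dport 22 accept

        # ICMP needed for path MTU discovery and basic reachability; the
        # v6 neighbour-discovery types are required for IPv6 to work at all.
        icmp type { destination-unreachable, time-exceeded, echo-request } limit rate 10/second accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
}
```

Load it with `nft -f ruleset.nft` and add offenders with `nft add element inet filter abusers { 198.51.100.7 }` (another documentation-range address). Note what this does and does not buy you: dropping at the packet filter removes the cost of an HTTP 429 or a TCP RST, and the UDP/fragment drops keep the kernel from doing conntrack and reassembly work on junk, but the bytes have still crossed your uplink and are still counted by a provider that bills on inbound; once the attack exceeds the link itself only the upstream can help, as the rest of the thread discusses.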

    • runjake a day ago

      You can contact your provider and they can work with their upstream to blackhole the traffic before it reaches your server. If they're a decent provider, they'll have protections in place to mitigate it before you really notice it.

      Based on some of your comments, it sounds like what you're really asking is "Is there anything I can do to mitigate it myself?" and my answer to that is:

      Not really. Once the traffic hits your host, it's hitting your host no matter what, even if you shut off the web server or firewall the port. Traffic is cheap for criminals, so they can essentially send down whatever throughput is needed for the job.

      • JSDevOps a day ago

        Cloudflare don’t run the internet.

        https://blog.torproject.org/trouble-cloudflare/?ref=troyhunt...

        There's a good guide somewhere I read a few months back; I'm trying to find it. In the meantime check over on r/selfhosted

        https://www.reddit.com/r/selfhosted/comments/132g8un/what_da...

        • tiernano a day ago

          Some VPS providers offer DDoS protection. If your server blocks their IP you could add it to the firewall of the provider, assuming they have an API, and block them there too.

          • theanonymousone a day ago

            Thanks. What if there is no such provider-level protection?

            • stop50 a day ago

              They have such protections. As a very last option, an AS can drop all packets coming from the outside. Contacting the support should help.