Comment by jzebedee
1 year ago
The most bizarre thing is that this is a known issue that folks have asked them for ways to mitigate, to no avail. The reddit thread even links to an extremely weird dialogue where Netlify's response boils down to, "if you're hosting a small site that gets DDoS'd, don't."
https://answers.netlify.com/t/limit-bandwidth-to-avoid-high-...
https://www.netlify.com/security/ sez “Active DDoS mitigation — Netlify monitors for traffic pattern anomalies and spikes, and effectively controls for them as needed” and now I'm curious about what that actually means.
It means they protect themselves from layer 3 and 4 DDoS. For layer 7 you're mostly on your own. That's what most companies mean when they talk about DDoS anyway.
Right and as a CDN they HAVE to handle layer 3 & 4 DDoS themselves so it's not like they're doing you any favours. The traffic is typically routed to the customer based on SNI.
I found https://www.netlify.com/blog/2017/03/28/why-you-dont-need-cl... and it sounds like you're right.
“The cool thing is that we also provide a load balancer, and if our system has detected that our main load balancer is currently being hit by a large DDoS attack and is slow or unresponsive, we’ll simply route around that on the DNS level. Since we cache content at our edge nodes around the world, end users also experience extremely fast page load times because of this.”
It means that they will charge you 20k (a year's rent for me, no biggie) instead of 100k for your free website, or 5k if you got lucky.
If you value uptime, even through being massively attacked, they can offer you that.
They reroute the network traffic to ensure none of it gets dropped so they can accurately overcharge you for the correct amount.
I'm hesitant to use "fancy" cloud service/hosting providers for reasons like this.
I don't understand why they won't just raise a 503 if the traffic exceeds the spend limit, or at the very least provide that as an option.
Playing "devil's" advocate: tracking spend in real time is not trivial. It adds complexity to the stack. Bugs in the feature can cause sites to go down (for a long time) for no reason. Larger online businesses would likely rather sort out the problems later than risk shutting down in the middle of unexpected success.
(But I also would like to see this feature)
Vercel will happily tell you how much you are spending in pretty much realtime as it sails past your budget
Not really. AWS has budget alerts right? And I can read those budget alerts through their API.
So it would be trivial for me to poll their budget API for an alert, and immediately trigger a shutdown of my Cloudfront service. Why can't they do that for me?
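The poll-the-budget-and-pull-the-plug loop described in the comment above, as an added example that is not part of the thread and not Netlify's or AWS's code. It assumes a budget named `static-site-monthly` already exists in the account and that `DIST_ID` is the CloudFront distribution serving the site; both are placeholders. The real clients are only touched with `--live`; by default it runs against a constructed stand-in so the decision logic can be checked offline. One caveat a practitioner should weigh before trusting this as a kill switch: AWS Budgets data is not real-time (it is refreshed a few times a day), so the hole between a traffic spike and this script noticing it can still be expensive, and disabling a distribution itself takes minutes to propagate.

```python
"""
Budget kill switch sketch: poll AWS Budgets and disable a CloudFront
distribution once actual spend reaches the budget limit.

Added example, not Netlify's or AWS's own code. BUDGET_NAME and DIST_ID
are assumed placeholders.
"""
from decimal import Decimal

BUDGET_NAME = "static-site-monthly"   # assumed budget name (placeholder)
DIST_ID = "EXXXXXXXXXXXXX"            # assumed CloudFront distribution id (placeholder)


def budget_exceeded(budget, ratio=1.0):
    """True when ActualSpend >= ratio * BudgetLimit.

    `budget` is one element of budgets.describe_budgets()["Budgets"].
    Amounts are strings in the API, so compare as Decimal, not float.
    A budget with no spend data yet counts as zero spend.
    """
    limit = Decimal(budget["BudgetLimit"]["Amount"])
    spend = Decimal(budget.get("CalculatedSpend", {})
                          .get("ActualSpend", {})
                          .get("Amount", "0"))
    if limit <= 0:
        return False                  # no meaningful limit set
    return spend >= limit * Decimal(str(ratio))


def find_budget(budgets, name):
    """Pick the named budget out of describe_budgets()["Budgets"], or None."""
    for b in budgets:
        if b.get("BudgetName") == name:
            return b
    return None


def disable_distribution(cloudfront, dist_id):
    """Flip Enabled=False on a distribution. Returns True if a change was sent.

    CloudFront requires the full DistributionConfig plus the ETag from the
    read (IfMatch) so a concurrent edit fails instead of being clobbered.
    """
    resp = cloudfront.get_distribution_config(Id=dist_id)
    cfg = dict(resp["DistributionConfig"])
    if not cfg.get("Enabled", True):
        return False                  # already off; don't churn the config
    cfg["Enabled"] = False
    cloudfront.update_distribution(Id=dist_id, IfMatch=resp["ETag"],
                                   DistributionConfig=cfg)
    return True


def check_and_cut(budgets_client, cloudfront_client, account_id,
                  budget_name=BUDGET_NAME, dist_id=DIST_ID, ratio=1.0):
    """One polling iteration. Returns (exceeded, disabled_now)."""
    page = budgets_client.describe_budgets(AccountId=account_id)
    budget = find_budget(page.get("Budgets", []), budget_name)
    if budget is None or not budget_exceeded(budget, ratio):
        return (False, False)
    return (True, disable_distribution(cloudfront_client, dist_id))


# --- constructed sample data so the logic runs offline --------------------
SAMPLE_BUDGETS = [
    {"BudgetName": "static-site-monthly",
     "BudgetLimit": {"Amount": "20.00", "Unit": "USD"},
     "CalculatedSpend": {"ActualSpend": {"Amount": "23.17", "Unit": "USD"}}},
    {"BudgetName": "other",
     "BudgetLimit": {"Amount": "100.00", "Unit": "USD"},
     "CalculatedSpend": {"ActualSpend": {"Amount": "4.50", "Unit": "USD"}}},
]


class FakeAws:
    """Stand-in for the boto3 budgets and cloudfront clients (constructed)."""
    def __init__(self, budgets, enabled=True):
        self.budgets = budgets
        self.config = {"Enabled": enabled, "Comment": "site"}
        self.updates = []

    def describe_budgets(self, AccountId):
        return {"Budgets": self.budgets}

    def get_distribution_config(self, Id):
        return {"DistributionConfig": dict(self.config), "ETag": "E1ETAGSAMPLE"}

    def update_distribution(self, Id, IfMatch, DistributionConfig):
        self.updates.append((Id, IfMatch, DistributionConfig))
        self.config = dict(DistributionConfig)


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:          # real run: needs boto3 and credentials
        import boto3
        acct = boto3.client("sts").get_caller_identity()["Account"]
        print(check_and_cut(boto3.client("budgets"),
                            boto3.client("cloudfront"), acct))
    else:
        fake = FakeAws(SAMPLE_BUDGETS)
        print(check_and_cut(fake, fake, "123456789012"))   # (True, True)
```

Run it on a schedule (cron, a Lambda on a timer) rather than once; the second iteration after a cut returns `(True, False)` because the distribution is already disabled, so the script is safe to rerun. Re-enabling is a deliberate manual step, which is the point of a kill switch.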
What's spend limit?
Autoscaling is a feature!
I guess we need regulation for this.
Yep, for a static site you can throw nginx on some VPS for $10 a year and it'll handle a decent amount of traffic.
in other words, "if you're thinking of using netlify, don't".
True. I have a 9€/mo VPS at Contabo for my blog and once boasted on HN that my small VPS is able to handle reddit/HN hugs, which one user seemed to take personally, and they started a DDoS against my VPS.
I only realized this after Contabo contacted me and said the traffic was so high that other clients' service was also degraded and they would have to take my VPS down if it went on much longer (which was understandable). Gladly the DDoS stopped soon.
But there was never any talk about any cost; they were very supportive.
Even then, a Cloudflare forward proxy capable of real DDoS handling wouldn't cost you $25 per month, some 0.5% of the 95% discounted bill.
But hey - just think about how much you saved on Netlify! Composable!
To some extent, that answer is fair enough, assuming they make this clear up front. If their service is "we'll keep your site up no matter what, for a price" that's a fine service to offer. It's not what the vast majority of people want, of course.
If their advertising is targeted to small businesses and individuals who could never afford this type of service, they could be guilty of false advertising, at least morally guilty. I haven't seen their marketing so I wouldn't want to say.
Their marketing is very much like this. It’s completely misleading. They are definitively not selling “keep it up at all costs, money no object”
This rings so true!
I've dealt with Netlify's support [1], and one of their CS heads was incredibly rude to me and blamed me for the problem they created.
[1] https://news.ycombinator.com/item?id=35610956
“Stop dressing so sexy if you don’t like the attention” is the vibe I got.
I don't fully understand Netlify, but it seems as though it tries to be a one-stop solution for everything it doesn't have to be - you could put free Cloudflare in front of it and probably mitigate this kind of thing?
https://docs.netlify.com/domains-https/custom-domains/config...