Alright kids, breathe...a DDoS attack isn't the end of the world, it's just the internet throwing a tantrum. If you really don't want to use a fancy protection provider, you can still act like a grown-up: get your datacenter to filter trash at the edge, announce a more specific prefix with BGP so you can shift traffic, drop junk with strict ACLs, and turn on basic rate limiting so bots get bored. You can also tune your kernel so it doesn't faint at SYN storms, and if the firehose gets too big, pop out a more specific BGP prefix from a backup path or secondary router so you can pull production away from the burning IP.
> pop out a more specific BGP prefix from a backup path or secondary router so you can pull production away from the burning IP.
This won't help against carpet bombing.
The only workable solution for enterprises is a combination of on-prem and cloud mitigation. Cloud to get all the big swaths of mitigation and to keep your pipe flowing, and on-prem to mitigate specific attack vectors like state exhaustion.
Very quickly you'll find this doesn't work. Your DC will just null your IP. You'll switch to a new one and the attackers will too, the DC will null that one. You won't win at this game unless you're a very sizeable organization or are just willing to wait the attackers out, they will get bored eventually.
Worrying about a DDoS on your tiny setup is like a brand-new dev stressing over how they'll handle a billion requests per second...cute, but not exactly a real-world problem for 99.99% of you. It's one of those internet boogeyman myths people love to panic about.
Alright kids, breathe...a DDoS attack isn't the end of the world, it's just the internet throwing a tantrum. If you really don't want to use a fancy protection provider, you can still act like a grown-up: get your datacenter to filter trash at the edge, announce a more specific prefix with BGP so you can shift traffic, drop junk with strict ACLs, and turn on basic rate limiting so bots get bored. You can also tune your kernel so it doesn't faint at SYN storms, and if the firehose gets too big, pop out a more specific BGP prefix from a backup path or secondary router so you can pull production away from the burning IP.
> pop out a more specific BGP prefix from a backup path or secondary router so you can pull production away from the burning IP.
This won't help against carpet bombing.
The only workable solution for enterprises is a combination of on-prem and cloud mitigation. Cloud to get all the big swaths of mitigation and to keep your pipe flowing, and on-prem to mitigate specific attack vectors like state exhaustion.
I never claimed to be an enterprise, nor did I suggest this was the best option for them. Cheers!
Very quickly you'll find this doesn't work. Your DC will just null your IP. You'll switch to a new one and the attackers will too, the DC will null that one. You won't win at this game unless you're a very sizeable organization or are just willing to wait the attackers out, they will get bored eventually.
Worrying about a DDoS on your tiny setup is like a brand-new dev stressing over how they'll handle a billion requests per second...cute, but not exactly a real-world problem for 99.99% of you. It's one of those internet boogeyman myths people love to panic about.
You turn off the screen. They can't hurt you if you don't see them
[dead]
You wait for it to stop.
That is not what mitigating means.
he'll politely ask them to stop