Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Are there any effective measures against DDoS attacks?
3 points by laumars on March 4, 2013 | hide | past | favorite | 4 comments
The company who I work for has taken on a lot of new business lately and while, thankfully, we've never been a target of any attacks before now, I'm a little concerned that we might not escape indefinitely. As a large portion of our business is online and due to our business becoming more and more high profile in recent years, I'd like to have some kind of disaster recover plan in place for DDoS attacks (even if the IT director and/or CEO dismisses any contingencies I recommend, I wouldn't be doing me job right if I didn't at least investigate this potential).

So I'm basically just looking for some advice in any hardware recommendations and ways to react when such an attack is under way.



You could try Cloudflare?

http://avgjoegeek.net/cloudflare-review/

http://www.forbes.com/sites/eliseackerman/2012/02/29/how-clo...

(I'm not affiliated in any way with these guys, and I'm aware they just had an outage while updating the server code to defend against a DDOS attack, but they seem good! )


For an analogy, the best way to stop a big flood is with a dam, and services like Cloudflare provide an upstream (i.e. DNS) dam mitigating DDOS.

Without such an upstream service and short of building an extensive infrastructure yourself, you basically have to batten down the hatches and have a server (plus preceding switches etc.) that can handle a large amount of traffic.

I think there are other services, but Cloudflare is the most prominent and is used by sites like 4Chan to avert DDOS.


This is what I used to believe as well. But I'm reading more and more about how ISPs are filtering out such attacks and how some dedicated networking gear (eg Pravail APS) can stop at least some types of DDoS attacks from saturating your web farm.

It's that side of things that I'm mostly unclear about. Are solutions like Pravail APS basically snake oil?


I'd probably try an epoll based reverse proxy like nginx sitting in front of my application, which I'd then aggressively test. I'd download large ion cannon or whatever the kiddies are using these days.

There's probably something you can do at the DNS level.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: