HTTP/2 "Rapid Reset" DDoS Attack Disclosed By Google, Cloudflare & AWS


  • #21
    Originally posted by F.Ultra

    Well the issue is that both create exactly what the goal is, to not make you able to serve content to actual users and only to the bots. There really is no way to win here unless you have Google amount of bandwidth and machines.
    Not really. A proper response to a DDoS attack is to filter the malicious traffic and let everything else in. Not easy to do, but it happens.



    • #22
      Originally posted by bug77

      Not really. A proper response to a DDoS attack is to filter the malicious traffic and let everything else in. Not easy to do, but it happens.
      Which is often impossible to do. If you do it before your rate limit then that process can be DDoS:ed by the high request rate, and if you do it after the rate limit then you have already rate limited so then you have a high chance that every single connection that survived the rate limit is only the DDoS traffic (since they connect more aggressively they have a much higher chance of surviving a rate limit).



      • #23
        Originally posted by curfew
        Rate-limiting the bot's connection will only improve bandwidth for real users.
        Then you have to correctly determine that it is bots and not real users; in a proper DDoS all connections look like real users. Plus you now have to have something that does this determination and filtering with a capacity that is greater than the DDoS. I have never seen anyone standing up serving real customers during a DDoS unless they have been backed by Google type of BW and resources.



        • #24
          Originally posted by F.Ultra

          Which is often impossible to do. If you do it before your rate limit then that process can be DDoS:ed by the high request rate, and if you do it after the rate limit then you have already rate limited so then you have a high chance that every single connection that survived the rate limit is only the DDoS traffic (since they connect more aggressively they have a much higher chance of surviving a rate limit).
          Then how come we have all these DDoS attacks with barely an impact on traffic?
          It's hard at first, because you don't know what's malicious and what's legit, but once you figure that out, it's pretty much smooth sailing.



          • #25
            Originally posted by bug77

            Then how come we have all these DDoS attacks with barely an impact on traffic?
            It's hard at first, because you don't know what's malicious and what's legit, but once you figure that out, it's pretty much smooth sailing.
            I guess it depends on the scale of the first D. At worst, you have one source initiating just one or a few connections and many, many such sources.



            • #26
              Originally posted by bug77

              Then how come we have all these DDoS attacks with barely an impact on traffic?
              It's hard at first, because you don't know what's malicious and what's legit, but once you figure that out, it's pretty much smooth sailing.
              If so you have been hit by extremely tame DDoS:es. Normally you get attacked with an aggregate of 200Gbps and you only have say 2x10Gbps connections, so good luck doing anything at the receiving end of that pipe to solve anything.

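Added example, not written by any poster in this thread: a small constructed simulation of the rate-limiting trade-off argued in #22 and #25, comparing a single global request budget with a per-source allowance. The capacity, the allowance, the traffic mix and all function names are assumptions made for the illustration.

```python
import random
from collections import Counter

CAPACITY = 1000   # requests the server can answer per tick (assumed)
PER_SOURCE = 2    # requests allowed per source per tick (assumed)

def make_traffic(legit_clients, bots, reqs_per_bot, seed=1):
    """Constructed one-tick arrival stream of (source, is_legit) tuples."""
    reqs = [(f"user{i}", True) for i in range(legit_clients)]
    reqs += [(f"bot{i}", False) for i in range(bots) for _ in range(reqs_per_bot)]
    random.Random(seed).shuffle(reqs)   # arrivals are interleaved
    return reqs

def global_limit(reqs, capacity=CAPACITY):
    """Admit in arrival order until the tick's budget is spent."""
    return reqs[:capacity]

def per_source_limit(reqs, allowance=PER_SOURCE, capacity=CAPACITY):
    """Drop each source's excess first, then apply the global budget."""
    seen, kept = Counter(), []
    for src, legit in reqs:
        seen[src] += 1
        if seen[src] <= allowance:
            kept.append((src, legit))
    return kept[:capacity]

def legit_served(admitted):
    return sum(1 for _, legit in admitted if legit)

def run():
    # Same offered load (100 legitimate + 9900 other requests), two shapes.
    few_loud = make_traffic(100, bots=10, reqs_per_bot=990)
    many_quiet = make_traffic(100, bots=9900, reqs_per_bot=1)
    return {
        "global, few loud sources": legit_served(global_limit(few_loud)),
        "per-source, few loud sources": legit_served(per_source_limit(few_loud)),
        "per-source, many quiet sources": legit_served(per_source_limit(many_quiet)),
    }

if __name__ == "__main__":
    for name, served in run().items():
        print(f"{name}: {served}/100 legitimate requests served")
```

With a global budget the admitted mix mirrors the offered mix, so legitimate requests are a small fraction of what gets through; the per-source allowance restores service only while the load is concentrated in a few sources.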