2

Situation:

  • React app that was initially running on a VPS
  • A few days ago, we were the target of a DDOS attack that took the site down.
  • During the attack, we decided to migrate to Netlify.
  • Once migrated, the site was live again. The attack was apparently still taking place for a few hours and Netlify did a great job in keeping the site live...
  • ...but it did it at a high cost (3.4 TB of bandwidth consumption, which translates to an expensive bill).

I'm looking for options to protect against the impact of DDOS attacks (avoiding the downtime but also the bandwidth usage/cost).

I'd be especially interested in anything that is simple to set up & plays well with Netlify, but I will definitely consider all options.

Some options I'm considering:

  • Optimizing the page size - that can reduce bandwidth, but it's not a final solution (there's always a limit to the optimization you can do).
  • Configuring Cloudflare in front of Netlify? -I'm wondering if that will solve the problem and if there are implications to consider (there are some answers on SO about performance and other implications but I haven't really found much).
  • Other options?

I acknowledge the question is very broad, but suggestions, advice & further details would be really appreciated (how to set up, own experiences, references/articles covering this specific issue...).

ludovico
  • 73
  • 7
  • It looks like your question is more about cost-effective options. That's not a security concern. – schroeder Apr 20 '21 at 15:18
  • 1
    @schroeder protecting against the misuse of resources is clearly a security concern. I'm not asking for a cost-effective option, I am asking for strategies to avoid the impact of a DDOS attack. – ludovico Apr 20 '21 at 15:27
  • But you already have an effective solution. You just didn't like the cost. You focused on page optimization, looking for a recommendation for an easy-to-use service (security.stackexchange doesn't do recommendations), and a generic question about Cloudflare. Server admin experts are the ones you need to talk to about all this. – schroeder Apr 20 '21 at 15:51
  • A solution that doesn't scale is not an effective solution. – ludovico Apr 20 '21 at 15:57
  • That's nice. For questions on how to implement DDoS protection for this particular server, this is the right place. – schroeder Apr 20 '21 at 15:59
  • Well, you've already given 3 (completely) different explanations for having migrated the original question. I can agree that the question is very broad, might need clarification and it falls in between different stackexchange sites but I don't agree with your criteria to migrate and, TBH, I think you haven't given a fair explanation to that change. In any case, thanks for your efforts in keeping the community a better place. – ludovico Apr 20 '21 at 16:05
  • ... I just gave 3 explanations, as you've said. Why are you so intent to have it on a particular site? – schroeder Apr 20 '21 at 16:09
  • request for a specific service recommendation is out of scope. You can't prevent being dosed from somewhat kind of crowded bad people that think they want to do it – djdomi Apr 20 '21 at 17:24
  • Also note that the questions about impact in "Configuring Cloudflare in front of Netlify?" are not our problem but yours - specifically : depending on what you exactly do. The professional approach is to TEST. Put up a second server and test environment, check how it affects your performance. – TomTom Apr 22 '21 at 18:00
  • I'm curious why you added a bounty when you have a good answer below. Do you not like the answer? Do you need more detail? Do you just want alternate ideas? – Tim Apr 22 '21 at 18:04
  • @Tim stated in the bounty description, "Further details, suggestions & advice would be really appreciated. (I acknowledge the question is very broad)" – ludovico Apr 22 '21 at 18:12
  • If you want further details on an answer the best approach is to comment asking for more information. I gave you the "what", if you want the "how" I could link to some tutorials. You'd learn more if you took the concept and did a bit of research yourself. It's not particularly difficult. I've expanded my answer below. – Tim Apr 22 '21 at 19:08
  • don't get me wrong, your initial answer was already good. Btw, I ask here because I haven't found anything valuable (articles etc) regarding this particular issue of bandwidth consumption with netlify (despite the fact that they claim to provide DDOS protection -which up to a point is true). – ludovico Apr 22 '21 at 19:37

1 Answer

6

Put your server behind a CDN / DDOS protection vendor such as CloudFlare / AWS CloudFront + WAF and ensure that your server only accepts direct connections from your vendor and your own static IPs.

The general steps for this would be:

  1. Sign up for the service and subscribe to the plan you require
  2. Set up DNS on your service to point at your host. Make sure to transfer any other DNS records you require - MX, CNAME, etc
  3. Change your domain registrar to use the CDN or DDOS vendor DNS servers. Wait until the change has applied across the internet; easiest to just wait 24 hours. You shouldn't see any difference, it should keep working exactly the same.
  4. Set up a firewall that only accepts requests from the CDN's published IP ranges and your private IPs (e.g. your work or home static IP). If you don't have a static home IP you will have to change the firewall every time you want to SSH / RDP into the server. Here's CloudFlare's published IP ranges. IPv4 and IPv6 ideally. This firewall should be a managed service, as otherwise the DDOS is still going to use your server bandwidth, it's just not going to hit your application. In AWS you'd use security groups, Digital Ocean you'd use CloudFirewall, etc

It's not particularly difficult, but you do need to understand some background like IP, firewalls, etc. Each CDN vendor has documentation that will walk you through this.

Scaling

In the cloud you can also scale to meet the part of the DDOS load that gets past the DDOS protection system.

You should read the AWS DDOS Whitepaper, which is largely applicable to other providers and clouds.

Tim
  • 31,888
  • 7
  • 52
  • 78
  • That. Is pretty much the only way to do it. – TomTom Apr 22 '21 at 17:59
  • 1
    IMO outdoing the attacker by adding more resources is also a valid DDoS mitigation, while also preventing inconvenience of CAPTCHA and avoiding blocking valid traffic, especially against small attackers. Could be costly tho. According to OP, apparently that's what Netlify is doing. – mforsetti Apr 23 '21 at 07:35
  • I agree. The AWS ddos white paper says scaling to meet the load is a mitigation. The AWS shield advanced fee even includes writing off those additional resource costs. However, if you can block most of the traffic, that reduces resources and costs. If the site is not in cloud, scaling to that level can be difficult to achieve. I'm not familiar with the vendor in question here. – Tim Apr 23 '21 at 11:12
  • that's a very good point. I assume solutions like Cloudflare & AWS CloudFront implement further strategies apart from scaling resources, correct? – ludovico Apr 26 '21 at 18:52
  • 1
    CloudFlare and CloudFront don't have anything to do with scaling. CloudFlare is a WAF / CDN / DDOS protection system, the features you get depend on the plan you purchase. CloudFront is a CDN and integrates with AWS Shield for DDOS protection system, but if you want a WAF you pay for AWS WAF. Scaling is done by AWS EC2 / ECS and such. CloudFlare is much more cost effective than CloudFront / WAF. – Tim Apr 26 '21 at 18:59