[nullrouted]

tl:dr Used cloudflare for DNS and Level3/Blacklotus for network filtering.

In DDoS attacks you have three models: On-Prem: Buy hardware and big fat internet pipes to filter traffic (expensive / time \ resrouce intensive) Hybrid: On-Prem devices that can mitigate X/Mbps and then starts announcing your routes after X to their cloud scrubbing centers which can filter it at a much higher capacity (best option) Cloud: Full on filtering by a provider where all your traffic goes through their scrubbing centers full time (usually adds latency, extremely expensive)

The hybrid model is the best and what most companies are going to as it allows you to filter smaller attacks out with little cost as well as scaling up to large 100 Gb/s+ attacks without having to buy massive amounts of hardware/transit.

[prdonahue]

How do you define "extremely expensive"? CloudFlare's Business Plan ($200/mo) includes advanced DDoS mitigation: https://www.cloudflare.com/ddos/.

Also, due to caching of assets in PoPs close to end-users (and TLS termination at the edge), the site is often much faster than without DDoS protection.

[franimals]

Well CloudFlare works if you're mainly worried about responding to HTTP(S) traffic. In this the company was responsible SMTP, POP, etc which CloudFlare doesn't really handle.

Additionally as is mentioned in the article - If the attacker knows your public IP address they can easily bypass CloudFlare by simply directing the traffic to you and not CF.

[nullrouted]

Cloudflare is a WAF/Proxy that can handle DDoS, it isn't a DDoS specific product. If your actual network space is getting hit (e.g. 8.8.8.8) cloudflare will not help you.

[snowwrestler]

Set your network firewall to drop all packets not originating from Cloudflare's IP blocks?

[paulfurtado]

Depends on the type of DDoS. Traffic may saturate your internet connection regardless of there being a firewall on your end. In which case you need a provider capable of handling the full bandwidth of the DDoS sitting in front of you.

[vox_mollis]

How do you define "extremely expensive"?

Always-on scrubbing will typically run you $10k provisioning and $6-9k monthly for 100mbps of clean bandwidth from most of the providers.

[nullrouted]

Always on scrubbing has a number of factors depending on the provider you use. All charge for clean traffic but some charge for number of netblocks/ASNs, number of routers, number of attacks mitigated, etc. It can get extremely expensive depending on your traffic needs and all the other variables. Paying an extra $250,000+ year for 2 Gb/s of traffic is extremely expensive to me.