by traskjd 3525 days ago
Interestingly, in some ways this is a big selling point of AWS/Azure/Goog. The absolute scale they can handle is way up there.

The downside of course, is that whilst their infrastructure can likely handle it, handling the bill associated with 'just scale up your service' could be worse than the attack itself.


AWS has considerable defenses against DDOS attacks of all types - here's the video from Reinvent 2015 which introduces many of Amazon's defenses as well as best practices - https://www.youtube.com/watch?v=Ys0gG1koqJA

Interestingly, the presenter notes that Amazon had seen a drop in DNS as an attack vector in 2015. I asked the presenter (Product Manager) why they hadn't productized the DDoS attack dashboard so you could be aware if you were being attacked (and it was being absorbed by AWS) and his response was that there was insufficient demand at that point to justify the developer staffing. He gave me his card and asked me to request the feature so he could use it to make the case internally.

Does anyone here have stories of being successfully DDoS'd on AWS (other than by their own staff :) ?

If Azure and Google would like to gain a competitive advantage over AWS, then I would suggest this: Build out a suite of tools for fighting DDOS. Enable private consultants and companies to provide this as a service. Do this in such a way that cloud customers save money and have less to worry about. Hell, let companies jump in structured as insurance companies! Also bring in cooperation with law enforcement and use data gathering to catch and prosecute DDOS-ers.
> Enable private consultants and companies to provide this as a service.

If I am an AWS customer I expect AWS to handle/prevent DDoS, the same way as they do with S3 to achieve 11 9's availability (the files are saved in multiple AZs in the same region - Glacier IIRC copies files to different regions to avoid data loss in case of physical disaster).

One of the reasons for choosing AWS is because AMZ has deep pockets and has the means (financial and technical) to fight against large DDoS attacks, while a smaller provider might not have to do that. Putting clients in a position to have to buy that sort of protection doesn't sound very smart to me.

> do with S3 to achieve 11 9's availability

I see so many people confused about this. Eleven nines is their durability guarantee; the availability they guarantee is only 99.99%.

https://aws.amazon.com/s3/faqs/

What's the difference between durability and availability?
Availability is the % of times you try to access your data that you get it back. So 52.5 minutes of downtime a year is still within SLA.

Durability is the % of your data that doesn't die. Eleven 9s means that if you store 1TB on AWS S3 you can expect to lose 10 bytes and still be within SLA.

No, it means that if you store your data there that there is a .000000001% chance that you will lose all of it.
Durability means you'll get your bits eventually.

Availability means you'll get your bits immediately.

Durable means it was persisted to disk. Availability means the service is up and reachable.
I hear this misunderstanding a lot as well, generally in relation to AWS S3 SLAs. 11 9's of "uptime" would mean the service could be down for 3 milliseconds a year. 4 9s is very respectable.
> If I am an AWS customer I expect AWS to handle/prevent DDoS, same way as they do with S3 to achieve 11 9's availability

If you are an AWS customer you should have done your due diligence and know that Amazon won't do a very good job at that.

I don't understand how people who use AWS have such unrealistic expectations.

Someone will always have the upper hand in an arms race, and it's not service providers yet. It's just a matter of finding the choke point between their transit and your code.

>I don't understand how people who use AWS have such unrealistic expectations.

Well, the whole point of AWS is not having to deal with the usual hosting stuff. They'll naturally have lots of customers with high expectations and very little understanding of how things work in the background.

When you are DDOSed they will keep supplying the resources for you to consume and pay them extra. Cloud is commodity so don't expect to be treated like a special snowflake. Your distress is their opportunity to make extra money.

Off-topic but relevant. One of my customers moved their email to O365 without understanding the differences from being on-prem. Now they are struggling to adapt their business processes to the limitations MS imposes.

>When you are DDOSed they will keep supplying the resources for you to consume and pay them extra.

If the attack is tiny, sure. Otherwise they'll just cut you off.

> If the attack is tiny, sure. Otherwise they'll just cut you off.

Yet they get to claim inexhaustible capacity.

For when you want it for traffic you want to pay for, not for unwanted traffic no one wants to pay for.
"achieve 11 9's availability" is this sarcasm?
They're referring to AWS S3's claim of 99.999999999% durability. AWS actually offers 99.99% availability.
Oh that at least could theoretically be feasible considering AWS's SLA though they might as well claim it's 99.9999999999999999999999999%
It all depends how you measure it
I thought you had to pay substantially extra to get files stored in multiple regions.
I'm not an AWS customer, but from what I have heard, you would be financially responsible for the DDoS traffic bill.

Amazon might waive the fee, but you are the first party responsible.

Doesn't Google already have the infrastructure to deal with an attack of this magnitude? I remember recently reading about Krebs on Security moving to Google's Project Shield service: http://www.zdnet.com/article/google-rescues-krebs-on-securit...
AFAIK Shield is for select journalists only, not for typical web infrastructure.
https://support.google.com/projectshield/answer/6358116?hl=e...

> My website is on Blogger, Google Sites, or Google App Engine. Am I eligible?

> As Google products, these sites already have similar DDoS protection to Project Shield. Your website would not need to be set up with Project Shield.
Wonder if that answer includes Compute Engine. Doubt it.
It would be interesting to try using App Engine to simply proxy traffic. I don't know enough about it to even know if it's technically feasible. I imagine the downsides would be many but it could be useful as a temporary measure while you're getting attacked.
Some people already use App Engine as a free CDN (http://www.digitalistic.com/2008/06/09/10-easy-steps-to-use-...) , I imagine it would be totally possible to use it as a proxy.
You can't just build a "suite of tools" and give them to a customer to fight a DDOS. The way DDOS is mitigated is by making routing changes at the network edge. This is not something you want a customer to be able to do for obvious reasons. And these in themselves are sometimes not enough and DDOS mitigation will require coordinating with transit providers, again not something you would want put in a customer console.
Cloudflare is targeting that market pretty heavily.
Yup until this morning, AWS was using Dyn as the sole provider of nameservers for the us-east-1 zone. So this attack did have a pretty substantial impact on some AWS services until they updated us-east-1 to use the more diverse set of nameservers their other datacenters use.
That's a good point. If anything, it makes DDOS attacks more effective since you can't easily scale up your bank account :)
So it will eventually be Cloud vs DDoS, eh? Both can scale indefinitely, so the limit is money, which makes the DDoS guys win: they practically steal CPU/RAM/NET, whereas cloud providers need to buy hardware as usual.

Unless we can somehow secure every net-connected device, ha (I don't know whether to cry or laugh right now)

Can you third grade down your comment please?

I find your language to be of high interest like you had a "dUH" moment - which I am ignorant to get myself.

The Sons rays meat

DDOS usually occurs via a botnet of infected networked devices. Thus, the attacker is getting their resources for "free" since their host is unknowingly wasting CPU and bandwidth during the attack, while the defender is paying for theirs.
Thanks

Is this analogy accurate?

I have one road to get home. It got blocked so I create 2 more roads.

I now have 3 roads to get home. All 3 become blocked. So now I have to make another road.

More roads is redundancy and requires capital.

The roads become unblocked but I now must expect future road blocks.

Until Google starts serving pages from our phones...
Isn't that the meaning of having multiple AWS regions? :-)

If you want HA at the local level you'd go with AWS AZs, but if you need real HA you can do the same at the region level.

Of course not everyone has the money/need to go down that route, but it's possible and even advised for some AWS services.