by stcredzero 3530 days ago
If Azure and Google would like to gain a competitive advantage over AWS, then I would suggest this: Build out a suite of tools for fighting DDOS. Enable private consultants and companies to provide this as a service. Do this in such a way, that cloud customers save money and have to worry about less. Hell, let companies jump in structured as insurance companies! Also bring in cooperation with law enforcement and use data gathering to catch and prosecute DDOS-ers.

> Enable private consultants and companies to provide this as a service.

If I am an AWS customer I expect AWS to handle/prevent DDoS, the same way they do with S3 to achieve 11 9's availability (the files are saved in multiple AZs in the same region; Glacier, IIRC, copies files to different regions to avoid data loss in case of a physical disaster).

One of the reasons for choosing AWS is that AMZ has deep pockets and has the means (financial and technical) to fight against large DDoS attacks, while a smaller provider might not. Putting clients in a position to have to buy that sort of protection doesn't sound very smart to me.

> do with S3 to achieve 11 9's availability

I see so many people confused about this. Eleven nines is their durability guarantee; the availability they guarantee is only 99.99%.

https://aws.amazon.com/s3/faqs/

What's the difference between durability and availability?
Availability is the % of times you try to access your data that you get it back. So 52.5 minutes of downtime a year is still within SLA.

Durability is the % of your data that doesn't die. Eleven 9s means that if you store 1TB on AWS S3 you can expect to lose 10 bytes and still be within SLA.

No, it means that if you store your data there that there is a .000000001% chance that you will lose all of it.
For those wondering .000000001% per what? The answer apparently is per object year.

i.e. you could expect to lose 10 bytes of your 1TB every year if you stored it as a trillion one-byte objects, but if you stored it as a single object you could expect to lose the whole thing once every hundred billion years, and none of it the rest of the time.

Is that true? How can they possibly measure a probability event so small? If every human in the world was their customer, then .05 humans would lose their data?
It doesn't mean that either. It's just an SLA. Could have been a number pulled out of the air. Likely loss in real life would be granular at the object level.
Durability means you'll get your bits eventually.

Availability means you'll get your bits immediately.

Durable means it was persisted to disk. Availability means the service is up and reachable.
I hear this misunderstanding a lot as well, generally in relation to AWS S3 SLAs. 11 9's of "uptime" would mean the service could be down for 3 milliseconds a year. 4 9s is very respectable.
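The comments above argue about what "nines" mean for availability versus durability, and whether object granularity matters. The following is an added worked example, not from any commenter or from AWS; it assumes the durability figure is a per-object, per-year loss probability (as one commenter suggests), uses a 365-day year, and treats object losses as independent. It shows that the expected number of bytes lost per year is the same whether 1TB is stored as one object or as a trillion one-byte objects, while the shape of the risk is very different.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: non-leap year


def failure_probability(nines: int) -> float:
    """Turn '4 nines' (99.99%) into the complementary probability 1e-4."""
    return 1.0 / 10 ** nines


def allowed_downtime_seconds(nines: int) -> float:
    """Availability SLA: how many seconds per year the service may be unreachable."""
    return failure_probability(nines) * SECONDS_PER_YEAR


def expected_bytes_lost_per_year(total_bytes: int, object_size: int, nines: int) -> float:
    """Durability: expected bytes lost per year under the per-object-year model.

    Each object is lost with probability p per year; expectation is linear,
    so the result does not depend on how the data is split into objects.
    """
    n_objects = total_bytes // object_size
    return n_objects * failure_probability(nines) * object_size


def prob_at_least_one_object_lost(n_objects: int, nines: int) -> float:
    """Probability that at least one of n independent objects is lost in a year.

    1 - (1-p)^n, computed with log1p/expm1 to stay accurate when p is tiny.
    """
    p = failure_probability(nines)
    return -math.expm1(n_objects * math.log1p(-p))


def mean_years_between_losses(nines: int) -> int:
    """Mean time (years) until a single object is lost: 1/p."""
    return 10 ** nines


if __name__ == "__main__":
    one_tb = 10 ** 12  # constructed example: 1TB stored in S3
    print(f"4 nines availability: {allowed_downtime_seconds(4) / 60:.2f} min/year")
    print(f"11 nines availability: {allowed_downtime_seconds(11) * 1000:.3f} ms/year")
    for obj in (1, one_tb):
        n = one_tb // obj
        print(f"{n} object(s) of {obj} byte(s): expected loss "
              f"{expected_bytes_lost_per_year(one_tb, obj, 11):.1f} B/year, "
              f"P(any object lost) = {prob_at_least_one_object_lost(n, 11):.3g}")
    print(f"single object: one loss every {mean_years_between_losses(11):,} years on average")
```

With a trillion one-byte objects you are almost certain to lose some object every year (about 10 bytes in expectation); with one 1TB object you expect the same 10 bytes per year, but realised as a 1e-11 chance of losing everything. Which of those is the "real" risk depends entirely on how the provider's number is defined, which is the point the thread keeps circling.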
> If I am an AWS customer I expect AWS to handle/prevent DDoS, same way as they do with S3 to achieve 11 9's availability

If you are an AWS customer you should have done your due diligence and know that Amazon won't do a very good job at that.

I don't understand how people who use AWS have such unrealistic expectations.

Someone will always have the upper hand in an arms race, and it's not service providers yet. It's just a matter of finding the choke point between their transit and your code.

>I don't understand how people who use AWS have such unrealistic expectations.

Well, the whole point of AWS is not having to deal with the usual hosting stuff. They'll naturally have lots of customers with high expectations and very little understanding of how things work in the background.

When you are DDOSed they will keep supplying the resources for you to consume and pay them extra. Cloud is commodity so don't expect to be treated like a special snowflake. Your distress is their opportunity to make extra money.

Off-topic but relevant. One of my customers moved their email to O365 without understanding the differences from being on-prem. Now they are struggling to adapt their business processes to the limitations MS imposes.

>When you are DDOSed they will keep supplying the resources for you to consume and pay them extra.

If the attack is tiny, sure. Otherwise they'll just cut you off.

> If the attack is tiny, sure. Otherwise they'll just cut you off.

Yet they get to claim inexhaustible capacity.

For when you want it for traffic you want to pay for, not for unwanted traffic no one wants to pay for.
"achieve 11 9's availability" is this sarcasm?
They're referring to AWS S3's claim of 99.999999999% durability. AWS actually offers 99.99% availability.
Oh that at least could theoretically be feasible considering AWS's SLA though they might as well claim it's 99.9999999999999999999999999%
It all depends how you measure it
I thought you had to pay substantially extra to get files stored in multiple regions.
I'm not an AWS customer, but from what I have heard, you would be financially responsible for the DDoS traffic bill.

Amazon might waive the fee, but you are the first party responsible.

Doesn't Google already have the infrastructure to deal with an attack of this magnitude? I remember recently reading about Krebs on Security moving to Google's Project Shield service: http://www.zdnet.com/article/google-rescues-krebs-on-securit...
afaik Shield is for select journalists only, not for typical web infrastructure.
https://support.google.com/projectshield/answer/6358116?hl=e...

> My website is on Blogger, Google Sites, or Google App Engine. Am I eligible?

> As Google products, these sites already have similar DDoS protection to Project Shield. Your website would not need to be set up with Project Shield.
Wonder if that answer includes Compute Engine. Doubt it.
It would be interesting to try using App Engine to simply proxy traffic. I don't know enough about it to even know if it's technically feasible. I imagine the downsides would be many but it could be useful as a temporary measure while you're getting attacked.
Some people already use App Engine as a free CDN (http://www.digitalistic.com/2008/06/09/10-easy-steps-to-use-...) , I imagine it would be totally possible to use it as a proxy.
You can't just build a "suite of tools" and give them to a customer to fight a DDOS. The way DDOS is mitigated is by making routing changes at the network edge. This is not something you want a customer to be able to do for obvious reasons. And these in themselves are sometimes not enough and DDOS mitigation will require coordinating with transit providers, again not something you would want put in a customer console.
Cloudflare is targeting that market pretty heavily.