I'm working on DDoS protection at Cloudflare. AMA

We try to publish most of what we do, the more obvious links:

https://blog.cloudflare.com/how-cloudflares-architecture-all...
https://blog.cloudflare.com/meet-gatebot-a-bot-that-allows-u...
https://blog.cloudflare.com/the-root-cause-of-large-ddos-ip-...
https://blog.cloudflare.com/memcrashed-major-amplification-a...
https://blog.cloudflare.com/syn-packet-handling-in-the-wild/
https://blog.cloudflare.com/reflections-on-reflections/
https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-mas...
https://blog.cloudflare.com/the-new-ddos-landscape/
https://blog.cloudflare.com/unmetered-mitigation/
https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler...

And many more. Also two talks:

https://idea.popcount.org/2016-02-01-enigma---building-a-dos...
https://idea.popcount.org/2015-11-16-black-hat-eu---defendin...

> But how does that prevent severe service degradation

It doesn't. You DROP the most specific thing you can. To avoid collateral damage we are able to do "Scattering" (move client across IPs with the hope the attack won't follow), and for example apply the controversial limits only in certain geographical areas (anycast network allows this).

> you still have to do some kind of work (in computation and energy) on the listening side

Yes. BPF for L3 works like a charm. Read up on XDP.

> or can fat edge-servers just eat that up?

Yes and no. You have to specifically optimize; whatever you do probably won't make Apache or IIS work under DDoS. Most vendors use "scrubbing centres", where they can have a small number of beefy dedicated servers. We didn't find this architecture sufficient though, so in our case edge servers do handle the load. But we do spend time on tuning the servers and our applications.
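The two points in the comment above, "DROP the most specific thing you can" and doing that work in BPF/XDP at L3, can be illustrated with the decision logic such a filter runs. The following is an added example written for this page; it is not code from the comment's author or from Cloudflare. It is plain user-space C rather than a loadable XDP program, so it compiles without kernel headers: the verdict values mirror XDP_DROP and XDP_PASS, the bounds checks on every header access mirror what the BPF verifier demands, and the single rule (UDP from source port 11211, memcached's port, with a large payload) is a constructed signature chosen because the linked "memcrashed" post concerns that amplification vector. The packet-building helper, rule set and thresholds are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts with the same numeric values as XDP_DROP / XDP_PASS in <linux/bpf.h>. */
enum verdict { VERDICT_DROP = 1, VERDICT_PASS = 2 };

#define ETH_HLEN     14
#define ETHERTYPE_IP 0x0800
#define PROTO_UDP    17

/* Fields of a parsed L3/L4 header that a rule can match on. */
struct flow {
    uint8_t  proto;
    uint16_t src_port, dst_port;
    uint16_t udp_payload_len;
};

/* A narrow drop signature; 0 in a port field means "don't care". A packet is
 * dropped only when every constrained field matches, which keeps the rule as
 * specific as the attack traffic allows (the "most specific thing" idea). */
struct drop_sig {
    const char *name;
    uint8_t  proto;
    uint16_t src_port;
    uint16_t dst_port;
    uint16_t min_payload;   /* only payloads at least this long are dropped */
};

/* Constructed rule set for this example (assumption, not a production list).
 * Reflection floods arrive as large UDP datagrams *from* the reflector's
 * port, so matching src port plus payload size leaves ordinary small UDP
 * traffic alone. */
static const struct drop_sig rules[] = {
    { "memcached-reflection", PROTO_UDP, 11211, 0, 1000 },
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse Ethernet/IPv4/UDP with an explicit length check before every access,
 * the discipline the kernel's BPF verifier enforces on a real XDP program.
 * Returns 0 on success, -1 if the frame is not parseable UDP-over-IPv4. */
static int parse_udp(const uint8_t *pkt, size_t len, struct flow *f)
{
    if (len < ETH_HLEN + 20) return -1;
    if (rd16(pkt + 12) != ETHERTYPE_IP) return -1;
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return -1;
    if (len < ETH_HLEN + ihl + 8) return -1;
    if (ip[9] != PROTO_UDP) return -1;
    const uint8_t *udp = ip + ihl;
    uint16_t udp_len = rd16(udp + 4);
    if (udp_len < 8 || ETH_HLEN + ihl + udp_len > len) return -1;
    f->proto = PROTO_UDP;
    f->src_port = rd16(udp);
    f->dst_port = rd16(udp + 2);
    f->udp_payload_len = (uint16_t)(udp_len - 8);
    return 0;
}

/* Classify one frame. Anything we cannot parse or that matches no signature
 * is passed: an over-broad drop is exactly the collateral damage to avoid. */
int classify(const uint8_t *pkt, size_t len)
{
    struct flow f;
    if (parse_udp(pkt, len, &f) != 0) return VERDICT_PASS;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct drop_sig *r = &rules[i];
        if (r->proto != f.proto) continue;
        if (r->src_port && r->src_port != f.src_port) continue;
        if (r->dst_port && r->dst_port != f.dst_port) continue;
        if (f.udp_payload_len < r->min_payload) continue;
        return VERDICT_DROP;
    }
    return VERDICT_PASS;
}

/* Build a constructed Ethernet/IPv4/UDP frame into buf; returns frame length.
 * Addresses are zero placeholders and checksums are left unset: the filter
 * above never looks at them. */
size_t build_udp_frame(uint8_t *buf, size_t cap, uint16_t sport, uint16_t dport, uint16_t payload_len)
{
    size_t total = ETH_HLEN + 20 + 8 + payload_len;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    uint16_t ip_len = (uint16_t)(20 + 8 + payload_len);
    ip[0] = 0x45;                                         /* IPv4, IHL 5 */
    ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len;
    ip[8] = 64;                                           /* TTL */
    ip[9] = PROTO_UDP;
    uint8_t *udp = ip + 20;
    uint16_t udp_len = (uint16_t)(8 + payload_len);
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)(udp_len >> 8); udp[5] = (uint8_t)udp_len;
    return total;
}

/* Convenience: build a constructed frame with the given ports/payload size and
 * return the filter's verdict for it. */
int verdict_for(uint16_t sport, uint16_t dport, uint16_t payload_len)
{
    uint8_t buf[2048];
    size_t n = build_udp_frame(buf, sizeof buf, sport, dport, payload_len);
    return classify(buf, n);
}

int main(void)
{
    printf("large UDP from 11211: %s\n", verdict_for(11211, 40000, 1400) == VERDICT_DROP ? "DROP" : "PASS");
    printf("DNS reply from 53:    %s\n", verdict_for(53, 40000, 120) == VERDICT_DROP ? "DROP" : "PASS");
    printf("small UDP from 11211: %s\n", verdict_for(11211, 40000, 100) == VERDICT_DROP ? "DROP" : "PASS");
    return 0;
}
```

The same structure carries over to a real XDP program: the parse step becomes pointer comparisons against `data_end`, the rule table becomes a BPF map so signatures can be swapped without reloading the program, and the default remains pass so that a badly tuned signature costs a little extra CPU rather than an outage for legitimate clients.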