> Another option, if you're running at a larger scale, is to purchase mitigation appliances and just set up your own mitigation infrastructure. This will not be cheap and require some serious connectivity, but beyond a certain point it'll be more cost-effective.

How many companies reach this level? 99% of companies will have to rely on a CDN provider for this.

> You'll want to avoid anything HTTP-specific (as it will be prone to the same privacy issues as CloudFlare), and opt for layer 3/4 mitigation only.

Of course your CDN provider will be more effective if it can inspect unencrypted traffic. So, again, either you are at the level of traffic of a big IaaS provider, or, like 99% of CDN customers, you choose between letting your provider inspect your traffic or not being protected against app-level DDoS.

> Even something relatively simple like ModSecurity will cover a wide array of problems.

Everything is a question of measure. How much is "a wide array of problems"? How much is "some serious connectivity"?

A middle ground would be using a CDN to protect against L3/L4 volumetric attacks, without TLS interception, and using ModSecurity or another WAF against application-level attacks. But the result will probably not be as good as application-level protection at CDN level, and will cost you more (you pay for the CDN, for your own WAF infrastructure, and for your 24/7 team ready to write new protection rules when a new attack occurs).
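To make the "middle ground" concrete, here is an added example (not from the comment above, nor from the ModSecurity project) of what the origin-side WAF part looks like with ModSecurity v2 under Apache httpd: the CDN only scrubs L3/L4 volumetric traffic and passes TLS through, so TLS terminates on the origin and the WAF inspects the decrypted request there. The log path, rule ids and the two sample rules are assumptions chosen for illustration; a real deployment would load a maintained rule set (such as the OWASP Core Rule Set) rather than hand-written rules.

```apache
# Added example: origin-side ModSecurity v2 configuration for Apache httpd.
# Assumes TLS is terminated on this host (CDN is L3/L4 only, no interception),
# so request bodies are visible to the engine here. Paths and rule ids are
# constructed for this example.
<IfModule security2_module>
    # Start in DetectionOnly while tuning; switch to On once false positives
    # on legitimate traffic have been reviewed.
    SecRuleEngine DetectionOnly

    # Inspect request bodies (POST/PUT payloads), capped to avoid the WAF
    # itself becoming a resource-exhaustion target.
    SecRequestBodyAccess On
    SecRequestBodyLimit 1048576
    SecRequestBodyNoFilesLimit 131072

    # Log only transactions that triggered a rule, to a dedicated audit log
    # the operations team can review when a new attack pattern appears.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log   # assumed path

    # Example rule 1 (id assumed): flag request bodies that are not the
    # content type the application expects. Cheap check, catches a lot of
    # automated noise before any expensive matching runs.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:900001,phase:1,chain,pass,log,msg:'Unexpected content type on POST'"
        SecRule REQUEST_HEADERS:Content-Type "!@beginsWith application/x-www-form-urlencoded"

    # Example rule 2 (id assumed): deny clearly malformed parameter values,
    # here any argument longer than the application's largest legitimate
    # field. Tune the limit per application.
    SecRule ARGS "@gt 4096" \
        "id:900002,phase:2,t:length,deny,status:403,log,msg:'Oversized parameter'"
</IfModule>
```

The operational point the comment makes shows up in the rule ids and the audit log: every new application-level attack that the CDN would otherwise have absorbed becomes a rule someone on your side has to write, test against real traffic in `DetectionOnly`, and then promote, which is the recurring cost being weighed against letting the CDN inspect the traffic.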