by PragmaticPulp 1744 days ago
20 million requests per second from a single beefy AWS server is easy to detect and block.

20 million requests per second coming from a rotating list of hosts from generic IP addresses is a nightmare:

> However, we suppose the number to be higher – probably more than 200 000 devices, due to the rotation and absence of will to show the "full force" attacking at once.

If your site normally has 10,000 users per day and suddenly you’re flooded with 200,000 additional IP addresses hammering at your site, you have a problem.

To put it in perspective, the top post on HN most of yesterday was about someone benchmarking their personal server as being able to handle about 5 million requests per day (Granted, that’s quite slow, but it will suffice for making a point). This botnet can deliver 4X that server’s total daily capacity every second.
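The two attack shapes contrasted in the comment above, as an added example (this is not code from the thread, nor from Cloudflare or any other product mentioned in it): a sliding-window detector with one rule for a single loud source and one for an unusually large number of distinct sources relative to a baseline. The thresholds, the baseline of 30 distinct IPs per second, the IP addresses and the three traffic samples are all constructed for illustration. The distinct-IP rule flags the "rotating list of hosts" case even though no single address is noisy; it does not by itself separate a botnet from a legitimate flash crowd, which needs other signals not shown here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: float  # arrival time in seconds
    ip: str    # source address as it would appear in an access log


class FloodDetector:
    """Sliding-window detector with two independent rules.

    per_ip_limit: requests one IP may make inside the window before it is
                  flagged (the 'single beefy server' case).
    baseline_ips: distinct IPs the site normally sees inside the window;
                  exceeding baseline_ips * distinct_factor flags the
                  'rotating list of hosts' case even though no single IP
                  is loud. All of these are hypothetical tuning values.
    """

    def __init__(self, window, per_ip_limit, baseline_ips, distinct_factor):
        self.window = window
        self.per_ip_limit = per_ip_limit
        self.distinct_limit = baseline_ips * distinct_factor
        self._events = deque()           # (ts, ip) in arrival order
        self._per_ip = defaultdict(int)  # ip -> requests currently in window

    def _evict(self, now):
        # Drop events older than the window and release their per-IP counts.
        while self._events and now - self._events[0][0] > self.window:
            _, old_ip = self._events.popleft()
            self._per_ip[old_ip] -= 1
            if self._per_ip[old_ip] == 0:
                del self._per_ip[old_ip]

    def observe(self, req):
        """Record one request; return the list of alerts it triggers."""
        self._evict(req.ts)
        self._events.append((req.ts, req.ip))
        self._per_ip[req.ip] += 1
        alerts = []
        if self._per_ip[req.ip] > self.per_ip_limit:
            alerts.append(("single_source", req.ip))
        if len(self._per_ip) > self.distinct_limit:
            alerts.append(("distributed", len(self._per_ip)))
        return alerts


# Hypothetical tuning: 1 s window, 50 req/s per IP, baseline 30 distinct
# IPs per second, alarm at 5x baseline (150 distinct IPs in the window).
PARAMS = dict(window=1.0, per_ip_limit=50, baseline_ips=30, distinct_factor=5)


def run(requests, **params):
    """Feed requests through a fresh detector; count alerts by kind."""
    det = FloodDetector(**params)
    counts = {"single_source": 0, "distributed": 0}
    for req in requests:
        for kind, _ in det.observe(req):
            counts[kind] += 1
    return counts


# Constructed traffic samples (not real logs).
def normal_traffic():
    # 20 regular visitors, 5 requests each, spread evenly over 10 s.
    return [Request(ts=i * 0.1, ip=f"10.0.0.{i % 20}") for i in range(100)]


def single_source_flood():
    # One host sending 500 requests inside one second.
    return [Request(ts=i * 0.002, ip="203.0.113.7") for i in range(500)]


def rotating_botnet():
    # 500 different hosts, one request each, inside one second.
    return [Request(ts=i * 0.002, ip=f"198.51.{i // 256}.{i % 256}")
            for i in range(500)]


if __name__ == "__main__":
    for name, sample in [("normal", normal_traffic()),
                         ("single source", single_source_flood()),
                         ("rotating botnet", rotating_botnet())]:
        print(f"{name:16s} {run(sample, **PARAMS)}")
```

The per-IP rule is what a naive rate limiter already does, and it never fires on the botnet sample because every address makes exactly one request. The distinct-source rule is the one that notices the 200,000-address scenario, and it only works if you keep a baseline of how many distinct clients the site normally sees, which is the "10,000 users per day" number in the comment.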


But how do you distinguish an abnormal traffic spike (HN hug-of-death) vs a botnet? Cloudflare’s solution is a CAPTCHA, but are there better options?
Cloudflare's solution is not a CAPTCHA. We have a ton of stuff going on that detects bots. CAPTCHAs are a small part of the tools we use. https://blog.cloudflare.com/cloudflare-bot-management-machin...
Sorry. I didn’t mean to imply that you don’t have anything but CAPTCHAs. My wording could’ve been better.
Do you have a scraper that looks for mentions of Cloudflare or did you just happen upon this?
Yeah. I use something like this: https://github.com/jgrahamc/hncomments

Although I really need to commit the final version as that one isn't quite what I use.

Cloudflare uses CAPTCHA to drive away proxy users. Privacy conflicts with Cloudflare's endgame of profiling every Internet user and then monetizing that data.
An attack-resistant trust metric? Although I haven’t seen them used against denial of service attacks.
Generally you don't. Just be prepared to scale resources and handle everyone.
I think a lot of services would be happy to silently allow bots on their service to help inflate user numbers.
Thankfully these attackers haven't heard about Layer 7 attacks yet.
They have. These are 20 million Layer 7 requests per second.