by saimiam 1589 days ago
> There is literally nothing I can do to stop the haemorrhaging if the site goes popular.

There’s a WAF with rate-based limiting to prevent script kiddies from randomly hitting your URLs for files to download and running up your egress prices. WAF costs $5/month plus a flat fee per extra rule.

For DDOS protection there’s Shield which is built into cloudfront and should be enough for most people but if you need more control they have Shield Advanced.

The “Stop Button” for S3 is an application layer responsibility, imho, though S3 should make clean up easier.


Awesome. So I should spend more money to protect myself from flaws in Amazon's billing model with a service that I don't need for static file serving.

This kind of "blame the user" thinking is why I avoid the cloud for my own use, and can't recommend it for most customers unless they have a specific reason.

Think of it the other way. Instead of it being "it costs more to have the safety features", it's "it costs less if you don't need the safety features".

If you want to spend the absolute bare minimum price, you get the bare minimum service.

> blame the user

Not sure how this is blame the user. If you are setting up a bare metal server for a client and they don't ask you for (say) DDOS protection, will you still set up a DDOS protection protocol for them? I would think not since most people would try to match what a client asks for and maybe throw in some freebies.

If after that, they get hit by DDOS, the onus is on them to have told you to plan ahead for it and knowing this is not "blame the user".

This is exactly what AWS is also offering - a basic setup and extra bells and whistles to protect yourself from possible issues based on your threat model.

Maybe I'm missing something in your response.

There are two kinds of outcomes from a DDoS:

1. an outage, which in reality is just an inconvenience, not the end of the world, unlike what most IT people seem to think.

2. a bill that can bankrupt you, which may as well be the end of the world for many people or small businesses. It can be literally "game over".

A bare metal box doesn't need protection from the 2nd risk. Its costs are fixed, irrespective of the amount of traffic attempting to hit it. A 100 Mbps link can't put out more than 100 Mbps, so even if you're charged by the terabyte of egress, there's a cost ceiling integrated into the hardware itself.

The cloud generally has no such limits, or much, much higher ones than is typically desirable.

Okay, here's another random example your WAF will not protect you from: cloud-hosted DNS.

The bare metal scenario is a box sitting on the end of a 1 Gbps Ethernet link. If attacked by some crazy UDP DNS flood attack, it could probably saturate that pipe and send out... 1 Gbps. On a fixed-cost-link plan this costs $0.00 additional money. You might have an outage, or merely a brown-out, but you won't see a cent added to your next bill.

On Azure's DNS Zones service, there's no "1 Gbps" pipe to rate limit them. They have infrastructure deployed globally, typically with 100 Gbps links. In practice, the DNS server probably only gets about 10 Gbps per region, but there are many regions. At 100 bytes per packet, you could be looking at a billion requests per second billed to your account, at an eyewatering $200/s or $720K/hour. Ouch!

Now, Azure will probably forgive that bill because it's clearly an attack.

But what if it isn't clearly an attack? Application Insights by design puts the Instrumentation Key into client-side JavaScript. It charges $3/GB on ingress! It's trivial to charge someone thousands or tens of thousands of dollars before they notice, and then they'd have a hard time convincing support that the traffic wasn't legitimate.

I can send a terabyte out for cents, each of which would cost some poor fool $3,000.

Good luck plugging every such hole, monitoring every alert (there's literally tens of thousands of metrics to alert on), and keeping up with every spike in billing that's a day late reporting on costs that can ramp up to thousands of dollars per minute.

An outage is a pretty big reputational risk imho - if I'm a startup offering a SaaS and being on Hackernews' front page hugs my site to death, I'm probably losing some potential conversions and have to answer questions about the solidity and longevity of my infra. It's an inconvenience in the moment but erodes trust over time. Unless you're Twitter and your fail whales become memes, being hugged to death is a bad thing.

I agree that the downside of scaling is the risk of running up huge bills. But the safety net to prevent the run-up is literally a monthly flat fee - $5 + $1/WAF rule. Also, you don't have to monitor every alert - just the common ones. If I had to build a comparable alerting system on bare metal, I'd go crazy.

To me, the flexibility of the cloud is worth the trade off.

> WAF will not protect you from... UDP...

Don't think WAF is the tool to protect against UDP layer attacks. Shield (which is available standard) already handles this.

To be clear, I have not had to deal with DDOS attacks. What we once had to deal with was someone repeatedly downloading a 1 MB gif from our website, which led to big egress fees. WAF's rate-based rules put an end to that nonsense.
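The rate-based rule discussed in this thread (block a client IP that fetches a download URL too many times in a five-minute window, so a looped 1 MB gif download stops running up egress), as an added example written for this edit. It is not code from the thread, from AWS WAF, or from CloudFront; it re-implements the rule's counting semantics in Python and runs it over a few constructed log lines laid out like CloudFront standard logs (tab-separated; only the first eight fields are read). The window, the per-IP limit, the `/downloads/` prefix, the price per GB and the client IPs are all assumptions made for the example.

```python
"""Rate-based blocking of repeated file downloads (added example, not code
from the thread).  Mirrors a WAF rate-based rule: count requests per client
IP within a trailing five-minute window, scoped down to a URI prefix, and
block the request once the count exceeds the limit.  It also totals egress
per IP with and without the rule so the cost of the "1 MB gif" scenario is
visible.  Everything below the imports is an assumption for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # assumed window (AWS WAF rate rules use 5 min)
LIMIT = 5                          # assumed per-IP request limit within WINDOW
PROTECTED_PREFIX = "/downloads/"   # assumed scope-down: only count these URIs
EGRESS_USD_PER_GB = 0.085          # assumed, illustrative egress price only


def _cf(time, ip, uri, nbytes):
    """Build one constructed line in CloudFront standard-log field order:
    date, time, edge, sc-bytes, c-ip, method, host, uri-stem, status."""
    return f"2020-01-01\t{time}\tIAD89-C1\t{nbytes}\t{ip}\tGET\tcdn.example.test\t{uri}\t200"


MIB = 1048576
# Constructed sample log: 203.0.113.9 loops on a 1 MiB gif (one hit well
# before the window, then seven in three minutes); 198.51.100.4 fetches it
# three times; 192.0.2.7 hits /index.html eight times (out of scope).
SAMPLE_LOG = "\n".join(
    ["#Version: 1.0"]
    + [_cf(t, "203.0.113.9", "/downloads/banner.gif", MIB)
       for t in ("11:50:00", "12:00:00", "12:00:30", "12:01:00",
                 "12:01:30", "12:02:00", "12:02:30", "12:03:00")]
    + [_cf(t, "198.51.100.4", "/downloads/banner.gif", MIB)
       for t in ("12:00:10", "12:00:20", "12:00:30")]
    + [_cf(f"12:00:0{i}", "192.0.2.7", "/index.html", 2048) for i in range(8)]
)


def parse_line(line):
    """Return {ts, ip, uri, bytes} for a data line, or None for comments/short lines."""
    if line.startswith("#"):
        return None
    f = line.split("\t")
    if len(f) < 8:
        return None
    return {"ts": datetime.fromisoformat(f"{f[0]}T{f[1]}"),
            "bytes": int(f[3]), "ip": f[4], "uri": f[7]}


def evaluate(log_text, prefix=PROTECTED_PREFIX, limit=LIMIT, window=WINDOW):
    """Replay the log in time order and apply the rate-based rule.

    Returns per-IP counts of blocked requests, egress bytes actually served
    with the rule in place, and egress bytes that would have been served
    without it.  Blocked requests still count toward the window, as a WAF
    rate rule keeps counting requests it has blocked."""
    recent = defaultdict(deque)          # ip -> timestamps of in-scope requests
    blocked = defaultdict(int)
    served = defaultdict(int)
    unprotected = defaultdict(int)
    entries = sorted(filter(None, map(parse_line, log_text.splitlines())),
                     key=lambda e: e["ts"])
    for e in entries:
        ip = e["ip"]
        unprotected[ip] += e["bytes"]
        if not e["uri"].startswith(prefix):  # scope-down: rule does not apply
            served[ip] += e["bytes"]
            continue
        q = recent[ip]
        while q and q[0] <= e["ts"] - window:  # drop hits older than the window
            q.popleft()
        q.append(e["ts"])
        if len(q) > limit:
            blocked[ip] += 1
        else:
            served[ip] += e["bytes"]
    return {"blocked": dict(blocked), "egress_served": dict(served),
            "egress_unprotected": dict(unprotected)}


def estimated_cost_usd(nbytes, usd_per_gb=EGRESS_USD_PER_GB):
    """Egress cost at the assumed per-GB price, rounded to a tenth of a cent."""
    return round(nbytes / 1e9 * usd_per_gb, 4)


if __name__ == "__main__":
    r = evaluate(SAMPLE_LOG)
    for ip in r["egress_unprotected"]:
        print(f"{ip:14} blocked={r['blocked'].get(ip, 0)} "
              f"served={r['egress_served'][ip]} B "
              f"(${estimated_cost_usd(r['egress_served'][ip])}) "
              f"without rule={r['egress_unprotected'][ip]} B "
              f"(${estimated_cost_usd(r['egress_unprotected'][ip])})")
```

With the limit set to 5, the looping client's sixth and seventh in-window hits are blocked while its hit ten minutes earlier has aged out of the window, the three-request client is untouched, and the `/index.html` client is never counted at all because the rule is scoped to `/downloads/`. The cost figures only become interesting at realistic volumes; the point of the code is the window and scope-down semantics, which is what a real WAF rate-based rule gives you for the flat fee the thread mentions.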

So let’s say they implement cost limits. How does this work? When you reach the limits, does it delete all your resources? Idle them, then force AWS to pay the bill by keeping those resources out of rotation for others? Someone has to pay for those resources while they’re used, and most don’t want their database tables dropped because they got popular and hit their spend limit.