Hacker News
by saimiam 1589 days ago
> blame the user

Not sure how this is blame the user. If you are setting up a bare metal server for a client and they don't ask you for (say) DDOS protection, will you still set up a DDOS protection protocol for them? I would think not since most people would try to match what a client asks for and maybe throw in some freebies.

If after that, they get hit by DDOS, the onus is on them to have told you to plan ahead for it, and knowing this is not "blame the user".

This is exactly what AWS is also offering - a basic setup and extra bells and whistles to protect yourself from possible issues based on your threat model.

Maybe I'm missing something in your response.


There are two kinds of outcomes from a DDoS:

1. an outage, which in reality is just an inconvenience, not the end of the world, unlike what most IT people seem to think.

2. a bill that can bankrupt you, which may as well be the end of the world for many people or small businesses. It can be literally "game over".

A bare metal box doesn't need protection from the 2nd risk. Its costs are fixed, irrespective of the amount of traffic attempting to hit it. A 100 Mbps link can't put out more than 100 Mbps, so even if you're charged by the terabyte of egress, there's a cost ceiling integrated into the hardware itself.

The cloud generally has no such limits, or much, much higher ones than is typically desirable.

Okay, here's another random example your WAF will not protect you from: cloud-hosted DNS.

The bare metal scenario is a box sitting on the end of a 1 Gbps Ethernet link. If attacked by some crazy UDP DNS flood attack, it could probably saturate that pipe and send out... 1 Gbps. On a fixed-cost-link plan this costs $0.00 additional money. You might have an outage, or merely a brown-out, but you won't see a cent added to your next bill.

On Azure's DNS Zones service, there's no "1 Gbps" pipe to rate limit them. They have infrastructure deployed globally, typically with 100 Gbps links. In practice, the DNS server probably only gets about 10 Gbps per region, but there's many regions. At 100 bytes per packet, you could be looking at a billion requests per second billed to your account, at an eyewatering $200/s or $720K/hour. Ouch!

Now, Azure will probably forgive that bill because it's clearly an attack.

But what if it isn't clearly an attack? Application Insights by design puts the Instrumentation Key into client-side JavaScript. It charges $3/GB on ingress! It's trivial to charge someone thousands or tens of thousands of dollars before they notice, and then they'd have a hard time convincing support that the traffic wasn't legitimate.

I can send a terabyte out for cents, each of which would cost some poor fool $3,000.

Good luck plugging every such hole, monitoring every alert (there's literally tens of thousands of metrics to alert on), and keeping up with every spike in billing that's a day late reporting on costs that can ramp up to thousands of dollars per minute.
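As an added illustration of the cost argument in this comment (not code from the thread or from any cloud provider), here is a small Python model of the two billing shapes it contrasts, a fixed link that caps volume versus a metered endpoint that does not, plus a spend-velocity check that flags the kind of ramp a day-late billing report would miss. Prices, link speeds and the billing samples are constructed assumptions.

```python
# Added example (not from the thread): worst-case billing exposure under the two
# cost models this comment contrasts, plus a spend-velocity check for the
# "thousands of dollars per minute" ramp that a day-late billing report would miss.
# Prices, link speeds and the billing samples below are constructed assumptions.
from typing import List, Tuple

GB = 1e9  # decimal gigabyte, the unit cloud egress/ingress billing uses


def fixed_link_ceiling(link_bps: float, hours: float, usd_per_gb: float = 0.0) -> float:
    """Maximum cost over `hours` for a box behind a fixed-capacity link.

    The link caps volume: bytes <= link_bps / 8 * seconds. On a flat-fee plan
    usd_per_gb is 0, so the ceiling is $0 however hard the box is hit.
    """
    max_bytes = link_bps / 8 * hours * 3600
    return max_bytes / GB * usd_per_gb


def metered_exposure(requests_per_sec: float, bytes_per_request: float,
                     hours: float, usd_per_gb: float) -> float:
    """Cost of an unthrottled metered endpoint: nothing caps the volume, so the
    bill grows linearly with whatever rate the sender chooses."""
    total_bytes = requests_per_sec * bytes_per_request * hours * 3600
    return total_bytes / GB * usd_per_gb


def spend_velocity_alerts(samples: List[Tuple[int, float]],
                          usd_per_minute_limit: float) -> List[Tuple[int, float]]:
    """Flag intervals whose spend rate exceeds the limit.

    samples: (epoch_seconds, cumulative_usd) pairs in time order.
    Returns (timestamp, usd_per_minute) for every interval that breached."""
    alerts = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        rate = (c1 - c0) / ((t1 - t0) / 60)
        if rate > usd_per_minute_limit:
            alerts.append((t1, rate))
    return alerts


# Constructed billing export: quiet baseline, then a ramp in the last two intervals.
SAMPLE_BILLING = [(0, 10.0), (600, 10.5), (1200, 11.0), (1800, 500.0), (2400, 3200.0)]

if __name__ == "__main__":
    print(f"1 Gbps flat-fee box, 1 h: ${fixed_link_ceiling(1e9, 1):.2f}")
    print(f"1e6 req/s x 100 B for 1 h at $3/GB: ${metered_exposure(1e6, 100, 1, 3.0):,.2f}")
    print(spend_velocity_alerts(SAMPLE_BILLING, usd_per_minute_limit=20.0))
```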

An outage is a pretty big reputational risk imho - if I'm a startup offering a SaaS and being on Hacker News' front page hugs my site to death, I'm probably losing some potential conversions and have to answer questions about the solidity and longevity of my infra. It's an inconvenience in the moment but erodes trust over time. Unless you're Twitter and your fail whales become memes, being hugged to death is a bad thing.

I agree that the downside of scaling is the risk of running up huge bills. But the safety net to prevent the run-up is literally a monthly flat fee - $5 + $1/WAF rule. Also, you don't have to monitor every alert - just the common ones. If I had to build a comparable alerting system on bare metal, I'd go crazy.

To me, the flexibility of the cloud is worth the trade-off.

> WAF will not protect you from... UDP...

Don't think WAF is the tool to protect against UDP layer attacks. Shield (which is available standard) already handles this.

To be clear, I have not had to deal with DDOS attacks. What we once had to deal with was someone repeatedly downloading a 1 MB GIF from our website, which led to big egress fees. WAF's rate-based rules put an end to that nonsense.

So let's say they implement cost limits: how does this work? When you reach the limits, does it delete all your resources? Idle them, then force AWS to pay the bill by keeping those resources out of rotation for others? Someone has to pay for those resources while they're used, and most don't want their database tables dropped because they got popular and hit their spend limit.