Ask HN: How is BunnyCDN DDoS protection VS Cloudflare?
8 points by HappyCathode 1103 days ago
BunnyCDN Smart DNS load balancer solution costs a LOT less than Cloudflare, I would like to use it in front of a couple HAProxy instances that host my API.

I know Cloudflare is pretty well known for its DDoS protection, but I'm wondering if anybody has experience with BunnyCDN? Is it ok, good, bad, good enough?

I don't think I can use both (Use BunnyCDN DNS load balancer pointing to Cloudflare A records) without having two domains. That would probably be the best of both worlds, but I don't want to buy a second domain if BunnyCDN is good enough.

Thanks!

2 comments

BunnyCDN DDoS protection is made to protect their servers and the customers, it's not meant to serve your service as a shield against attacks.

This is a common misconception with many providers, they have DDoS protection to ensure that an attack against them won't cause your website/service to be unavailable, however, if an attack targets your service, it most likely won't be filtered by their system.

It usually does cover volumetric attacks since those usually bring everything down with it.

As to layer 7 or other types of attacks, it’s a tough call. You need specialized services. Cloudflare does great for its price. It’s not like the big cloud providers reliably solve this problem either.

Cloudflare is the safest in that you can use Cloudflare tunnels to somewhat hide your origin.

Otherwise your origin is still public and there are ways to find out and attack it (bypassing Bunny) easily.

Cloudflare also has a WAF that Bunny says is coming soon (doesn’t apply to DNS only).

Bunny DNS is a relatively new product so it’s not as well tested.

I'm planning on dropping anything that doesn't come from https://www.cloudflare.com/en-ca/ips/, but the tunnels are indeed even better... don't have to stay up-to-date with IP list, and don't have to waste CPU dropping bad traffic. Cloudflare is indeed the safest known solution.

And yeah Bunny.net are getting annoying with their "Coming Soon" stuff. S3 API has been "almost ready" since at least 2020, according to one of their Twitter posts. It looks like they are way too small to deliver, but I really like them and I hope they will.

How would you find the origin ip with Bunny? They proxy it as well right?

I think they meant that your public IPs are responding to requests on :80 and :443. Port scanners are going to find it pretty fast and have fun.

The OP only asks about using Bunny DNS (not the CDN) so the user can resolve your real IP behind it.
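
Added example, not part of the thread: one way to handle the "stay up-to-date with IP list" problem raised in the comment about dropping anything that does not come from the published Cloudflare ranges. It validates a fetched range list before it replaces the origin's allowlist, so an empty or over-broad file cannot silently disable or break the filter. The function names, the prefix floors and the sample ranges are assumptions made for illustration.

```python
import ipaddress

# Assumed sanity floors (not from the thread): a fetched list containing a
# range broader than these would effectively disable the filter.
MIN_PREFIX = {4: 8, 6: 16}

def parse_ranges(text):
    """Parse one-CIDR-per-line text into networks; raise on anything suspicious."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"line {lineno}: {net} is too broad")
        nets.append(net)
    if not nets:
        raise ValueError("empty list: refusing to replace the current allowlist")
    return nets

def is_allowed(peer, nets):
    """True if the TCP peer address falls inside any allowed range."""
    addr = ipaddress.ip_address(peer)
    # IPv4-mapped IPv6 peers (::ffff:a.b.c.d) appear on dual-stack listeners.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in nets)

def render_acl_file(nets):
    """One CIDR per line, the format HAProxy's `acl ... src -f <file>` reads."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return "".join(f"{n}\n" for n in [*v4, *v6])

# Constructed sample (documentation ranges, NOT Cloudflare's real list).
SAMPLE = """\
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25
2001:db8::/32
"""
```

The check applies to the TCP peer address only; a forwarded-for header is client-controlled and is not a substitute for it.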