by AdamJacobMuller 241 days ago
> I've tried 30X redirects (which it follows)

301 response to a selection of very large files hosted by companies you don't like.

When their AWS instances start downloading 70000 windows ISOs in parallel, they might notice.

Hard to do with Cloudflare, but you can also tarpit them. Accept the request and send a response, one character at a time (make sure you uncork and flush buffers/etc), with a 30 second delay between characters.

700 requests/second with say 10Kb headers/response. Sure is a shame your server is so slow.
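A minimal version of the tarpit described above, as an added example written for this page (not code the commenter posted). It assumes a plain TCP listener on 127.0.0.1:8080, a 4096-byte body, and that "uncork and flush" is done by disabling Nagle with TCP_NODELAY so each one-byte send() leaves the host at once; the drip loop is split out so it can be exercised without a socket.

```python
"""Inverse slow-loris ("tarpit") HTTP responder.

Illustrative code added for this page; the port, body size, delay and the
use of TCP_NODELAY as the "uncork" step are assumptions, not the commenter's.
"""
import socket
import threading
import time

STATUS_LINE = b"HTTP/1.1 200 OK\r\n"
# Advertise a body far larger than will ever arrive at one byte per `delay`
# seconds, so a well-behaved client keeps waiting for the rest instead of
# treating the response as complete.
HEADERS = (
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 100000000\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
)
BODY = b"." * 4096  # 4096 bytes at 30 s/byte is roughly 34 hours of waiting


def drip(send, payload, delay=30.0, sleep=time.sleep):
    """Push `payload` through `send` one byte at a time with `delay` seconds
    between bytes. Returns how many bytes were handed to `send`; stops early
    when `send` raises OSError (the peer gave up and closed the socket)."""
    sent = 0
    for i in range(len(payload)):
        try:
            send(payload[i:i + 1])
        except OSError:
            break
        sent += 1
        if i < len(payload) - 1:
            sleep(delay)
    return sent


def read_request_head(conn, limit=16384):
    """Consume the request line and headers (up to `limit` bytes) so the
    client sees its request accepted before the slow response begins."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def handle(conn, delay=30.0):
    """Serve one tarpitted connection, then close it."""
    try:
        # "Uncork": disable Nagle so each single-byte send() is transmitted
        # immediately instead of being coalesced into a larger segment.
        conn.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        read_request_head(conn)
        # Status line and headers go out promptly; the client then commits to
        # reading a body that arrives one byte every `delay` seconds.
        conn.sendall(STATUS_LINE + HEADERS)
        drip(conn.sendall, BODY, delay)
    except OSError:
        pass
    finally:
        conn.close()


def serve(host="127.0.0.1", port=8080, delay=30.0):
    """Accept connections forever, one thread per tarpitted client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1024)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn, delay), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two practical points: the per-byte delay has to stay below the client's idle read timeout, or it gives up and reconnects instead of sitting there, and each held connection costs you one mostly idle socket, so raise the file-descriptor limit on the tarpit host before pointing thousands of bots at it.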


>301 response to a selection of very large files hosted by companies you don't like.

I suggest Amazon

Unfortunately, it seems AWS even has firewalls that will quickly start failing these requests after a few thousand, then they're back up to their high-concurrency rate
Microsoft
> Accept the request and send a response, one character at a time

Sounds like the opposite of the Slowloris DDoS attack [1]. Instead of attacking with slow connections, you're defending with slow connections

[1] https://www.cloudflare.com/en-au/learning/ddos/ddos-attack-t...

That's why it is actually sometimes called inverse slow loris.
it's called the slow sirol in my circles
As an alternative: 301 redirect to an official .sg government site, let local law enforcement deal with it.
Don't actually do this, unless you fancy meeting AWS lawyers in court and love explaining intricate details of HTTP to judges.
I like this idea. Here's how it plays out: Singapore law enforcement gets involved. They send a nasty-gram to AWS. Lawyers get involved. AWS lawyers collect facts. Find that the culprit is not you, find that you've asked for help, find that they (AWS) failed to remediate, properly fix responsibility on the culprit and secondary responsibility on themselves, punch themselves in the crotch for a minute, and then solve the problem by canceling the account of the offending party.
> Find that the culprit is not you, find that you’ve asked for help, find that they (AWS) failed to remediate, properly fix responsibility on the culprit and secondary responsibility on themselves, punch themselves in the crotch for a minute, and then solve the problem by canceling the account of the offending party.

Yeah, lawyers are notorious for blaming themselves and taking responsibility. You definitely won't just get blamed.

A lawyer who can see an easy defence to a path they wish to pursue is going to consider that in their response. If that defence looks like their own client's vulnerability would be exposed in defence because of their client's action or inaction, their first response will almost certainly be to get the client to fix that action or inaction.
^ I love you
>When their AWS instances start downloading 70000 windows ISOs in parallel, they might notice.

Inbound traffic is free for AWS

It's free, but it's not infinite.
Free just means you get in trouble when you abuse it.