[Firehed]

Easier said than done. We've had DDOS issues in the past as well, and getting it resolved - even by throwing money at the problem - is nontrivial.

What amounts to throwing a massive amount of hardware at the problem (i.e., boxes that can handle 10-100+gbps of traffic, filter out the attacks, and pass only legit stuff down to your servers) is expensive[1], and casuses all sorts of unexpected behavior: API clients mysteriously break, good traffic gets mistakenly dropped, latency is added to the whole process, etc. It gets even weirder on SSL-protected sites. And it's all dependent on attackers not getting the IP of your actual servers which they could then just attack directly.

[1] For sites with even not a whole lot of traffic, you're talking a one-year contract easily in the range of an engineer's salary. I wouldn't be surprised if the cost to protect sites with as much traffic as Github exceeded $1m/year. Even if you have plenty of cash in the bank, that's one hell of a pill to swallow.

[nnnnnnnn]

Github can easily afford to use someone like Prolexic. And they should.

When you say things like "And it's all dependent on attackers not getting the IP of your actual servers" this makes me wonder how much you understand the subject matter. There are many, many options.

[Firehed]

Prolexic's servers don't take the load if the attackers know where the computers behind the scrubbers are. Configuring iptables to ignore all traffic not coming from prolexic's IPs doesn't come close to fending off a DDOS.

I know this because I was told this by prolexic while configuring our servers to sit behind their scrubbing servers while we're under an equally crippling DDOS (one that took down half the customers in our datacenter, not just us). So while I haven't examined their tech stack under a magnifying glass, I'm not exactly talking out of my ass here.

Yes, there are other options but those don't take an hour to implement like signing a contract and changing a few DNS entries does. And when these conditions exist, you need an answer that can be implemented in an hour.

[nnnnnnnn]

You are fabricating straw men. They do not need "an answer that can be implemented in an hour." They have been in business for 4 years, and this particular string of DDoS attacks has been going on for several days now. This is both a a planning failure and an incident response failure.

Your comment about iptables is odd. I don't know why iptables would be relevant here; I suspect we are talking about implementations several orders of magnitude different in size. Certainly one would drop traffic at the edges and not do filtering on end nodes.

[Firehed]

Speaking from experience, most companies don't think to implement DDOS protection until they're under attack. It's just not on most people's checklists. Hence the need to implement something in an hour. The fact that its a problem proves my point.

Yes, it sounds like our scales here are quite different. I'm referring to a few machines in a single data center, not hundreds being geographically distributed.