by timdorr 4474 days ago
It depends if this attack is on basecamp.com or the IPs that basecamp.com resolves to.

It appears Basecamp only has a /23, so even if they redirected traffic through Cloudflare, the attacker could still find their direct servers fairly easily and attack that IP. It's still possible to block, but not quite as easy as setting up Cloudflare.

2 comments

> so even if they redirected traffic through Cloudflare, the attacker could still find their direct servers fairly easily and attack that IP.

Why would it be easier for the attacker to find their direct servers if they only have a /23 - doesn't Cloudflare obscure the identity/location/IP of the server on the other side?

It's only 512 addresses, so the attacker can just switch between different IPs until service degrades and keep on that address. Also, it's likely their rack/cage has a limited amount of bandwidth compared to the whole datacenter, so they can just send traffic to that range and overload the switch.
> ...the attacker could still find their direct servers fairly easily and attack that IP.

Can the upstream to the actual server restrict traffic to known Cloudflare blocks?

We've had issues with saturated upstreams and then been negotiating new ISP connections. All the ISPs I've asked (Level3, NLayer, Cogent) won't put an active restriction to only CDN blocks upstream.

The ISPs will help during a DDOS but response times are slow and we haven't tried getting them to put this type of block in place yet.
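A host-side version of the allowlist asked about above (letting the origin accept web traffic only from known CDN source blocks), added here as an example and not taken from any commenter; the CDN ranges, origin prefix and log records are constructed placeholders, and the nftables rendering assumes a Linux origin. As the thread points out, a filter on the host cannot help once the upstream link is saturated, so this only enforces that the origin itself answers CDN traffic alone.

```python
import ipaddress
import re

# Constructed placeholder CDN ranges (RFC 5737 documentation space); a real
# deployment loads the CDN's published list instead of these.
CDN_BLOCKS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")]

ORIGIN_PREFIX = ipaddress.ip_network("192.0.2.0/23")  # constructed stand-in for the /23 (512 addresses)
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed connection records: two arriving via the CDN, one direct to the origin.
SAMPLE_LOG = (
    "2014-03-24T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=443",
    "2014-03-24T10:00:02Z src=203.0.113.9 dst=192.0.2.11 dport=80",
    "2014-03-24T10:00:03Z src=203.0.113.200 dst=192.0.2.10 dport=443",
)

def is_cdn_source(ip: str) -> bool:
    """True if the source address lies inside an allowlisted CDN block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in CDN_BLOCKS)

def classify(log_lines=SAMPLE_LOG):
    """Split connection records into (accepted, dropped) lists of source addresses."""
    accepted, dropped = [], []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record
        src, dst, _port = m.groups()
        # Only traffic aimed at the origin prefix is subject to the allowlist.
        if ipaddress.ip_address(dst) in ORIGIN_PREFIX and not is_cdn_source(src):
            dropped.append(src)
        else:
            accepted.append(src)
    return accepted, dropped

def nft_ruleset() -> str:
    """Render an nftables snippet admitting only CDN sources to ports 80/443."""
    elems = ", ".join(str(b) for b in CDN_BLOCKS)
    return "\n".join([
        "table inet origin_filter {",
        f"  set cdn_v4 {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    ip saddr @cdn_v4 tcp dport { 80, 443 } accept",
        "  }",
        "}",
    ])
```

The third sample record is a near miss on purpose: 203.0.113.200 sits in 203.0.113.0/24 but outside the allowlisted /25, so it is dropped.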