heh...basecamp, meetup, vimeo, and bit.ly are 'small'.
Are there any documented instances of this happening to smaller startups? And, relatedly, are a set of best practices emerging to deal with this sort of a thing?
I'd be really curious to see best practices for smaller startups. We've never been hit with a DDOS, but bot attacks seem pretty commonplace. I'd love to see the open source community come together to create some mitigation strategies, though I admit I don't know what they would entail.
While certainly not a startup I manage an altcoin pool and DDOS seems to be a big deal in this space. In fact my pool (http://awesomehash.com) just got his this morning.
It's a really bad feeling. Our miners really have no reason to stay with us. For a majority of them, as long as the servers are up there's no difference between pools. If our servers go down, even through no fault of our own we stand to lose a bunch of our members, and who knows if they'll come back.
As for solutions, we implemented a few new iptables rules, and we ended moving from DO to another VPS provider who has DDOS mitigation. There really isn't much you can do.
I think the chances are "smaller" start ups are not a big target since they don't have the resources for future payoffs, or even initial pay offs. If it took the same effort would you rob a homeless man?