by rdl 4387 days ago
I think one of the useful things to point out is how the $2-5/Mbps transit ($0.45/Mbps transit is probably not realistic in enough places) is billed -- generally, 95th percentile of the higher of inbound or outbound.

So, a site which has a lot of outbound traffic (most web servers) essentially has an equal amount of "free" inbound capacity available. You could sell this to someone doing web crawls, or online backups, or something, but DDoS (if you end up paying for it) is essentially all inbound, too.

The best position to absorb DDoS, if you're not a specialty firm, is to have a huge amount of outgoing web server traffic, huge systems built for that, and really great cooperation with your upstreams to push out filters as quickly as possible. The problem is this only really works against pure resource-consumption DDoS; if people realize a 50Gbps SYN flood doesn't affect you too much, they'll move up the stack to layer 7, and then custom-tailored layer 7.

For a site which is huge and constantly being attacked, I could see this becoming a core competency (USG?) -- for anyone else, it's probably something you could outsource.

There are drawbacks to outsourcing your network, but if you're already hosted in the cloud, those drawbacks are mainly the incremental reliability of your outsourced edge provider -- pick a good one. If you're not in the cloud, you need to be very clear what your security model is -- I definitely wouldn't trust bitcoins to any outsourced service provider operating above the atoms level (i.e. a cage in a colo, with no security dependency on anyone running anything above that), but DDoS mitigation is critical for that kind of business -- the optimal situation is to have "untrusted" frontend nodes handling all your incoming traffic, with DDoS mitigation as a service, WAF, etc. probably outsourced, and then application-specific security on your own infrastructure. The DDoS layer can, if it fails, DoS you, but you can switch away from it. The DDoS layer can't actually subvert your application beyond that.
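The billing rule described in the comment above (95th percentile of the higher of inbound or outbound per sampling interval) is easy to get wrong when estimating either the "free" inbound headroom or the cost of absorbing an inbound flood. The following is an added worked example, not code from the original post or from any provider. It assumes a provider-style 95th percentile (sort the per-interval samples descending, discard the top 5%, bill the next sample), a constructed 100-interval series standing in for a month of 5-minute samples, and a price of $3/Mbps/month; the traffic figures and the 5000 Mbps flood are constructed values chosen only to illustrate the rule.

```python
"""95th-percentile transit billing on max(inbound, outbound), as a worked
example of the rule described in the comment above.  Added illustration;
all sample numbers are constructed, not measured."""
import math

PRICE_PER_MBPS = 3.0  # assumed $/Mbps/month, within the $2-5 range quoted


def percentile_95(samples):
    """Provider-style 95th percentile: sort descending, discard the
    highest 5% of samples (rounded down), bill the next one."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples, reverse=True)
    discard = int(math.floor(0.05 * len(ordered)))
    return ordered[discard]


def billable_mbps(inbound, outbound):
    """Take the higher direction within each interval, then the 95th
    percentile of that series (the usual 'max of in/out' billing)."""
    if len(inbound) != len(outbound):
        raise ValueError("inbound and outbound series differ in length")
    return percentile_95([max(i, o) for i, o in zip(inbound, outbound)])


def inbound_headroom_mbps(inbound, outbound):
    """Inbound capacity usable without raising the bill: the gap between
    what is billed (driven by outbound) and the inbound 95th percentile."""
    return billable_mbps(inbound, outbound) - percentile_95(inbound)


def monthly_cost(inbound, outbound, price=PRICE_PER_MBPS):
    """Monthly transit cost in dollars at the assumed per-Mbps price."""
    return billable_mbps(inbound, outbound) * price


def constructed_month(flood_intervals):
    """Constructed series of 100 intervals (standing in for a month of
    5-minute samples): outbound-heavy web traffic, light inbound, plus an
    inbound-only flood lasting `flood_intervals` consecutive intervals."""
    n = 100
    outbound = [900 + (i % 10) * 10 for i in range(n)]   # 900..990 Mbps
    inbound = [120 + (i % 5) * 5 for i in range(n)]      # 120..140 Mbps
    for i in range(50, 50 + flood_intervals):
        inbound[i] = 5000                                # flood is inbound only
    return inbound, outbound


if __name__ == "__main__":
    quiet_in, quiet_out = constructed_month(0)
    print("billed Mbps (no flood):", billable_mbps(quiet_in, quiet_out))
    print("free inbound headroom Mbps:", inbound_headroom_mbps(quiet_in, quiet_out))
    # A flood shorter than 5% of the interval count falls into the discarded
    # top 5% and costs nothing; one that outlasts it becomes the bill.
    for flood in (3, 10):
        inb, outb = constructed_month(flood)
        print(f"flood of {flood} intervals -> billed "
              f"{billable_mbps(inb, outb)} Mbps, ${monthly_cost(inb, outb):.0f}")
```

With these constructed numbers the quiet month bills at 990 Mbps (the outbound 95th percentile), leaving about 850 Mbps of inbound that is free in the sense the comment describes. A three-interval inbound flood is absorbed by the discarded top 5% and changes nothing; a ten-interval flood outlasts that window, so the 5000 Mbps inbound samples become the billed figure and the month costs roughly five times as much, which is the "if you end up paying for it, it's all inbound" point.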