from Hacker News

Someone has been attempting to DDoS us for weeks and we do nothing

by spacebuffer on 3/30/24, 7:35 AM with 192 comments

• by lopkeny12ko on 3/30/24, 11:16 AM

  This reads as extremely self-congratulatory. A "billion requests per month" is only a few hundred requests per second, which is both trivial and not a "DDOS." Also, their site is behind a CDN (Cloudflare), so I'm extra confused on how they think they did something notable from a performance perspective here.

  For example, there's no reasonable world where that 200 MB blob is not cached and served over CDN. I can't imagine someone would be so proud that their application server isn't reading 200 MB from disk and copying those bytes to the client on every download; it's just so obviously poor design.

• by ThePhysicist on 3/30/24, 9:01 AM

  4 TB per month isn't really a DDoS attack, no? 4 TB per hour might qualify as a DDoS, but 4 TB per month is just 1.5 MB / second. 6 million requests per months are just 2 requests per second. I'd say the fact they run a monolith service isn't really relevant at this scale, especially as I assume Cloudflare handles most of the requests through caching them at the CDN level.

• by oefrha on 3/30/24, 9:51 AM

  This is just a static marketing site for a desktop app. They don’t even have a discussion forum — feedback is handled by GitHub issues. Bragging about how simple their deployment is for a static marketing site and how it’s able to handle a static file being downloaded millions of times a day is super weird. And Cloudflare is doing all the mitigation work here (if that’s even needed for such a puny amount of traffic), not them.

  If I were to be hit by such an "attack" myself I probably wouldn't even notice until Cloudflare sends me that monthly "X TB of data transferred, something close to 100% bandwidth saved" email.

  I like the app btw, can recommend.

• by PreInternet01 on 3/30/24, 9:31 AM

  I'd hardly call that a DDoS attack: from the description given, the extra 8TB-or-so of monthly traffic seems to fall under "annoyingly pointless abuse of services"...

  As long as such abuse doesn't cause monetary or resource exhaustion concerns, it's quite OK to ignore it, but stories like "whelp, turns out that 80% of the capacity of our auto-scaling fleet is not doing anything useful" are depressingly common enough to at least keep an eye on things.

  My annoyance with this kind of abuse revolves mostly around logging: a majority of logs just showing the same set of hosts displaying the same pointless behavior over and over again. Again, not a huge issue if your log storage is cheap and plentiful (as it should be), but having some kind of way to automatically classify certain traffic as abusive and suppress routine handling of that is definitely a good idea.

  It's also a lot harder than it sounds! I can't count the number of times I've added classification logic to my inbound SMTP server that should pick up on outright, silly abuse (of which there is a lot when dealing with email), only to have it triggered by some borderline-valid scenario as well.

  Spending way too much time on going down successive rabbit holes is a great way not to get any real work done -- a great reason to outsource, or, if that's too much work as well or just too expensive, indeed just ignore the abuse, annoying though it is...

• by sethammons on 3/30/24, 10:29 AM

  That's not a noteworthy "attack"; that could be a single runaway bash script on someone's machine. 50MM requests per month "from the UK" averages out to under 20 requests per second. I would expect a single Go server to handle 250 times that request volume before optimizing much.

  Their advice isn't bad per se, but their numbers are not a testament to it. I expect for my Go HTTP API services to handle 5k requests per second on a small to medium VPS when there is some DB activity and some JSON formatting without doing any optimizations. This is based on deploying dozens of similar services while working at a place that got multiple billions of requests per day, spiking to over 500k rps.

• by headmelted on 3/30/24, 9:09 AM

  It’s great that this isn’t hurting them but it leaves out a lot that makes me a bit nervous about this being taken as advice.

  They’re advocating deploying a binary as preferable to using docker, fair enough, but what about the host running the binary? One of the reasons for using containers is to wrap your security hardening into your deployment so that anytime you do need to scale out you have confidence your security settings are identical across nodes.

  On that, the monolith talked about here can be hosted on a single VPS, again that’s great (and cheap!), but if it crashes or the hardware fails for any reason that’s potentially substantial downtime.

  The other worry I’d have is that tying everything into the monolith means losing any defence in depth in the application stack - if someone does breach your app through the frontend then they’ll be able to get right through to the backend data-store. This is one of the main reasons people put their data store behind an internal web service (so that you can security group it off in a private network away from the front-end to limit the attack surface to actions they would only have been able to perform through a web browser anyway).

• by sameoldtune on 3/30/24, 10:51 AM

  Pet peeve of mine. “Billion requests per month” is about 370 rps. Which can be likely handled by a single well configured server. Certainly less than 10 servers. A single rogue bash script could cause that much traffic

• by mastermedo on 3/30/24, 8:53 AM

  I might be out of touch with reality, but billions of requests per month sounds like peanuts. Is that considered a big ddos attack?

• by NKosmatos on 3/30/24, 8:43 AM

  Nice one :-)

  “… => Thus, we build a monolith service for each app, which is easy to deploy and maintain. No Docker, no Kubernetes, no dependencies, no runtime environment - just a binary file that can be deployed on any newly created VPS. …”

• by filleokus on 3/30/24, 9:36 AM

  Was hoping for something more swole dog worthy when reading the headline. Even though I agree with much of the advice, being behind Cloudflare is definetly not nothing.

  Depending on the distribution of the traffic they might have survived well on VPS's without Cloudflare anyways, doesn't seem that large. Would be interesting to see more detailed stats of rps and how much (if any) Cloudflare stopped before they got it.

  Russian layer7 ddos'es that I know of targeting Swedish companies have been large enough that major providers run into capacity problems and fall over (including Verizon, Azure Frontdoor, Cloudflare, GCP's Load balancer). This strategy would absolutely not work against those volumes.

• by pheatherlite on 3/30/24, 10:48 AM

  Why do they need an app server at all? The website, to my initial glance, seems to be a brochure for the desktop product. Surely static pages and static assets would be even more resilient against a ddos since it's just bog standard webserver streaming out the static resources. Mount a memory based fs and conventional disk latency concerns become mitigated, too.

• by kopos on 3/30/24, 9:07 AM

  A bit ingenious to say we do nothing when you have CloudFlare in front of your servers. Cloudflare by itself can automatically detect and handle DDoS without explicitly activating the Under Attack mode.

  Also Java jar files give you the same benefit.

• by trickpa1 on 4/10/24, 10:51 PM

  You should try to protect yourself from it using cloudflare or something like that. here is one site which you can use to test your protection https://topstresser.net/#pricing

• by bun_terminator on 3/30/24, 9:34 AM

  I guess this is an ad, so I'll bite: Why is the mac download button featured so centrally, while there appear also to be downloads for other platforms, too? It's not like that's a usual default.

• by ckdarby on 3/30/24, 11:41 AM

  Literally laughed when they're talking about language choices for a billion requests per month.

  I've got nodejs lambda code that is doing 388B/month and only at this point have we even considered changing the language for performance because the cost savings have a net positive ROI.

  It took 5 years to get to this point.

• by andrewmackrodt on 3/30/24, 10:58 AM

  The architecture of the app didn't seem related to the "DDoS" attack they're describing. If it's only their setup file being downloaded, I imagine their backend isn't even touched, doubly so if they're using cloudflare for caching.

• by dugmartin on 3/30/24, 10:13 AM

  It feels like they didn't learn the root lesson - move your 200MB setup file to a subdomain. You shouldn't host large assets like this on the same domain as your marketing/app site even if there is a CDN fronting it because an attacker can simply add a random query string to bust through the CDN cache and cause the cache miss to hit your box. The subdomain should be hosted on a different box and fronted possibly with a different CDN provider so that any large scale attack doesn't affect your marketing/app site (either due to your CDN provider or upstream network provider temporarily black holing you).

• by vasco on 3/30/24, 9:43 AM

  Bragging about this has to rank up there as the worst idea in the world. If your hole argument is taunting would be attackers with your wallet - saying you're more overprovisioned than the traffic they can send, you're just threatening them with a good time. At another time in my life I'd take this post as an invitation, even, specially because the numbers shared are super low.

  I've had 3 situations where my place of work was under DoS attack, in the 3 cases I managed to identify an email address and reached out asking why they are doing it, and if they want to talk about our backend. In 1 case, the "attack" was a broken script by someone learning how to program, the other two were real attacks and one of them just immediately stopped once they knew we knew who they were, the other actually wanted to chat and we emailed back and forward a bit.

  99.99% of the time a DoS is someone who is bored. Talking to them tends to work.

  Edit: there's some questions about the situations so I'll expand:

  - The first was not a real attack, and they were doing the network calls through their authenticated API key. This was early days of a YC startup so of course there was no rate limiting in place. In this case I exchanged 2 or 3 emails and after they sent me their python script I sent them back a patch and they finished their scraping without bringing us down. Never heard from them again

  - The second was at a different company, we were getting targeted to distribute email spam, because at the time we'd allow people to invite their colleagues as members of their account, and some people associated with casinos based out of Macau automated a way to spam their casinos by putting the URL in the name of the account, which went out in the email notification. I contacted one of the admin emails of one of the casinos I found and they stopped and disappeared. In this case we also locked all their accounts and prevented further logins + emailed them to reach out to support if they thought it was a mistake.

  - The third one was more difficult, they weren't using any account, so all we had was network. At some point on the second day though they changed how they were sending some of the calls, and by mistake or not leaked their Telegram username. I installed telegram and talked to them, they trolled me a little bit, but stopped very quickly and didn't start it again. This one was very amusing to people in my company because I had told them this approach would work but a few of the big wigs didn't want me to do it (they didnt have any reason other than "obviously won't work to just talk"). I just did it anyway.

  To be clear, you shouldn't reach out with some threats or how you're so good that you found them. My approach is of genuine curiosity, and my literal first message to the telegram person was:

  "Hello, how is it going? I work at <companyname> and we're seeing a load of requests originating from your user here on telegram. Does this make any sense to you or do you think I might have the wrong person?"

  That's it!

• by tromp on 3/30/24, 9:38 AM

  > our setup file is approximately 200MB

  > we keep things as minimal as possible

  Wonder what's in that file that makes it need to be that large...

• by KingOfCoders on 3/30/24, 10:01 AM

  Doesn't look like a real DDos attack to me with the traffic numbers (of course, No true Scotsman).

  4TB/200mb = 5000.

• by ddorian43 on 3/30/24, 8:50 AM

  A nice thing about modern cloud providers is their expensive bandwidth so a new vector of attack is simply downloading large files that they host. (except cloudflare)

• by AtNightWeCode on 3/30/24, 10:16 AM

  Those numbers in the screenshot from Cloudflare represents requests to Cloudflare, not requests to the origin. It includes cache hits.

• by welzel on 3/31/24, 8:40 PM

  This is so cute. The webpage could be fully static, served from a raspberry as it is hiding behind a CDN anyway and the DDOS is not even trying.

  Anyhow, doing the same with a high traffic application would be a very very different animal, specially when the app has 100k+ active daily users and is doing actual stuff. The advice is not bad, but it sounds so silly. From experience every time a commercial web application was build as a monolith it became very hard or even unmaintainable in a few years, specially when 15+ Teams are constantly contribution. So pick the right hammer for the problem you have, but pretending a simple marketing webpage + payment/subscription is a good example for architecture is just a bit much.

• by vintermann on 3/30/24, 9:08 AM

  > we’ve simplified the deployment process as much as possible. We don’t use Docker, Kubernetes, or any containers, or need to setup the enviroment.

  This sounds like a dream, both in the sense that it's wonderful, and that I'm not quite sure I believe it.

• by razodactyl on 3/30/24, 9:03 AM

  I like this a lot: Why? Because the attacks are directed to someone who isn't bothered and wastes their own resources. I've been a Table Plus user for near a decade now and enjoy the simple but highly compatible software they provide.

• by block_dagger on 3/30/24, 9:17 AM

  Reminds me of Nietchze’s Genealogy of Morals quote: I’m strong enough to allow that.

• by d_burfoot on 3/30/24, 1:20 PM

  This content was very useful to me, as I am running a small service for a few clients that I worry might be taken down by a DDoS. The main takeaway seems to be "use a CDN", but if you are running a more complex service, why can't the attackers hit endpoints that aren't CDN-cached? Is the strategy in this case simply to refuse the request very early in the process, to ensure the service doesn't waste much time processing it?

• by PaulHoule on 3/30/24, 12:33 PM

  Downloading a setup file is not the way to bring down a site. My experience in the HDD era was that people laugh at you when you do a lot of requests like that but call the FBI on you (at least here in the States) if you insert a lot of random users into their database. (Each of those requires a transaction and each of those requires waiting for the disc to spin around unless they had a nice battery-backed write cache)

• by ur-whale on 3/30/24, 9:19 AM

  Public boasting as a mitigation strategy, that's got to be a new one.

  Not entirely sure it's a wise approach given the deeply asymmetric infrastructure costs of DDoS attacks, especially if the attacker has access to a botnet.

  [EDIT]:

  in other words, there is a non-zero probability that the attacker, piqued by the boasting, might be able at the flick of a switch to increase the intensity of the attack by a factor 1M.

• by dsign on 3/30/24, 11:55 AM

  > When using binaries, you can let Linux Systemctl handle the process

  “Systemctl” instead of “systemd” ? Hm, do I detect reticence to publicly admit the undeniable, vast superiority of systemd by confusingly using the name of the utility?

• by neya on 3/30/24, 3:22 PM

  This is the dumbest thing I've read on HN today.

  "We do nothing..because we can."

  This speaks volumes about your attitude towards security as a business. If I was your enterprise client I wouldn't really be happy reading this.

• by hntddt1 on 3/30/24, 9:44 AM

  It's going to a point where that directly find out the person behind it is cheaper than fix the bug. People nowadays don't pay respect to the hard working people anymore

• by CanaryLayout on 3/30/24, 9:34 AM

  Yeah Goroutines are great. Then add something like WebRTC to your project that realistically tops out at 10000 listeners, and people wonder why Twitter Spaces is so buggy...

• by wigster on 3/30/24, 11:18 AM

  THATS not a DDos attack! when i were a lad...

• by _ache_ on 3/30/24, 10:16 AM

  People has broken CI/CD so we do meme. Not sure if 6M/m is a lot. Looks like not that much.

• by memothon on 3/30/24, 3:34 PM

  A post like this seems kind of dangerous. Just asking someone to fire their cannon at you! Beware.

• by samyar on 3/30/24, 9:11 AM

  This is the first time hear the word "Monolith"

  What is it and how can one learn about it.

• by dewey on 3/30/24, 11:51 AM

  Almost sounds like a buggy update process of their app that they shipped.

• by tluyben2 on 3/30/24, 8:51 AM

  Similar problem and similar-ish product 0]; we get DDoSsed a lot and I don’t know why. We had to put Cloudflare botfight to stop it. That works very well, but what do you do if CF doesn’t exist?

  0] https://flexlists.com

• by vdddv on 3/30/24, 9:03 AM

  Is there any way to know who's behind a DDoS attack?

• by pknerd on 3/30/24, 9:46 AM

  off topic but you guys have done solid SEO. You query anything related to SQL/syntax and tableplus will be in front of you.

• by b0x68 on 3/30/24, 1:40 PM

  What does “heete” mean?

• by sylware on 3/30/24, 11:32 AM

  It is like computer viruses.

  DDoS attacks do benefit some specific corps, for instance cloudflare.

  What's very important is to build DDoS resistant infrastructure without them, to rid of the incentive to shadow-hire hackers to DDoS and force some infrastructures to move there and pay them.

  There is too much suspicion in the digital world nowdays. Like current crypto is not mainly for shaddy ops and mafia? Really?

• by kbar13 on 3/30/24, 9:58 AM

  not really that interesting of a post. billions of requests per month is like low hundreds of requests per second. billion is a big number but so is a month when it comes to request throughput. all the grandstanding about monolith... for something that serves 2-3 requests per second, and is a static marketing site... this is so overblown.

• by aoeusnth1 on 3/30/24, 5:17 PM

  Why is billions of request per month so exciting to the authors? That’s only ~100 QPS, which a single-core application should be able to handle easily.

  Wake me up when you have hundreds of millions of QPS of DOS load.