Hey everyone! I've been pondering a scenario involving economic DDoS attacks on serverless platforms and wanted to get your insights. Here's the situation:
Imagine using a service like Cloudflare Workers while an attacker leverages a large pool of residential IPs to flood random URLs (like `/random-string-12345`) to cause 404 errors without caching issues. They disconnect right after sending the request to save bandwidth.
This setup raises some concerns:
- The attacker's costs are minimal since they only incur bandwidth expenses.
- On the flip side, our costs can spike with each request triggering a Worker run and potentially a DB lookup.
- Traditional defenses like rate limiting don't seem effective against constantly changing IPs, and caching can be bypassed by those random paths.
I'm curious about how companies manage this type of threat. Do smaller businesses just accept the risk, or are there well-known defenses that I might not be aware of? Has anyone faced a similar issue?
3 Answers
I'm quite curious about how robust the DDoS protection is on these platforms. They likely monitor your baseline traffic and can detect anomalies. That should help a bit, right? But I'd love to hear more from someone with real-world experience.
Good question! It seems communicating with a gateway could help process 404s more gracefully. If possible, you might only want to trigger serverless functions after verifying user authenticity.
However, defining legitimacy can be tricky here since traffic can come from residential IPs which complicates matters, especially if legitimate users are sending requests like `/posts/random-slug`. There's definitely a need to balance security without damaging user experience.
It's definitely easy to rack up costs on serverless platforms, even without an attack. Some providers may offer bill forgiveness if you're hit with a DDoS, but reaching out doesn't guarantee anything. A workable option is to set a spending cap, which can help limit your exposure, even if it means going offline after hitting that limit.
On the defense side, you could look into using Cloudflare DNS for some level of DDoS mitigation. It can help cache certain types of traffic, but getting around random paths remains tough. In short, having a serverless platform could be risky if left unchecked.
Yeah, I’ve heard mixed reviews on DDoS bill forgiveness. It's more about how proactive you are with your provider. Mitigating costs while staying online is tricky, especially when common defenses like caching don't seem to hold up against what attackers can do.
I get what you're saying. It’s about managing legitimate traffic while protecting against attacks. Filtering costs increase with overly cautious measures, so it's a real balancing act.