OR you can easily survive DDoS by not relying on friggin centralized servers accessible over the internet for your social networks and apps. Run them on intranets for your local communities, village etc. and run them on VPNs elsewhere. Then mitigating DDoS can simply be done on the virtual router level.
It may be inconvenient, but you'll survive. We as an industry really need to stop pretending that the cloud is magical and has no downsides. Running on intranets is how a ton of companies successfully do business.
Containers are supposed to be throwaway; if you need to change something inside, you rebuild it from scratch and redeploy.
Hopefully, your data should not be throwaway. The common architecture is to have an application server inside a container that connects to a database or other persistent storage running outside containers.
Uhm. I'm not using containers much so I'm not up-to-date with best practices, but I recall a solution involving a "shared volume" for a containerized database to store data in. Is this approach wrong?
Mounts and shared volumes are fine, if you can guarantee that the container is going to be scheduled on this specific machine, where the given filesystem lives.
If you can't guarantee that, you are going into the world of NFS (which databases do not like much) or iSCSI, or, if you have distributed storage, into the world of glusterfs, ceph or something similar.
It's much simpler to just set up a database server (or cluster) and live with that.
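To make the scheduling caveat above concrete, here is an added example (not from the thread) of a Docker Compose / Swarm stack file: the database service is pinned to one node so its local volume is always on the host where the data lives, and a second application service instead points at a database that runs outside the containers entirely. The hostnames, image tags and the `DATABASE_URL` value are assumptions for illustration.

```yaml
# Added example, not from the original post. Docker Compose (v3 / Swarm) file.
version: "3.8"

services:
  # Option 1: database inside a container with a local volume.
  # This is only safe because the placement constraint guarantees the task
  # lands on the node whose filesystem holds the volume. Without it, a
  # reschedule onto another node gets a fresh, empty "pgdata" volume there.
  db:
    image: postgres:16            # assumed image/tag
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    volumes:
      - pgdata:/var/lib/postgresql/data
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == db-node-1   # assumed hostname
    secrets:
      - db_password

  # Option 2: application container, database kept outside containers.
  # The app is free to be scheduled anywhere; only the connection string
  # (assumed value) has to reach the external server or cluster.
  app:
    image: example/app:1.0        # assumed image/tag
    environment:
      DATABASE_URL: postgres://app@db.internal.example:5432/app
    deploy:
      replicas: 3

volumes:
  pgdata:
    driver: local                 # node-local storage, hence the pinning above

secrets:
  db_password:
    external: true
```

The point of showing both: with the `local` driver, Swarm creates a separate volume on whichever node the task is placed, so the placement constraint is what turns "mounts are fine" into an actual guarantee. Dropping it does not fail loudly; the database simply starts with no data on the new node.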
Everybody. One of the reasons software products are so lucrative is that they can be distributed easily, especially when compared to the logistical challenges of shipping physical goods. Take away my ability to sell Hello, World! to some guy in Japan, I might as well be selling candy door to door.
Guess what, "social" apps should help local communities without the signal having to go to a server farm halfway around the world. India rejected internet.org for that reason. Rural Africa doesn't need drones to organize community dinner or call a plumber.
That depends on why you're using the social app. If you're using it to find a local plumber, then sure, you only need it to stay in your local area (but what's 'local'? Is that within your town, your county, your state or your country? If you want to fix a leak, you probably want a plumber in your town; if you're replumbing an entire school, then you may be happy to get bids from plumbers 50 miles away).
But if you're using your social network to find the solution to your recurring plumbing problem that the last 3 plumbers you hired couldn't fix, then you'll probably be just as happy with an answer from a plumber from across the world as you would from a plumber next door.
The power of online social networks is that they aren't limited to whoever is in your town.
But they can still live on VPNs and not the open internet. Requests from outside can be blocked. Sure, an external router or DNS server might go down, but the internal network would be intact. The routing can even be updated on internal routers. People can invite others to the network, and the whole invitation system can be throttled. Bye-bye DDoS.
How does an "internal network" work with an online community? Are members across a community hard-wired in to this online community?
Otherwise it's still subject to all of the same DDoS attacks as a global social network provider. Except that it'll be easier to take it down since it has fewer resources to protect itself (i.e. it doesn't have multiple 10 Gbit pipes to the internet and likely can't blackhole traffic with BGP routes).
So yes, the internal network may be fine if a DDoS attack takes down the router to the rest of the internet, but does that matter since no one can reach it?
Or are you envisioning entire communities unplugging themselves from the internet if any community member is under DoS attack?
A DDoS attack is dependent on flooding the user's connection with traffic, so if this connection cannot be established, a DDoS is unable to have a significant impact.
Your first statement is true, but the traffic doesn't have to be successfully terminated for an attack -- a DDoS attack can easily fill your internet pipe with traffic even if your firewall silently ignores it (and indeed, once the attack is underway, it's likely that your servers can't keep up with the request rate, so many of the connections are going unanswered). So a VPN is no magic bullet.
WebRTC is a fairly bad start because it cannot establish connections to known endpoints (think address:port) or speak multicast for local neighbor discovery in a P2P network.
It generally relies on a signalling server or at a minimum on an exchange of one-time session tokens the user could enter for each connection.
It's not distributed and barely decentralized. It's more geared around a client-server approach where some of the traffic is offloaded to peer-to-peer connections.
Compared to protocols like TCP and UDP it's incredibly crippled.