Depending on your position, there really isn't one. The hosting company can implement one, which they might be able to insert in your path if you are at the receiving end of an attack. There are Cisco products and a bunch of up-and-comers that can do this.
If you're a "typical startup" with an Amazon footprint, you have no mitigation strategy for flooding attacks aside from not attracting them. If someone points multiple gigabits at you, there is just about nothing you can do except hope Amazon can do something.
There's a range[2] of ISPs who will sell DDoS protection to you, either as an add-on when you host with them, or as an external service (re-routing your traffic).
E.g. StormOnDemand just recently added it to their portfolio[1], which is noteworthy because they actually list prices right on the website.
Either way, even without "explicit protection", any ISP beyond mom-and-pop size deals with these attacks every day and will sort them out for you for free the first couple of times. Only when they turn into a habit or become so huge that they have to talk to their upstream will they politely ask you to throw some money their way.
Pulling the plug immediately is definitely not normal. However, considering Pastie was apparently a sponsored account, it's at least somewhat understandable (albeit a terrible PR move).
For serious accounts (in the 6 digits/year) absolutely not, unless the attack is large enough to affect other customers.
Admittedly, RailsMachine looks very small; in all likelihood their pipe was rather easily clogged and they simply didn't have the choices that larger ISPs have.
> For serious accounts (in the 6 digits/year) absolutely not, unless the attack is large enough to affect other customers.
If it doesn't affect other customers, a hosting company won't act or even be aware, in most cases. They'll just send you a bill for the transfer. If someone attacks you and it impacts other customers, you get nulled. I'm aware of 7 digits/year and 8 digits/year accounts through industry anecdotes that have had machines nulled. The engineer operating the null doesn't say, "oh, that's X, maybe I shouldn't fix the network for my other customers".
There's a bit of middle ground between "sending a bill" and nulling.
I've been hit by two larger attacks in the past (GBit/s range) and the respective ISPs were both extremely supportive, switching our IPs while they tightened their filters. Neither billed us a dime despite our ingress spike making quite a bump in their charts and a lot of handholding over 2-3 days.