We got DDoS attacked by some spam bot crawler thing.

Higher ups called a meeting so that one of our seniors could present ways to mitigate these attacks.

- If a custom, "obscure" header is missing (from API endpoints), send back a basic HTTP challenge. Deny all credentials.

- Some basic implementation of rate limiting on the web server

We can't implement DDoS protection at the network level because "we don't even have the new load balancer yet and we've been waiting on that for what... Two years now?" (See: spineless managers don't make the lazy network guys do anything)

So now we implement security through obscurity and DDoS protection... Using the very same machines that are supposed to be protected from DDoS attacks.

Comments
  • 8
    I mean if they don't even HAVE a new load balancer ... I'm not sure the network guys could do it if they weren't lazy...
  • 6
    @N00bPancakes I'm happily uninvolved in that portion of our happy little disaster but as far as I'm aware they just need to install the software and replicate our current settings in whatever new system they have in mind
  • 5
    @AtuM these guys are like COBOL cowboys but for Visual Basic ASP. I hate it here, leaving as soon as I can.
  • 4
    Wow.. It's not even DDoS protection. It's just a security patch to block brute force password attacks.
  • 5
    Yeah, that isn’t going to do much.

    Whatever, DDoS’s are pretty rare unless you’re doing something to piss someone off. You can probably just wait for it to pass and you’ll be good.

    But like.
    No load balancer?
    You must not get much traffic.
  • 1
    @Root we have LB. We don't have a NEW one. Ours doesn't work extremely well for our needs. Apparently.
  • 3
    @AlgoRythm 🤷🏻‍♀️
    Whatevs
  • 1
    What @root said ++.

    Cloudflare much? Akamai?

    nm then.
  • 3
    Just get behind Cloudflare and be done with it...
    The only viable approach to security is "never re-invent the wheel"
  • 1
    @hamido-san

    Lotta IT guys out there who I think are masochists and I think want to build their own Cloudflare at work .... and complain about it rather than use Cloudflare .. it's weird.
  • 6
    @N00bPancakes Cloudflare is both terrible and terrifying. Why? It quite literally breaks SSL in the name of “security.” It provides protection against automated attacks (which aren’t likely to target your servers anyway) by stripping away literally everyone’s privacy.

    It’s an unimaginably high price for something you very likely don’t need, and it comes with dire consequences. Again, why? Not only does a third party have access to all of your users’ traffic, but getting used to this idea leads directly to believing “only the guilty have something to hide.”

    And another question: what does Cloudflare do with that traffic? And who else would pay to share that access? And how much? And further: who has leverage (legal, quasi, or otherwise) over them?
  • 3
    @Root I wouldn't be the most surprised man in the world if the government helped them build their little backbone network for a taste of that delicious user data
  • 5
    I don't understand why DDOS is so problematic. Just uninstall DOS...
  • 1
    @Demolishun I fixed it by calling the dr-Dos
  • 1
    Why not install an intelligent WAF and have it deal with the rejections?

    Most new products have a learning mode that allows you to run it passively and then make your block changes before you turn on active blocking.

    It's a PITA for like a week after that, but it's better than not doing anything.
  • 0
    Best DDOS protection: Shut it down, nothing can get to it if it is offline.
    You are welcome.