undefined | Better HN

0 pointsdublinben10y ago0 comments

Wouldn't any large enterprise client like this already have a CDN or DDOS-proof hosting provider?

0 comments

2 comments · 1 top-level

philip120910y ago· 1 in thread

I don't know for sure, but they likely have to provide a private key to these providers. Other big disadvantage of a "DDOS-proof hosting provider" is that they likely are not distributed, so absorbing large DDOS is hard.

rdl10y ago

Just to set a baseline: Nothing is DDoS-proof. (even CloudFlare).

What you want is DDoS resistance which is as strong as possible, and sufficiently strong for your application.

It's essentially impossible to have a single location anywhere in the world which is able to resist the largest attacks today (many hundreds of gigabits per second); even if your site somehow has 10Tbps of interconnects, the networks near you will get saturated. (And I don't think you could buy 10Tbps of interconnect to various networks at a single building today)

You could accomplish bigger-than-single-site DDoS resistance in three ways:

1) Direct private connections to users (there are systems which are unsuited for the public Internet!)

2) Buying lots of long-haul off-Internet transport to networks around the world; running your own private network which interconnects in-core in various important networks around the world.

3) Building a highly redundant global distributed front end which then backhauls traffic (over public networks, private networks, some combination), and potentially handles some or all of that traffic at the edge directly (cache, and maybe someday edge processing...)

(#3 can also be accomplished with an application having a loosely coupled front end; if you're just serving static content this is trivial. If you can deal with eventual consistency, it's also relatively easy. It becomes incredibly difficult for regular web apps or anything with lots of writes which need to be globally atomic. There's a lot of great CS work to be done, and then tool development, to make truly distributed web apps possible, then easy...)

#1 and #2 are incredibly expensive as the number of users scales up. #3 is what ~everyone does, even the biggest DDoS targets. CloudFlare and other providers are good at doing #3 for you so you don't have to, but theoretically a large company with a lot of money could do this themselves. It's probably not a core competency of a large financial institution to do this, so modulo trust issues, it makes sense for them to pay a provider to do it. We're working particularly hard at technical solutions to the trust issues, cost, etc. to make it a good solution for anyone.

j / k navigate · click thread line to collapse