undefined | Better HN

0 pointsdylz7y ago0 comments

It is not useful for small time attackers - small time attackers/children/etc just use booters which at least usually output double digit gbps, often spoofed, costs a cent or pay in runescape gold or other bullshit like that. Your upstream will need to mitigate this. No small scale attacker will be launching their own attacks (from their own machines), unless they were seriously incompetent but also think they're some form of power user, which doesn't really happen...

It is not useful for straight HTML - volumetric DDoS will take it out (not l7), it's not even going to make it to your machine. It does not mitigate well against any real major l7 flood either, just by virtue of "your pipe is smaller". A formal l7 attack would at least do basic recon to find a high resource consumption page (like search.php?q=%20 or something)

I guess this would come in maybe slightly useful with someone running ab or jmeter from a single machine toward you? But I don't know a single instance of that happening in the last decade..

0 comments

2 comments · 1 top-level

brians7y ago· 1 in thread

It’s great against mistaken API clients. Murphy is the most frequent adversary I encounter.

dylzOP7y ago

I feel like there's a bunch of other things in play, like for example if you're running a public API, one api key should not be able to take you down - you should be rate limiting them against repeated hits, for instance.

I'm not saying iptables is bad per se, but this article in particular is just some overpriced hosting provider's blog that tells you to set things like kernel.panic in sysctl. The article also claims all of this to be a defense against DDoS, which really will probably just eat through your pipe completely most of the time, not single-person DoS.

j / k navigate · click thread line to collapse